# Authentication & Security

Luciq MCP supports two authentication methods. **OAuth is recommended** for interactive use; token-based auth is available for automation and CI/CD.

***

## OAuth 2.0 (Recommended)

When you connect your IDE to Luciq MCP, OAuth handles everything automatically:

1. Your IDE sends a request to the Luciq MCP server
2. Your browser opens to the Luciq authorization page
3. Log in with your Luciq account and approve access
4. Your IDE stores the credentials - this is a one-time step

OAuth uses **Dynamic Client Registration** (DCR), so no pre-configuration or API keys are needed. Your IDE registers itself automatically during the authorization flow.

### Revoking OAuth Access

When you authenticate via OAuth, a token is generated automatically. To revoke access:

1. Go to **Account Management > Luciq MCP** in your dashboard
2. Switch to the **Token** tab
3. Delete the active token

Deleting the token cancels all credentials associated with your account, including those generated through the OAuth flow. The next time your IDE tries to connect, it will prompt you to re-authorize.

***

## Token-Based Authentication

Use token-based authentication in environments where interactive OAuth isn't practical: CI/CD pipelines, remote terminals, automated agent workflows, or programmatic integrations.

### Getting a Token

1. Go to **Account Management > Luciq MCP** in your Luciq dashboard
2. Switch to the **Token** tab
3. Click **Generate authentication token**
4. Copy the token immediately (it's shown once for security)

![Token generation on the Luciq MCP settings page](/files/v2ESfYtcJGnhiYj7OHkI)

### Using the Token

Add the `Email` and `Token` headers to your MCP server configuration:

```json
"luciq": {
  "url": "https://api.luciq.ai/api/mcp",
  "headers": {
    "Email": "your-email@company.com",
    "Token": "your-authentication-token"
  }
}
```

{% hint style="warning" %}
**Keep your tokens safe.** Never commit tokens to version control, share them in Slack or email, or include them in public documentation. If a token is compromised, revoke it immediately from your MCP settings.
{% endhint %}
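
One way to keep the token out of version control in a CI job is to render the `luciq` entry at run time from secrets and to check committed config files for a literal token. This is an added example, not Luciq's own tooling; the variable names `LUCIQ_EMAIL`, `LUCIQ_TOKEN` and `LUCIQ_MCP_URL` and the helper names are assumptions, and the output still has to be merged into your MCP client's server configuration.

```python
import json
import os
import tempfile

MCP_URL = "https://api.luciq.ai/api/mcp"  # default endpoint shown on this page
PLACEHOLDERS = {"your-email@company.com", "your-authentication-token"}


def build_luciq_entry(env):
    """Build the "luciq" entry from CI secrets (variable names are assumed)."""
    email = env.get("LUCIQ_EMAIL", "").strip()
    token = env.get("LUCIQ_TOKEN", "").strip()
    if not email or not token:
        raise ValueError("LUCIQ_EMAIL and LUCIQ_TOKEN must both be set")
    if email in PLACEHOLDERS or token in PLACEHOLDERS:
        raise ValueError("placeholder value from the docs was not replaced")
    url = env.get("LUCIQ_MCP_URL", MCP_URL)  # override for clustered tenants
    if not url.startswith("https://"):
        raise ValueError("MCP endpoint must use HTTPS")
    return {"url": url, "headers": {"Email": email, "Token": token}}


def write_private(path, entry):
    """Write the entry to a file only the current user can read (0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump({"luciq": entry}, fh, indent=2)
    os.chmod(path, 0o600)  # also tightens a file that already existed


def has_literal_token(config_text):
    """True if a config file carries a Token other than the docs placeholder."""
    token = json.loads(config_text).get("luciq", {}).get("headers", {}).get("Token", "")
    return bool(token) and token not in PLACEHOLDERS


if __name__ == "__main__":
    # Constructed values standing in for CI secrets; real runs pass os.environ.
    env = {"LUCIQ_EMAIL": "ci@example.test", "LUCIQ_TOKEN": "constructed-token"}
    path = os.path.join(tempfile.mkdtemp(), "luciq-mcp.json")
    write_private(path, build_luciq_entry(env))
    print(oct(os.stat(path).st_mode & 0o777))
    with open(path) as fh:
        print(has_literal_token(fh.read()))  # generated file must not be committed
```

Running `has_literal_token` over tracked config files in a pre-commit hook or CI step catches a pasted token before it reaches the repository.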

### Rotating Tokens

Generate a new token from the MCP settings page at any time. Previous tokens can be revoked from the same page.

***

## Permissions & RBAC

MCP access respects your existing Luciq role-based access controls:

* **App-level access:** You can only query data for apps your Luciq account has permissions for
* **Environment-level access:** Production, beta, staging, and other environments follow your existing permission model
* **Role inheritance:** MCP tools inherit the same permissions as the Luciq dashboard - no separate MCP-specific roles
* **Admin control:** Workspace admins manage access through standard Luciq team settings

If you're seeing "App not found" or missing data, check with your workspace admin to verify your permissions.

***

## Security Overview

| Aspect             | Detail                                                                  |
| ------------------ | ----------------------------------------------------------------------- |
| **Transport**      | HTTPS (TLS 1.2+), Streamable HTTP protocol                              |
| **Authentication** | OAuth 2.0 with Dynamic Client Registration (recommended) or token-based |
| **Authorization**  | RBAC - inherits your Luciq workspace permissions                        |
| **Data access**    | **Read-only** - all current tools are read-only                         |
| **Source code**    | No source code is accessed, transmitted, or stored                      |
| **Audit logging**  | All MCP tool calls are logged for compliance and auditing               |
| **Data residency** | Data stays within your Luciq workspace region                           |

### What Data Does MCP Access?

MCP tools query the same observability data available in your Luciq dashboard:

* Crash reports, stack traces, and occurrence data
* App hang / freeze reports
* User-reported bug reports (submitted via the Luciq SDK)
* App store reviews and ratings
* Application metadata (names, platforms, environments)

MCP does **not** access:

* Source code or repository contents
* User PII beyond what's already in crash/bug reports (email, device info)
* SDK configuration or integration settings
* Billing or account information

***

## Clustered Tenants

If your organization uses a dedicated Luciq cluster, your MCP endpoint URL may differ from the default. Contact your Luciq admin or reach out to <support@luciq.ai> for your cluster-specific endpoint.

***

## Enterprise & Compliance

For enterprise security reviews, compliance questionnaires, or custom deployment requirements, contact <support@luciq.ai>.

