> For the complete documentation index, see [llms.txt](https://docs.luciq.ai/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.luciq.ai/product-guides-and-integrations/product-guides/ai-features/luciq-mcp-server/authentication-and-security.md).

# Authentication & Security

Luciq MCP supports two authentication methods. **OAuth is recommended** for interactive use; token-based auth is available for automation and CI/CD.

***

## OAuth 2.0 (Recommended)

When you connect your IDE to Luciq MCP, OAuth handles everything automatically:

1. Your IDE discovers the authorization server (via the standard `/.well-known/oauth-protected-resource` and `/.well-known/oauth-authorization-server` metadata)
2. Your browser opens to the Luciq authorization page
3. Log in with your Luciq account and approve access
4. Your IDE exchanges the authorization code for a token and stores it - this is a one-time step

OAuth uses the **authorization-code grant with PKCE** (`S256`) and **Dynamic Client Registration** (DCR), so no pre-configuration, client secrets, or API keys are needed. Your IDE registers itself and reports its client name automatically during the authorization flow, that's the name you'll see on the consent screen.

### Revoking OAuth Access

When you authenticate via OAuth, a token is generated automatically. To revoke access:

1. Go to **Account Management > Luciq MCP** in your dashboard
2. Switch to the **Token** tab
3. Delete the active token

Deleting the token cancels all credentials associated with your account, including those generated through the OAuth flow. The next time your IDE tries to connect, it will prompt you to re-authorize.

***

## Token-Based Authentication

For environments where interactive OAuth isn't practical - CI/CD pipelines, remote terminals, automated agent workflows, or programmatic integrations.

### Getting a Token

1. Go to **Account Management > Luciq MCP** in your Luciq dashboard
2. Switch to the **Token** tab
3. Click **Generate authentication token**
4. Copy the token immediately (it's shown once for security)

![Token generation on the Luciq MCP settings page](/files/v2ESfYtcJGnhiYj7OHkI)

{% hint style="info" %}
**One token per account, shown once.** Each developer has a single MCP token. The full value is displayed only at generation, after that the settings page shows just a short hint (the last few characters) so you can recognize it. To get a new token, **revoke the existing one first**, then generate again. The same token backs both header-based auth and the OAuth flow, so revoking it also signs out any connected IDE.
{% endhint %}

### Using the Token

Add the `Email` and `Token` headers to your MCP server configuration:

```json
"luciq": {
  "url": "https://api.luciq.ai/api/mcp",
  "headers": {
    "Email": "your-email@company.com",
    "Token": "your-authentication-token"
  }
}
```

{% hint style="warning" %}
**Keep your tokens safe.** Never commit tokens to version control, share them in Slack or email, or include them in public documentation. If a token is compromised, revoke it immediately from your MCP settings.
{% endhint %}

### Rotating Tokens

Generate a new token from the MCP settings page at any time. Previous tokens can be revoked from the same page.

***

## Permissions & RBAC

MCP access respects your existing Luciq role-based access controls. Authorization is enforced on every tool call in three layers:

1. **MCP access.** Your role must grant MCP access at all (the `account_management.mcp.view` permission). Without it, no tool will run.
2. **Per-tool permission.** Each tool maps to the same dashboard permission it would use in the UI. For example, `list_crashes` needs crash-list view access, `survey_details` needs both survey-details and survey-responses view access, and `update_bug` needs bug-modify access (plus an extra tag-modify permission when you change tags). If your role is missing the permission a tool needs, that call is rejected and the error names the missing permission.
3. **Plan entitlement.** Tools for a product your plan doesn't include (e.g. APM, Surveys, Crash Reporting) are rejected with a "not included in your plan" message.

Beyond those layers:

* **App-level access:** You can only query data for apps your Luciq account has permissions for
* **Environment-level access:** Production, beta, staging, and other environments follow your existing permission model
* **Role inheritance:** MCP tools inherit the same permissions as the Luciq dashboard - no separate MCP-specific roles
* **Admin control:** Workspace admins manage access through standard Luciq team settings

{% hint style="info" %}
**All tools are always listed, but not always callable.** Your client always sees the full set of 25 tools. Whether a given tool succeeds depends on your role and plan, checked at call time. So a tool you aren't entitled to won't disappear from the list, it will return a clear permission or plan error if you call it.
{% endhint %}

If you're seeing "App not found" or missing data, check with your workspace admin to verify your permissions.

***

## Security Overview

| Aspect             | Detail                                                                                                                 |
| ------------------ | ---------------------------------------------------------------------------------------------------------------------- |
| **Transport**      | HTTPS (TLS 1.2+), Streamable HTTP protocol (JSON-RPC 2.0)                                                              |
| **Authentication** | OAuth 2.0 (authorization-code + PKCE, with Dynamic Client Registration) recommended, or header-based token             |
| **Authorization**  | RBAC - inherits your Luciq workspace permissions, plus plan-feature entitlement, checked on every tool call            |
| **Data access**    | **Read-only except `update_bug`,** which can modify a bug's triage state; all writes respect RBAC and are audit-logged |
| **Source code**    | No source code is accessed, transmitted, or stored                                                                     |
| **Audit logging**  | MCP write actions are logged for compliance and auditing, just like dashboard changes                                  |
| **Data residency** | Data stays within your Luciq workspace region                                                                          |

### What Data Does MCP Access?

MCP tools query the same observability data available in your Luciq dashboard:

* Crash reports, stack traces, diagnostics, and occurrence data
* App hang / freeze reports
* Performance (APM) metrics - network, launches, screen loads, flows, frame drops
* User-reported bug reports (submitted via the Luciq SDK)
* In-app surveys, NPS, and their responses
* App store reviews and ratings
* Aggregated app-health insights
* Unified Issues and prioritized Opportunities
* Application metadata (names, platforms, environments)

MCP does **not** access:

* Source code or repository contents
* User PII beyond what's already in crash/bug reports (email, device info)
* SDK configuration or integration settings
* Billing or account information

***

## Rate Limits

MCP requests are rate-limited per client (by IP). The default limit is **100 requests per 60 seconds**. If you exceed it, the server responds with a `429` and `Rate limit exceeded`, wait briefly and retry. In practice, conversational use stays well under this; only tight automated loops tend to approach it.

***

## Clustered Tenants

If your organization uses a dedicated Luciq cluster, your MCP endpoint URL may differ from the default. Contact your Luciq admin or reach out to <support@luciq.ai> for your cluster-specific endpoint.

***

## Enterprise & Compliance

For enterprise security reviews, compliance questionnaires, or custom deployment requirements, contact <support@luciq.ai>.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.luciq.ai/product-guides-and-integrations/product-guides/ai-features/luciq-mcp-server/authentication-and-security.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
