Authentication & Security
Luciq MCP supports two authentication methods. OAuth is recommended for interactive use; token-based auth is available for automation and CI/CD.
OAuth 2.0 (Recommended)
When you connect your IDE to Luciq MCP, OAuth handles everything automatically:
Your IDE sends a request to the Luciq MCP server
Your browser opens to the Luciq authorization page
Log in with your Luciq account and approve access
Your IDE stores the credentials - this is a one-time step
OAuth uses Dynamic Client Registration (DCR), so no pre-configuration or API keys are needed. Your IDE registers itself automatically during the authorization flow.
Revoking OAuth Access
When you authenticate via OAuth, a token is generated automatically. To revoke access:
Go to Account Management > Luciq MCP in your dashboard
Switch to the Token tab
Delete the active token
Deleting the token cancels all credentials associated with your account, including those generated through the OAuth flow. The next time your IDE tries to connect, it will prompt you to re-authorize.
Token-Based Authentication
Use token-based authentication in environments where interactive OAuth isn't practical: CI/CD pipelines, remote terminals, automated agent workflows, or programmatic integrations.
Getting a Token
Go to Account Management > Luciq MCP in your Luciq dashboard
Switch to the Token tab
Click Generate authentication token
Copy the token immediately (it's shown once for security)

Using the Token
Add the Email and Token headers to your MCP server configuration:
Keep your tokens safe. Never commit tokens to version control, share them in Slack or email, or include them in public documentation. If a token is compromised, revoke it immediately from your MCP settings.
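A pre-commit style check for the warning above, as an added example that is not part of the Luciq documentation: it flags MCP configuration files whose Token header holds a literal value instead of an environment reference. The `mcpServers`/`headers` layout, the `${VAR}` reference syntax, and the variable name `LUCIQ_MCP_TOKEN` are assumptions; confirm what your MCP client actually supports.

```python
import json
import re

# Assumption: header values written as ${VAR} or $VAR are environment
# references that the MCP client expands at launch; anything else is a literal.
ENV_REF = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$|^\$[A-Za-z_][A-Za-z0-9_]*$")
SENSITIVE_HEADERS = {"token"}  # the page's Token header; Email is not a secret


def find_literal_tokens(config_text):
    """Return [(server_name, header_name)] for hardcoded secret headers."""
    config = json.loads(config_text)
    findings = []
    # Assumption: servers live under a top-level "mcpServers" object with
    # an optional "headers" map, as in several MCP-capable IDE clients.
    for name, server in config.get("mcpServers", {}).items():
        headers = server.get("headers", {}) if isinstance(server, dict) else {}
        for header, value in headers.items():
            if header.lower() not in SENSITIVE_HEADERS:
                continue
            if not isinstance(value, str) or not ENV_REF.match(value.strip()):
                findings.append((name, header))
    return findings


# Constructed sample configs; URL, email and token values are placeholders.
HARDCODED = """{
  "mcpServers": {
    "luciq": {
      "url": "https://mcp.example.invalid/",
      "headers": {"Email": "dev@example.invalid", "Token": "PLACEHOLDER-TOKEN-VALUE"}
    }
  }
}"""
FROM_ENV = HARDCODED.replace("PLACEHOLDER-TOKEN-VALUE", "${LUCIQ_MCP_TOKEN}")

if __name__ == "__main__":
    for label, text in (("hardcoded", HARDCODED), ("from env", FROM_ENV)):
        hits = find_literal_tokens(text)
        print(label, "->", hits or "ok")
```

Run it against any config file that is tracked in version control and fail the commit when the returned list is non-empty.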
Rotating Tokens
Generate a new token from the MCP settings page at any time. Previous tokens can be revoked from the same page.
Permissions & RBAC
MCP access respects your existing Luciq role-based access controls:
App-level access: You can only query data for apps your Luciq account has permissions for
Environment-level access: Production, beta, staging, and other environments follow your existing permission model
Role inheritance: MCP tools inherit the same permissions as the Luciq dashboard - no separate MCP-specific roles
Admin control: Workspace admins manage access through standard Luciq team settings
If you're seeing "App not found" or missing data, check with your workspace admin to verify your permissions.
Security Overview
Transport: HTTPS (TLS 1.2+), Streamable HTTP protocol
Authentication: OAuth 2.0 with Dynamic Client Registration (recommended) or token-based
Authorization: RBAC - inherits your Luciq workspace permissions
Data access: Read-only - all current tools are read-only
Source code: No source code is accessed, transmitted, or stored
Audit logging: All MCP tool calls are logged for compliance and auditing
Data residency: Data stays within your Luciq workspace region
What Data Does MCP Access?
MCP tools query the same observability data available in your Luciq dashboard:
Crash reports, stack traces, and occurrence data
App hang / freeze reports
User-reported bug reports (submitted via the Luciq SDK)
App store reviews and ratings
Application metadata (names, platforms, environments)
MCP does not access:
Source code or repository contents
User PII beyond what's already in crash/bug reports (email, device info)
SDK configuration or integration settings
Billing or account information
Clustered Tenants
If your organization uses a dedicated Luciq cluster, your MCP endpoint URL may differ from the default. Contact your Luciq admin or reach out to [email protected] for your cluster-specific endpoint.
Enterprise & Compliance
For enterprise security reviews, compliance questionnaires, or custom deployment requirements, contact [email protected].