Model Context Protocol (MCP)

Connect Claude, Cursor, and any MCP client to your ThorStack workspace with a scoped, revocable API key.

What is MCP?

The Model Context Protocol is an open standard that lets AI assistants — like Claude Desktop, Claude Code, and Cursor — securely connect to external systems. ThorStack ships an MCP server so the tools you already use can talk to your workspace directly: chat with your AI workforce, pull CRM records, draft invoices, query finance data, and run workflows — all without leaving your editor or assistant.

Access is controlled by a personal MCP API key. Each key is tied to your user account, inherits your role's permissions, and can be revoked at any time.

Before you start

You need two things:

Item | Where to find it
Your API URL | Mission Control → API Credentials → MCP Keys → Setup Instructions. For cloud tenants this is your ThorStack domain (e.g. https://your-workspace.thorstack.com).
An MCP API key | Create one on the same page (see below). Keys begin with mak_.

Always use HTTPS for cloud deployments. An MCP key acts on your behalf, so treat it like a password.

Create an API key

  1. In Mission Control, open API Credentials → MCP Keys.
  2. Click New key, give it a descriptive label (e.g. "Claude Desktop — laptop"), and optionally set an expiry.
  3. Copy the full key immediately. For security it is hashed on our side and shown only once — if you lose it, revoke it and create a new one.

Each key records its last-used time so you can spot stale or unused keys at a glance.

Connect your MCP client

Point your client at your API URL and pass the key as a bearer token. Most clients are configured with a small JSON file.

Claude Desktop — edit claude_desktop_config.json (Settings → Developer → Edit Config):

{
  "mcpServers": {
    "thorstack": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "https://your-workspace.thorstack.com",
        "--header",
        "Authorization: Bearer mak_your_key_here"
      ]
    }
  }
}

Cursor — add the same server under Settings → MCP → Add new server, using your API URL and an Authorization: Bearer mak_… header.

Restart the client. Your ThorStack agents and tools will appear in the assistant's tool list. Replace the URL and key with the values from your own Setup Instructions panel.

What you can do

Once connected, the assistant can, within the limits of your role:

  • Talk to agents — ask the CMO agent for a campaign brief, the CFO agent for a cash-flow snapshot, etc.
  • Read and write business data — CRM contacts and deals, finance records, workspace tasks, and more.
  • Trigger workflows — kick off a DAG workflow, with approval gates still enforced for sensitive actions.

Permissions are never widened by MCP: a key can only do what its owner could do in Mission Control.

Managing keys

  • Rotate regularly. Create a replacement, update your client, then revoke the old key.
  • Revoke instantly. Removing a key from MCP Keys cuts off access immediately — useful if a laptop is lost.
  • One key per client. Separate keys per device/tool make it easy to revoke just the one that's compromised without disrupting the others.
  • Admins can review and revoke keys across the whole team from the same screen.

Security

  • Keys are stored only as a bcrypt hash — ThorStack can never display a key again after creation.
  • Every key inherits RBAC permissions and all activity is captured in your audit logs.
  • Set an expiry on keys used for short-lived or experimental integrations.
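
A local audit of the client config files described above, as an added example that is not ThorStack's own tooling: it flags plain-HTTP endpoints, a key shared by more than one config, and config files readable by other local users. The key character set, the file names and the sample key are assumptions constructed for the example.

```python
import hashlib, json, os, re, stat, tempfile
from urllib.parse import urlsplit

# Assumption: the key body is URL-safe characters; the page only states the "mak_" prefix.
KEY_RE = re.compile(r"mak_[A-Za-z0-9_-]+")
URL_RE = re.compile(r"https?://[^\s\"']+")
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def audit(paths):
    """Return (location, finding) tuples for MCP client config files holding mak_ keys."""
    findings, seen = [], {}  # seen: sha256(key) -> first location, so keys are never printed
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            servers = json.load(fh).get("mcpServers", {})
        has_key = False
        for name, spec in servers.items():
            where = f"{os.path.basename(path)}:{name}"
            blob = json.dumps(spec)  # covers args, env and header-style entries alike
            for url in URL_RE.findall(blob):
                parts = urlsplit(url)
                if parts.scheme == "http" and parts.hostname not in LOOPBACK:
                    findings.append((where, f"key would be sent over plain HTTP to {parts.hostname}"))
            for key in sorted(set(KEY_RE.findall(blob))):
                has_key = True
                digest = hashlib.sha256(key.encode()).hexdigest()
                if digest in seen:
                    findings.append((where, f"same key as {seen[digest]}; issue one key per client"))
                seen.setdefault(digest, where)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if has_key and os.name == "posix" and mode & 0o077:
            findings.append((os.path.basename(path), f"mode {mode:o} exposes the key to other local users"))
    return findings

def demo():
    """Run the audit over two constructed config files (sample data, not real keys)."""
    def cfg(url, key):
        return {"mcpServers": {"thorstack": {"command": "npx", "args": [
            "-y", "mcp-remote", url, "--header", f"Authorization: Bearer {key}"]}}}
    with tempfile.TemporaryDirectory() as d:
        a, b = os.path.join(d, "desktop.json"), os.path.join(d, "editor.json")
        for path, url, mode in ((a, "https://your-workspace.thorstack.com", 0o600),
                                (b, "http://your-workspace.thorstack.com", 0o644)):
            with open(path, "w", encoding="utf-8") as fh:
                json.dump(cfg(url, "mak_CONSTRUCTED_sample_key"), fh)
            os.chmod(path, mode)
        return audit([a, b])

if __name__ == "__main__":
    for where, finding in demo():
        print(f"{where}: {finding}")
```

Keys are compared by SHA-256 digest and never echoed, so the output can be pasted into a ticket without leaking a credential.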

Next

  • AI workforce, the agents you'll be talking to over MCP.
  • RBAC, how a key's permissions are determined.
  • Audit logs, where MCP activity shows up.
