Key Features

Credentials & API Tokens

Manage OAuth client credentials and long-lived API tokens for machine and scripting access to Zeeq.

Zeeq issues two kinds of user-owned credentials under Settings > Credentials. Both are scoped to your currently active organization, so switch organizations first if you need credentials for a different org. Secrets are shown only once at creation and cannot be recovered later.

Client Credentials

Client credentials are confidential OAuth clients for machine-to-machine access. They authenticate to the OpenIddict token endpoint with a client_id and client_secret and receive a short-lived access token scoped to the mcp:tools resource.

  • Grant type: client_credentials
  • Token lifetime: ~15 minutes (no refresh token; re-authenticate at the token endpoint)
  • Scope: mcp:tools
  • Audience: the Zeeq MCP resource indicator

Create a client credential

  1. Go to Settings > Credentials and choose New credential.
  2. Enter a name (for example, CI build bot).
  3. Copy the Client ID and Client secret immediately. The secret is displayed only this once.

The creation response also includes a sample curl request you can use to test the token endpoint.

Use the credential

Exchange the client credentials for an access token at the token endpoint, then send the token as a bearer token to the MCP endpoint:

curl -X POST "$TOKEN_URL" \
  -d "grant_type=client_credentials" \
  -d "client_id=$CLIENT_ID" \
  -d "client_secret=$CLIENT_SECRET" \
  -d "scope=mcp:tools" \
  -d "resource=$RESOURCE"

curl -H "Authorization: Bearer $ACCESS_TOKEN" "$MCP_URL"

Revoke

Revoke a credential from the table. Existing tokens issued to that client stop authenticating immediately, and the credential can no longer be used.

Client credentials do not carry a user role. If a client-credential-protected route ever requires role-based authorization, that is handled separately on the backend.

API Tokens

API tokens are long-lived bearer tokens for scripting and CLI access. Unlike client credentials, they represent a specific user and are issued via a custom OpenIddict grant, so the user's org role is resolved live on each request.

  • Grant type: urn:auth:grant-type:user_token (custom; handled internally by Zeeq)
  • Default lifetime: 90 days (configurable per token up to 365 days)
  • Scope: mcp:tools
  • No refresh: the token is a direct bearer token; re-create it when it expires

Create an API token

  1. Go to Settings > Credentials and choose New token.
  2. Enter a name (for example, Local CLI).
  3. Optionally set an expiration in days (1–365). Defaults to 90 days.
  4. Copy the access token immediately. The value is displayed only this once.

Use the token

Send the token as a bearer token:

curl -H "Authorization: Bearer $ACCESS_TOKEN" "$MCP_URL"

Organization scoping

Both credential types belong to your active organization. The active org is shown in the sidebar organization menu. To create or view credentials for another organization, switch to it first — the credentials list updates to reflect the active org.

DCR clients are different

Dynamic Client Registration (DCR) clients — the public/PKCE clients created by MCP coding tools like Claude Code — are managed separately through the /connect/register OAuth flow, not from this screen. When a user who belongs to more than one organization completes a DCR flow, Zeeq prompts them to choose which organization the DCR client should be scoped to before issuing the token.