API tokens
Personal access tokens for MCP and git — scopes, creation, revocation.
Personal API tokens (sf_…) authenticate everything programmatic: the MCP
server and git over HTTPS.
Create a token
- Open Settings → API & MCP access.
- Press New token, name it, pick a scope and (optionally) an expiry.
- Copy the token — it is shown exactly once. Only a SHA-256 hash is stored.
Scopes
| Scope | Allows |
|---|---|
read | MCP search/read, git clone and git pull |
write | Everything in read, plus creating/updating lists and git push |
Using tokens
- MCP — HTTP header:
Authorization: Bearer sf_… - git — the token is the password; username can be anything:
git clone https://anything:[email protected]/you/your-list.gitHygiene
- Prefer
readscope for agents that only need lookup. - Set expiry dates for tokens used in CI or shared environments.
- Revoke unused tokens on the same settings page — revocation is immediate.
- Every token action lands in the audit log.