API Tokens

Create an FSProtect API token and use it to connect MCP-compatible tools.

API Tokens for MCP Tools

FSProtect API tokens let you authenticate external tools without sharing your username and password. Use an API token when connecting MCP-compatible clients such as Cursor, VS Code, Claude Desktop, Windsurf, JetBrains, Open WebUI, AnythingLLM, LangChain, or n8n.

Important: FSProtect only displays the full token once, immediately after creation. Copy it before closing the dialog and store it securely.

Create an API token

Sign in to FSProtect.
Open your user menu and select API Tokens.

On the API Tokens page, select Create New Token.

Enter a descriptive token name, for example Cursor MCP, Claude Desktop MCP, or Automation Client.
Optional: set Expires In (days). Leave it empty if the token should not expire.
Select Create Token.

Copy the token from the success dialog. You will not be able to view the full token again later.

Use the token with MCP clients

The FSProtect MCP endpoint is:

https://YOUR_FSPROTECT_HOST:8443/api/v1/mcp

Replace YOUR_FSPROTECT_HOST with the hostname and port used by your FSProtect deployment.

Example: VS Code

VS Code uses an mcp.json file with a top-level servers object. Use mcp-remote to connect VS Code to the FSProtect MCP endpoint.

This configuration requires Node.js 18 or higher because it runs npx mcp-remote.

Create an FSProtect API token and copy it.
Open VS Code.
Open the Command Palette and run MCP: Open User Configuration or MCP: Open Workspace Folder MCP Configuration.
Add the FSProtect MCP server configuration.
Replace YOUR_FSPROTECT_HOST with your FSProtect host, for example 127.0.0.1:8443.
Replace YOUR_TOKEN_HERE with the API token you copied from FSProtect.

{
  "servers": {
    "forestall-ispm": {
      "command": "cmd",
      "args": [
        "/c",
        "npx",
        "-y",
        "mcp-remote",
        "https://YOUR_FSPROTECT_HOST/api/v1/mcp",
        "--header",
        "Authorization: Api-Token YOUR_TOKEN_HERE",
        "--allow-http"
      ],
      "env": {
        "NODE_TLS_REJECT_UNAUTHORIZED": "0"
      }
    }
  }
}

After saving the configuration, restart or reload the MCP client in VS Code. FSProtect tools should become available through the MCP tools list.

NODE_TLS_REJECT_UNAUTHORIZED=0 allows mcp-remote to connect when FSProtect uses a self-signed certificate. Remove this environment variable when FSProtect uses a trusted CA-signed certificate.

Manage existing tokens

The API Tokens page shows each token's name, prefix, creation date, expiration date, last used date, and status. The full token value is never shown again after creation.

To disable a token, select the delete action in the token list and confirm the revocation. Revoked tokens can no longer authenticate API or MCP requests.

Troubleshooting

Problem

What to check

The API Tokens page is not visible

Confirm your role includes the ManageApiTokens permission.

The MCP client returns unauthorized errors

Confirm the header is exactly Authorization: Api-Token YOUR_TOKEN_HERE.

VS Code shows TypeError: fetch failed

Confirm YOUR_FSPROTECT_HOST was replaced with the real host. If curl only works with -k, use the VS Code mcp-remote configuration or install a trusted FSProtect certificate.

The token no longer works

Check whether the token was revoked or expired.

The client cannot connect over HTTPS

Confirm the FSProtect URL is correct. If using a self-signed certificate with mcp-remote, keep NODE_TLS_REJECT_UNAUTHORIZED=0.

The full token is missing from the list

This is expected. FSProtect only shows the full token once during creation.

PreviousUser Settings NextLDAP

Last updated 6 days ago

Was this helpful?