cmd.Flags().StringVar(&tokenProfilePin, "profile-pin", "", "Pin this token to a profile; it can only operate in that profile (cannot switch via set_profile or /mcp/p/<other>)")
docs/features/agent-tokens.md
33 additions & 0 deletions
@@ -176,6 +176,38 @@ Server scoping is enforced at two levels:
176
176
1.**Tool discovery** (`retrieve_tools`) — only returns tools from allowed servers
177
177
2.**Tool execution** (`call_tool_*`) — blocks calls to out-of-scope servers
178
178
179
+
## Profile Pinning
180
+
181
+
A [profile](./profiles.md) scopes tool discovery and calls to a named subset of upstream servers. With `--profile-pin`, you can **bind a token to a single profile** so it can never operate outside it — regardless of the URL it connects to or any `set_profile` call it makes.
182
+
183
+
```bash
184
+
# This token can ONLY ever see/use the "research" profile
185
+
mcpproxy token create \
186
+
--name research-agent \
187
+
--servers "*" \
188
+
--permissions read \
189
+
--profile-pin research
190
+
```
191
+
192
+
Server-side enforcement (no client cooperation required):
193
+
194
+
-**`set_profile("other")` is rejected** — a pinned token cannot switch its session to a different profile (switching to its own pinned profile, or clearing, is allowed).
195
+
-**`/mcp/p/<other>` returns `403`** — connecting to any profile URL other than the pinned one is forbidden; the pinned profile's own URL works.
196
+
-**The pin is the highest-precedence resolver source**, above an explicit `/mcp/p/<slug>` URL scope and above a session `set_profile` selection.
197
+
198
+
Resolution precedence (highest wins):
199
+
200
+
```
201
+
1. agent-token profile_pin (server-enforced; this section)
202
+
2. /mcp/p/<slug> URL scope (per-request override)
203
+
3. set_profile session state (base /mcp endpoint default for the session)
204
+
4. none (no profile filtering — all allowed servers)
205
+
```
206
+
207
+
**Validation & config changes**: the pinned slug must name a configured profile at creation time (creation is rejected otherwise). If the profile is later removed from the configuration, requests are **warn-skipped** rather than hard-failed — the pin still blocks switching away, so the token can never silently widen its scope, but profile filtering falls through to the next precedence tier. Pinning composes with server scoping and permission tiers: a request must satisfy **all** of them.
208
+
209
+
The pin is shown by `token list` (PROFILE PIN column) and `token show` (Profile Pin field), and is preserved across `token regenerate`.
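Review bot: In the "Validation & config changes" paragraph, the statement that the token "can never silently widen its scope" conflicts with the fallback described in the same sentence. Once the pinned profile is removed, filtering "falls through to the next precedence tier", and because the bullets above say a pinned token cannot select a different profile through `set_profile` or `/mcp/p/<other>`, tiers 2 and 3 can only name the removed profile, so as far as these lines show resolution ends at tier 4, "none (no profile filtering — all allowed servers)". With the example's `--servers "*"`, a token pinned to `research` would then see every server after a config edit that deletes the profile, which is a wider scope than the pin granted. Suggest either failing closed (reject requests from a pinned token while its profile is missing) or stating this fail-open outcome explicitly here, and changing the example to list specific servers so that server scoping bounds what the fallback can expose. It would also help to say where the warning is emitted so operators know what to alert on.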