MCP Permission Levels
The tools available to your AI assistant depend on your API token's permission level.
Permission Hierarchy
| Level | Can Do |
|---|---|
| Read | View data (list, get, search) |
| Write | All read + create, update, invite |
| Full | All write + delete, remove, cancel |
Tools by Permission
Read Permission
With a read-only token, your assistant can:
- List users in your account
- Get user details
- Search for users by name or email
- View account information
- List invitations and their status

Example prompts:
- "Show me all users in my account"
- "Find users with 'smith' in their email"
- "What invitations are pending?"
Write Permission
With a write token, your assistant can also:
- Invite new users to your account
- Update user roles (member, admin)
- Update account settings
- Create new invitations

Example prompts:
- "Invite [email protected] as a member"
- "Make [email protected] an admin"
- "Update our account name to Acme Corp"
Full Permission
With a full-access token, your assistant can also:
- Remove users from your account
- Cancel pending invitations

Example prompts:
- "Remove inactive user [email protected]"
- "Cancel the invitation to [email protected]"
Choosing the Right Permission
- Use read for exploration and reporting
- Use write for managing team members
- Use full only when you need to remove users or cancel invitations
Best Practices
- Follow the principle of least privilege
- Create separate tokens for different use cases
- Use read-only tokens when possible
- Review and rotate tokens periodically
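
One way to apply the least-privilege and periodic-review practices above is to compare each token's granted level with the highest level its calls actually needed. This is an added example, not code from the product: the verb-to-level mapping follows the hierarchy table on this page, while the tool names, token ids and call log are constructed assumptions.

```python
# Added example. Verb-to-level mapping follows the page's hierarchy table;
# tool names, token ids and the call log are constructed for illustration.
LEVELS = ["read", "write", "full"]  # ascending privilege
VERB_LEVEL = {
    "list": "read", "get": "read", "search": "read",
    "create": "write", "update": "write", "invite": "write",
    "delete": "full", "remove": "full", "cancel": "full",
}

def required_level(tool_name):
    """Minimum level for a tool, inferred from its leading verb.
    Unknown verbs fail closed to 'full'."""
    verb = tool_name.split("_", 1)[0].lower()
    return VERB_LEVEL.get(verb, "full")

def is_allowed(token_level, tool_name):
    """Hierarchy check: each level includes everything below it."""
    return LEVELS.index(token_level) >= LEVELS.index(required_level(tool_name))

def audit(tokens, call_log):
    """Compare each token's granted level with the highest level its
    observed calls needed. Returns {token_id: finding}."""
    needed = {tid: -1 for tid in tokens}
    for tid, tool in call_log:
        if tid in needed:
            needed[tid] = max(needed[tid], LEVELS.index(required_level(tool)))
    findings = {}
    for tid, granted in tokens.items():
        used, have = needed[tid], LEVELS.index(granted)
        if used == -1:
            findings[tid] = "unused: revoke or rotate"
        elif used < have:
            findings[tid] = f"over-privileged: downgrade {granted} -> {LEVELS[used]}"
        elif used > have:
            findings[tid] = "calls above granted level: investigate"
        else:
            findings[tid] = "ok"
    return findings

# Constructed sample data: granted levels and a log of observed tool calls.
TOKENS = {"tok_reporting": "full", "tok_onboarding": "write", "tok_old": "read"}
CALL_LOG = [
    ("tok_reporting", "list_users"), ("tok_reporting", "search_users"),
    ("tok_onboarding", "invite_user"), ("tok_onboarding", "get_account"),
]

if __name__ == "__main__":
    for tid, finding in audit(TOKENS, CALL_LOG).items():
        print(tid, "->", finding)
```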