MCP tokens are bearer credentials that let an external AI client authenticate against your VICIPanel MCP server. Each token is scoped to a single user and carries that user's permission level into every tool call.
Generating a token
Go to Admin → MCP → Tokens → New token. Pick a name (for identification later), an expiry, and optional scope restrictions. The token is shown once and cannot be retrieved afterward, so save it somewhere safe immediately.
Scope and permission
By default, a token inherits the full permission level of the user who created it. You can restrict it further with read-only access, a specific tool allowlist, an expiry date, or an IP address restriction. Restrictions stack, and the more restrictive setting always wins.
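The stacking rule above, as an added sketch that is not VICIPanel's own code: every restriction is checked independently and any single failure denies the call, so a token can only ever narrow what its user may do. The `Token` fields, the `is_write` flag, the tool names and the addresses are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Optional

# Hypothetical token model for illustration; not VICIPanel's schema.
@dataclass(frozen=True)
class Token:
    user_tools: frozenset                       # tools the owning user may call
    read_only: bool = False
    tool_allowlist: Optional[frozenset] = None  # None = no allowlist set
    expires_at: Optional[datetime] = None       # None = no expiry set
    allowed_networks: tuple = ()                # empty = no IP restriction

def source_allowed(token, client_ip):
    """True if no IP restriction is set or client_ip is inside an allowed network."""
    if not token.allowed_networks:
        return True
    try:
        addr = ip_address(client_ip)
    except ValueError:
        return False                            # unparseable address: fail closed
    return any(addr in ip_network(n) for n in token.allowed_networks)

def authorize(token, tool, is_write, client_ip, now):
    """Return (allowed, reason). Checks are ANDed, so any one restriction can deny."""
    if tool not in token.user_tools:
        return False, "user lacks permission"   # a token never exceeds its user
    if token.expires_at is not None and now >= token.expires_at:
        return False, "token expired"
    if not source_allowed(token, client_ip):
        return False, "source IP not allowed"
    if token.read_only and is_write:
        return False, "token is read-only"
    if token.tool_allowlist is not None and tool not in token.tool_allowlist:
        return False, "tool not in allowlist"
    return True, "ok"

# Constructed sample data (tool names and addresses are made up).
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
TOKEN = Token(
    user_tools=frozenset({"list_calls", "get_report", "update_campaign"}),
    read_only=True,
    tool_allowlist=frozenset({"list_calls", "update_campaign"}),
    expires_at=datetime(2025, 4, 1, tzinfo=timezone.utc),
    allowed_networks=("203.0.113.0/24",),
)
if __name__ == "__main__":
    print(authorize(TOKEN, "update_campaign", True, "203.0.113.7", NOW))
```

Here `update_campaign` is on the allowlist and the user may call it, yet the read-only flag still denies the write, which is the "more restrictive wins" behaviour.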
Rotation
Rotate tokens at least quarterly. If a token leaks or a team member leaves, revoke it immediately under Admin → MCP → Tokens. The revoked token stops working within seconds.
Audit
Every token action is logged with timestamp, tool name, parameters, and result. Review the log in Admin → MCP → Audit. Filter by token, user, or tool to trace any specific activity.
