MCP — scopes
What each scope unlocks, which scopes most users want, and how to mint a token from /settings/mcp.
A bichito MCP token carries one or more scopes — each scope grants a specific subset of operations. The token's holder (your AI assistant) can only do what the scopes allow.
Scope across hives
Every MCP token has a hive binding chosen at mint time — picked in /me/settings/mcp under "Scope across hives":
- All hives (default for single-hive users): the token can act on every hive you own. Same as the legacy behaviour. Use this when one AI tool drives all your projects.
- Just this hive: the token can only see and mutate resources inside the chosen hive. Cross-hive list calls return only that hive's rows; cross-hive lookups by id return 404. A leaked token doesn't reach your other hives.
Hive binding is immutable — to change which hive a token sees, revoke + re-mint. The active-tokens list shows a badge per row ("All hives" or the hive name) so you can tell at a glance what each token can do.
If you have multiple hives (e.g. one per client project), prefer hive-scoped tokens: if a single AI tool gets compromised, the attacker can reach only the hive that tool's token is bound to, not your other hives.
Catalogue
| Scope | Unlocks |
|---|---|
| `read:bugs` | List and read bichitos. |
| `write:bugs` | Mark resolved / spam, assign, set status & severity, comment, attach/detach labels to bugs. |
| `read:honeycombs` | List honeycombs (projects). |
| `write:honeycombs` | Create or update honeycombs. |
| `read:teams` | Read team-level stats (get_stats). |
| `read:labels` | List the team's label catalogue. |
| `write:labels` | Create, rename, recolor and delete labels. |
The mapping from scope to MCP tool is in the Tools reference — every tool's "Required scope" line.
Common combinations
- Read-only triage helper → `read:bugs` + `read:honeycombs` + `read:labels` + `read:teams`. The AI can answer questions about your inbox without changing anything.
- Full triage → add `write:bugs`. The AI can resolve, mark spam, comment, set status / severity, and (de)tag bichitos.
- Label admin → add `write:labels`. The AI can also create and rename the label catalogue.
- Project setup → add `write:honeycombs`. The AI can create new honeycombs (rare; usually you do this from the dashboard).
The default selection in /settings/mcp covers the read scopes — opt into writes deliberately.
Minting a token from the dashboard
- Open `/settings/mcp`.
- Pick a name (mandatory — helps you spot the token in the active list later, e.g. "Claude Code laptop").
- Use the Quick set chips (`Read-only` / `Full access` / `Clear`) or hand-pick scopes per resource.
- Click Generate token.
- Copy the `mcp_…` plaintext immediately — we hash it before storing, so once you leave the modal, only the prefix is recoverable.
- Paste it into your AI tool's config as `BICHITO_MCP_TOKEN`.
Revoking a token
The same /settings/mcp page lists your active tokens (with last-used time). Hit Revoke to invalidate a token immediately — it stops working on the next request. There is no un-revoke; if a token is revoked by mistake, mint a new one.
Scope changes on existing tokens
There is no "edit scopes" endpoint. To change what a token can do, revoke + re-mint. This is intentional: keeping scopes immutable means a token's capability is fixed for its lifetime, which is easier to reason about for audit purposes.
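
The rules above (hash-only storage, immutable scopes and hive binding, cross-hive 404s, immediate revocation) can be modelled in a few lines. This is an added illustration, not bichito's own code. The class and method names, the SHA-256 choice, the prefix length and the 401/403 status codes are assumptions; only the cross-hive 404 comes from this page.

```python
# Added illustration: a minimal model of the token rules described on this page.
# All names, the hash choice and the 401/403 codes are assumptions, not bichito's API.
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

def _digest(plaintext: str) -> bytes:
    return hashlib.sha256(plaintext.encode()).digest()

@dataclass(frozen=True)           # frozen: scopes and hive binding are fixed at mint time
class TokenRecord:
    name: str
    prefix: str                   # the only part of the plaintext kept in readable form
    scopes: frozenset
    hive: Optional[str]           # None models "All hives"; a value models "Just this hive"

class TokenStore:
    def __init__(self):
        self._active = {}         # digest -> TokenRecord; the plaintext is never stored

    def mint(self, name, scopes, hive=None):
        plaintext = "mcp_" + secrets.token_urlsafe(32)
        self._active[_digest(plaintext)] = TokenRecord(
            name, plaintext[:8], frozenset(scopes), hive)
        return plaintext          # shown once; afterwards only the prefix is recoverable

    def revoke(self, plaintext):
        self._active.pop(_digest(plaintext), None)   # takes effect on the next request

    def authorize(self, plaintext, required_scope, resource_hive):
        """Return an HTTP-style status for one lookup-by-id request."""
        record = self._active.get(_digest(plaintext))
        if record is None:
            return 401            # unknown or revoked token (assumed status)
        if required_scope not in record.scopes:
            return 403            # scope not granted (assumed status)
        if record.hive is not None and record.hive != resource_hive:
            return 404            # cross-hive lookup: the resource appears not to exist
        return 200

    def visible_rows(self, plaintext, rows):
        """List call: a hive-bound token only ever sees its own hive's rows."""
        record = self._active.get(_digest(plaintext))
        if record is None:
            return []
        return [r for r in rows if record.hive in (None, r["hive"])]
```

Because the record is frozen and there is no update method, the only way to change a token's reach in this model is `revoke` followed by `mint`, matching the page's revoke + re-mint rule.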