Connecting a client
Mint a personal access token and connect Claude Code, Codex CLI, or Gemini CLI to P4A's hosted MCP server.
Before you connect: mint a token
- Open Settings in the dashboard and create a token from the Personal Access Tokens card — see Creating a token.
- Choose the scopes the client needs:
api:read— search the catalog, read docs, list your deployments, connections, submissions, and workspaces.api:write— submit and deploy policies, rename and delete connections, create and manage workspaces. Only grant this to a client you want acting on your behalf.
- Copy the token value when it's shown — it's displayed once and never again.
Pick the narrowest scope set that covers your use. A client that only browses the catalog needs api:read alone.
Connecting your client
In every example below, replace the token placeholder with the value you copied. Prefer supplying the token through an environment variable over pasting it into a file that might be committed to source control.
The endpoint is https://www.p4a.dev/mcp (or your environment's portal origin with /mcp appended) — see Overview for the transport details.
Claude Code
Add the server from the command line:
claude mcp add --transport http p4a https://www.p4a.dev/mcp \
--header "Authorization: Bearer YOUR_TOKEN"Or add it to your .mcp.json (project scope) directly:
{
"mcpServers": {
"p4a": {
"type": "http",
"url": "https://www.p4a.dev/mcp",
"headers": {
"Authorization": "Bearer YOUR_TOKEN"
}
}
}
}Codex CLI
Codex connects to streamable HTTP MCP servers natively. Add a block to ~/.codex/config.toml, sourcing the token from an environment variable rather than embedding it:
[mcp_servers.p4a]
url = "https://www.p4a.dev/mcp"
bearer_token_env_var = "P4A_TOKEN"Then export the token in your shell before running Codex:
export P4A_TOKEN="YOUR_TOKEN"Gemini CLI
Add the server to your .gemini/settings.json. For a streamable HTTP endpoint the key is httpUrl, and custom headers go under headers:
{
"mcpServers": {
"p4a": {
"httpUrl": "https://www.p4a.dev/mcp",
"headers": {
"Authorization": "Bearer YOUR_TOKEN"
}
}
}
}Other clients
Any client that speaks streamable HTTP MCP works the same way: point it at https://www.p4a.dev/mcp and send the Authorization: Bearer <token> header. Consult your client's documentation for where it stores remote MCP server config.
Security notes
- A token acts as you, within its scopes. Treat it like a password — don't paste it into shared chats or commit it to a repository.
- Give a client the narrowest scopes it needs. A read-only assistant never needs
api:write. - If a token leaks, revoke it immediately from the Personal Access Tokens card; any client using it stops working at once. See Revoking a token.
Next steps
- What the client can do — the read, documentation, and write tools available once connected.
- Personal access tokens — token scopes, expiry, and revocation.