P4A Documentation
MCP Server

Connecting a client

Mint a personal access token and connect Claude Code, Codex CLI, or Gemini CLI to P4A's hosted MCP server.

Before you connect: mint a token

  1. Open Settings in the dashboard and create a token from the Personal Access Tokens card — see Creating a token.
  2. Choose the scopes the client needs:
    • api:read — search the catalog, read docs, list your deployments, connections, submissions, and workspaces.
    • api:write — submit and deploy policies, rename and delete connections, create and manage workspaces. Only grant this to a client you want acting on your behalf.
  3. Copy the token value when it's shown — it's displayed once and never again.

Pick the narrowest scope set that covers your use. A client that only browses the catalog needs api:read alone.

Connecting your client

In every example below, replace the token placeholder with the value you copied. Prefer supplying the token through an environment variable over pasting it into a file that might be committed to source control.

The endpoint is https://www.p4a.dev/mcp (or your environment's portal origin with /mcp appended) — see Overview for the transport details.

Claude Code

Add the server from the command line:

claude mcp add --transport http p4a https://www.p4a.dev/mcp \
  --header "Authorization: Bearer YOUR_TOKEN"

Or add it to your .mcp.json (project scope) directly:

{
  "mcpServers": {
    "p4a": {
      "type": "http",
      "url": "https://www.p4a.dev/mcp",
      "headers": {
        "Authorization": "Bearer YOUR_TOKEN"
      }
    }
  }
}

Codex CLI

Codex connects to streamable HTTP MCP servers natively. Add a block to ~/.codex/config.toml, sourcing the token from an environment variable rather than embedding it:

[mcp_servers.p4a]
url = "https://www.p4a.dev/mcp"
bearer_token_env_var = "P4A_TOKEN"

Then export the token in your shell before running Codex:

export P4A_TOKEN="YOUR_TOKEN"

Gemini CLI

Add the server to your .gemini/settings.json. For a streamable HTTP endpoint the key is httpUrl, and custom headers go under headers:

{
  "mcpServers": {
    "p4a": {
      "httpUrl": "https://www.p4a.dev/mcp",
      "headers": {
        "Authorization": "Bearer YOUR_TOKEN"
      }
    }
  }
}

Other clients

Any client that speaks streamable HTTP MCP works the same way: point it at https://www.p4a.dev/mcp and send the Authorization: Bearer <token> header. Consult your client's documentation for where it stores remote MCP server config.

Security notes

  • A token acts as you, within its scopes. Treat it like a password — don't paste it into shared chats or commit it to a repository.
  • Give a client the narrowest scopes it needs. A read-only assistant never needs api:write.
  • If a token leaks, revoke it immediately from the Personal Access Tokens card; any client using it stops working at once. See Revoking a token.

Next steps

On this page