You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
API Tokens: optional per-module permission scopes. An admin can restrict a token to individual modules and access levels (<module>:read / <module>:write, where write implies read) instead of granting the creator's full access. This matters most for tokens handed to an off-device AI/MCP client — for example a token that may write the calendar but can never read the health module. Tokens created without scopes keep full role-based access, so existing tokens are unaffected.
Security
API Tokens: scoped tokens are enforced across both the REST API and the MCP endpoint. A scoped token can only reach modules on its allow-list — every other /api/v1 path is denied, tools/list hides MCP tools the token cannot use, out-of-scope tools/call is refused, and the OpenAPI bridge inherits the same limits because it loops back through the REST layer with the same token.