# Personal Access Tokens


Personal access tokens (PATs) let you connect MCP clients to Jam without going through the OAuth flow. Instead of authorizing through a browser, you create a token in your Jam settings and paste it directly into your MCP client configuration.

Each token is scoped to a specific team, tied to your user account, and has a mandatory expiration date.

***

## Creating a token

1. Go to **Settings** > **Integrations** > **AI Agents**
2. Scroll to the **Personal Access Tokens** section
3. Click **Create token**
4. Fill in the details:
   * **Name** — A label to identify the token (e.g., "Cursor" or "Claude Code")
   * **Expiration** — How long the token is valid: 7 days, 30 days, 90 days, or 1 year
   * **Scopes** — The permissions the token needs (see [Scopes](#scopes) below)
5. Click **Create**
6. Copy your token immediately — **you won't be able to see it again**

{% hint style="warning" %}
Store your token securely. Treat it like a password. Jam only stores a hash of the token, so there is no way to retrieve it after creation.
{% endhint %}

***

## Using a token with MCP clients

Use your PAT as a Bearer token when configuring MCP clients. Below are examples for popular clients.

### Claude Code

In your terminal:

```bash
claude mcp add Jam https://mcp.jam.dev/mcp \
  -t http \
  -s user \
  --header "Authorization: Bearer jam_pat_..."
```

### Cursor

Add to your MCP configuration:

```json
{
  "mcpServers": {
    "Jam": {
      "url": "https://mcp.jam.dev/mcp",
      "headers": {
        "Authorization": "Bearer jam_pat_..."
      }
    }
  }
}
```

### VS Code / Windsurf

Add to your `mcp.json`:

```json
{
  "servers": {
    "Jam": {
      "type": "http",
      "url": "https://mcp.jam.dev/mcp",
      "headers": {
        "Authorization": "Bearer jam_pat_..."
      }
    }
  }
}
```

{% hint style="info" %}
PATs skip the OAuth browser authorization step entirely. This makes them ideal for headless environments or CI pipelines.
{% endhint %}

***

## Scopes

Scopes control what the token can do. Select only the scopes you need.

| Scope       | Description                                          |
| ----------- | ---------------------------------------------------- |
| `mcp:read`  | View Jam details, logs, events, and network requests |
| `mcp:write` | Move Jams to folders and add comments                |

{% hint style="info" %}
You must select at least one scope when creating a token.
{% endhint %}

***

## Managing tokens

### Viewing your tokens

Go to **Settings** > **Integrations** > **AI Agents** to see all your personal access tokens for the current team. The list shows each token's name, scopes, last used date, and expiration status.

### Revoking a token

1. Find the token in your token list
2. Click the **...** menu on the right
3. Select **Revoke token**
4. Confirm the revocation

{% hint style="danger" %}
Revoking a token is permanent. Any MCP client using the token will immediately lose access.
{% endhint %}

***

## Expiration

All tokens have a mandatory expiration date. When creating a token, choose from:

* **7 days** — For short-lived tasks or testing
* **30 days** — For active development work
* **90 days** — For longer-running integrations
* **1 year** — For stable, long-term integrations

Expired tokens stop working automatically. Create a new token when one expires and update your MCP client configuration.

***

## Security best practices

* **Use short-lived tokens** — Choose the shortest expiration that works for your use case
* **Limit scopes** — Only grant the permissions the token actually needs
* **Never commit tokens** — Store tokens in environment variables or your MCP client's secure credential storage, not in files checked into version control
* **One token per client** — Create separate tokens for each MCP client so you can revoke them independently
* **Revoke immediately if compromised** — If a token may have been exposed, revoke it right away and create a replacement

***

## Token format

Jam PATs follow a recognizable format:

```
jam_pat_<random-characters>
```

The `jam_pat_` prefix makes it easy to identify Jam tokens in your configuration and helps secret scanners detect accidental exposure.
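As an added example (not Jam's own code), here is a small scanner that uses the `jam_pat_` prefix to catch tokens before they reach version control, as the "Never commit tokens" practice above recommends. The page documents only the prefix, so the character set and minimum length in the pattern are assumptions, and the sample config and token are constructed.

```python
import re
import sys
from pathlib import Path

# Assumption: the page documents only the "jam_pat_" prefix. The character set
# and minimum length of the random part are guesses; tune them to real tokens.
JAM_PAT_RE = re.compile(r"\bjam_pat_[A-Za-z0-9_-]{16,}")

# Constructed sample: the first token is made up, the second is the docs placeholder.
SAMPLE_CONFIG = """{
  "servers": {
    "Jam": {
      "type": "http",
      "headers": {"Authorization": "Bearer jam_pat_EXAMPLEexample0123456789abcd"}
    },
    "Docs": {"headers": {"Authorization": "Bearer jam_pat_..."}}
  }
}"""

def redact(token):
    """Keep only the prefix and last 4 characters so reports do not re-leak the token."""
    return "jam_pat_****" + token[-4:]

def scan_text(text, source="<text>"):
    """Return (source, line number, redacted token) for each likely PAT in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in JAM_PAT_RE.finditer(line):
            findings.append((source, lineno, redact(match.group(0))))
    return findings

def scan_paths(paths):
    """Scan files, e.g. the staged file names passed in by a pre-commit hook."""
    findings = []
    for path in paths:
        try:
            text = Path(path).read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue  # unreadable or deleted file: nothing to scan
        findings.extend(scan_text(text, str(path)))
    return findings

if __name__ == "__main__":
    args = sys.argv[1:]
    found = scan_paths(args) if args else scan_text(SAMPLE_CONFIG, "sample")
    for source, lineno, token in found:
        print(f"{source}:{lineno}: possible Jam PAT {token}")
    sys.exit(1 if found and args else 0)  # fail the hook only on real files
```

Run it with file paths as arguments, for example from a pre-commit hook; it exits non-zero when a likely token is found, and the `jam_pat_...` placeholder used in documentation is not flagged.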


