# Personal Access Tokens

<figure><img src="https://1990502200-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtAIPUIiSH7MWC0IHLJuD%2Fuploads%2F9QZANgbv9GLYeGB7q07J%2Fimage.png?alt=media&#x26;token=ea3dd4f9-f571-4b50-8b11-2b88decf6425" alt=""><figcaption></figcaption></figure>

Personal access tokens (PATs) let you connect MCP clients to Jam without going through the OAuth flow. Instead of authorizing through a browser, you create a token in your Jam settings and paste it directly into your MCP client configuration.

Each token is scoped to a specific team, tied to your user account, and has a mandatory expiration date.

***

## Creating a token

1. Go to **Settings** > **Integrations** > **AI Agents**
2. Scroll to the **Personal Access Tokens** section
3. Click **Create token**
4. Fill in the details:
   * **Name** — A label to identify the token (e.g., "Cursor" or "Claude Code")
   * **Expiration** — How long the token is valid: 7 days, 30 days, 90 days, or 1 year
   * **Scopes** — The permissions the token needs (see [Scopes](#scopes) below)
5. Click **Create**
6. Copy your token immediately — **you won't be able to see it again**

{% hint style="warning" %}
Store your token securely. Treat it like a password. Jam only stores a hash of the token, so there is no way to retrieve it after creation.
{% endhint %}

***

## Using a token with MCP clients

Use your PAT as a Bearer token when configuring MCP clients. Below are examples for popular clients.

### Claude Code

In your terminal:

```bash
claude mcp add Jam https://mcp.jam.dev/mcp \
  -t http \
  -s user \
  --header "Authorization: Bearer jam_pat_..."
```

### Cursor

Add to your MCP configuration:

```json
{
  "mcpServers": {
    "Jam": {
      "url": "https://mcp.jam.dev/mcp",
      "headers": {
        "Authorization": "Bearer jam_pat_..."
      }
    }
  }
}
```

### VS Code / Windsurf

Add to your `mcp.json`:

```json
{
  "servers": {
    "Jam": {
      "type": "http",
      "url": "https://mcp.jam.dev/mcp",
      "headers": {
        "Authorization": "Bearer jam_pat_..."
      }
    }
  }
}
```

{% hint style="info" %}
PATs skip the OAuth browser authorization step entirely. This makes them ideal for headless environments or CI pipelines.
{% endhint %}

***

## Scopes

Scopes control what the token can do. Select only the scopes you need.

| Scope       | Description                                          |
| ----------- | ---------------------------------------------------- |
| `mcp:read`  | View Jam details, logs, events, and network requests |
| `mcp:write` | Move Jams to folders and add comments                |

{% hint style="info" %}
You must select at least one scope when creating a token.
{% endhint %}

***

## Managing tokens

### Viewing your tokens

Go to **Settings** > **Integrations** > **AI Agents** to see all your personal access tokens for the current team. The list shows each token's name, scopes, last used date, and expiration status.

### Revoking a token

1. Find the token in your token list
2. Click the **...** menu on the right
3. Select **Revoke token**
4. Confirm the revocation

{% hint style="danger" %}
Revoking a token is permanent. Any MCP client using the token will immediately lose access.
{% endhint %}

***

## Expiration

All tokens have a mandatory expiration date. When creating a token, choose from:

* **7 days** — For short-lived tasks or testing
* **30 days** — For active development work
* **90 days** — For longer-running integrations
* **1 year** — For stable, long-term integrations

Expired tokens stop working automatically. Create a new token when one expires and update your MCP client configuration.

***

## Security best practices

* **Use short-lived tokens** — Choose the shortest expiration that works for your use case
* **Limit scopes** — Only grant the permissions the token actually needs
* **Never commit tokens** — Store tokens in environment variables or your MCP client's secure credential storage, not in files checked into version control
* **One token per client** — Create separate tokens for each MCP client so you can revoke them independently
* **Revoke immediately if compromised** — If a token may have been exposed, revoke it right away and create a replacement

***

## Token format

Jam PATs follow a recognizable format:

```
jam_pat_<random-characters>
```

The `jam_pat_` prefix makes it easy to identify Jam tokens in your configuration and helps secret scanners detect accidental exposure.
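
The prefix-based detection described above, as an added example (not Jam's own tooling): a small scanner that can run as a pre-commit check and reports findings with the token redacted. The character set and 16-character minimum for the random part are assumptions, since this page documents only the `jam_pat_` prefix; the sample configuration and its token are constructed.

```python
import re
import sys

# Assumption: the page documents only the "jam_pat_" prefix. The character set
# and minimum length of the random part are guesses; tune them to real tokens.
PAT_RE = re.compile(r"jam_pat_[A-Za-z0-9_-]{16,}")

# Constructed sample: a Cursor-style config holding a made-up token.
SAMPLE = '''{
  "mcpServers": {
    "Jam": {
      "url": "https://mcp.jam.dev/mcp",
      "headers": {
        "Authorization": "Bearer jam_pat_EXAMPLEonly0123456789abcd"
      }
    }
  }
}'''


def redact(token):
    """Keep the prefix and last 4 characters so a finding can be logged safely."""
    return token[:8] + "****" + token[-4:]


def scan_text(text, source="<text>"):
    """Return (source, line number, redacted token) for every PAT-like string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in PAT_RE.finditer(line):
            findings.append((source, lineno, redact(match.group(0))))
    return findings


def main(paths):
    """Scan the given files; exit status 1 blocks the commit when run as a hook."""
    findings = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings += scan_text(fh.read(), path)
    for source, lineno, token in findings:
        print(f"{source}:{lineno}: possible Jam PAT {token}", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The documentation placeholders `jam_pat_...` and `jam_pat_<random-characters>` do not match the pattern, so files that quote this page are not flagged.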
