The Management API handles administrative operations for MCP server connections using two authentication methods.

OAuth 2.1 Client Credentials

Standard OAuth flow for production applications:

curl -X POST https://us-east-1clpqjbygz.auth.us-east-1.amazoncognito.com/oauth2/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -u "client_id:client_secret" \
  -d "grant_type=client_credentials&scope=mgmt.read+mgmt.write"

Response:

{
  "access_token": "eyJhbGciOiJSUzI1NiIs...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "mgmt.read mgmt.write"
}

Using the token:

curl -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIs..." \
  https://api.kambrium.com/api/v1/mcp-servers

Personal Access Tokens (PATs)

Long-lived tokens generated directly in the platform web interface for automated access and scripting scenarios.

Key Characteristics:

  • Long-lived (no expiration by default)
  • Generated via web UI rather than OAuth flow
  • Uses same JWT structure as OAuth tokens for compatibility
  • Suitable for CI/CD, automation, and development workflows

Token Claims Structure:

PAT tokens follow standard JWT structure with these key claims:

{
  "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_CLpqjbYgz",
  "aud": "kambrium-mcp",
  "sub": "account_id",
  "client_id": "pat_<random_string>",
  "scopes": ["mgmt.read", "mgmt.write"],
  "token_use": "access",
  "token_type": "pat",
  "mcp_server_id": 1,
  "iat": 1704067200,
  "jti": "pat_<token_identifier>"
}

Using PAT tokens:

curl -H "Authorization: Bearer <PAT_TOKEN>" \
  https://api.kambrium.com/api/v1/mcp-servers

Available Scopes

  • mgmt.read - Read MCP server configurations and status
  • mgmt.write - Create, update, and delete MCP server connections
  • mgmt.admin - Administrative operations and system management

Token Security Best Practices

OAuth Token Lifecycle

  • Tokens expire in 1 hour by default
  • Refresh tokens automatically before expiration
  • Store tokens securely in memory or secure storage

PAT Security

  • Rotate PATs regularly (recommended every 90 days)
  • Store PATs in secure credential management systems
  • Limit scope to minimum required permissions
  • Monitor PAT usage for anomalies

General Security

  • Always use HTTPS for token requests
  • Never log or expose tokens in application code
  • Implement proper error handling for authentication failures