API Access & Tokens

AIPM can be driven by automated agents and scripts over its REST API and MCP tool surface, both authenticated with revocable, scope-limited bearer tokens.

Access surfaces

AIPM exposes its functionality over three surfaces. Choose the one that matches who—or what—is doing the work:

Both programmatic surfaces—the REST API and MCP—are authenticated with bearer tokens. The web UI uses interactive sign-in instead.

Bearer tokens

A bearer token is a long-lived credential that a caller presents on every request in an HTTP header:

Scoping a token

A token does not have to carry full access. It can be scope-limited so an automated agent receives only the narrow authority it needs—for example, restricted to certain operations or to specific projects—rather than the keys to everything.

Separation of duties still applies

Authenticating with a token does not let a caller step around AIPM's maker / checker / approver controls:

Read-only mode, TLS, and the audit trail

Good practice