> ## Documentation Index
> Fetch the complete documentation index at: https://openworklabs.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Mint MCP access token

> Mints an org-scoped MCP access token for the caller's active organization so first-party clients can connect to the Den MCP server without a separate browser OAuth flow.



## OpenAPI

````yaml /openapi.json post /v1/mcp/token
openapi: 3.1.0
info:
  title: Den API
  description: >-
    OpenAPI spec for the Den control plane API.


    Authentication:

    - Use `Authorization: Bearer <session-token>` for user-authenticated routes
    that require a Den session.

    - Use `x-api-key: <den-api-key>` for API-key-authenticated routes that
    accept organization API keys.

    - Public routes like health and documentation do not require authentication.


    Swagger tip: use the security schemes in the Authorize dialog to set either
    `bearerAuth` or `denApiKey` before trying protected endpoints.
  version: dev
servers: []
security: []
tags:
  - name: System
    description: Service health and operational routes.
  - name: Organizations
    description: Top-level organization creation and context routes.
  - name: Invitations
    description: Invitation preview, acceptance, creation, and cancellation routes.
  - name: API Keys
    description: Organization API key management routes.
  - name: SCIM
    description: Organization SCIM connector management routes.
  - name: SSO
    description: Organization single sign-on connector management routes.
  - name: Members
    description: Organization member management routes.
  - name: Roles
    description: Organization custom role management routes.
  - name: Teams
    description: Organization team management routes.
  - name: Templates
    description: Organization shared template routes.
  - name: LLM Providers
    description: Organization LLM provider catalog, configuration, and access routes.
  - name: Skills
    description: Organization skill authoring and sharing routes.
  - name: Skill Hubs
    description: Organization skill hub management and access routes.
  - name: Workers
    description: Worker lifecycle, billing, and runtime routes.
  - name: Worker Runtime
    description: Worker runtime inspection and upgrade routes.
  - name: Worker Activity
    description: Worker heartbeat and activity reporting routes.
  - name: Telemetry
    description: Telemetry event ingestion and adoption analytics.
  - name: Admin
    description: Administrative reporting routes.
  - name: Users
    description: Current user and membership routes.
  - name: Bootstrap
    description: Agent-first provisional workspace setup routes.
paths:
  /v1/mcp/token:
    post:
      tags:
        - Authentication
      summary: Mint MCP access token
      description: >-
        Mints an org-scoped MCP access token for the caller's active
        organization so first-party clients can connect to the Den MCP server
        without a separate browser OAuth flow.
      operationId: postV1McpToken
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                scopes:
                  minItems: 1
                  type: array
                  items:
                    type: string
                    enum:
                      - mcp:read
                      - mcp:write
      responses:
        '200':
          description: MCP access token minted successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/McpTokenResponse'
        '400':
          description: The token request was invalid or no active organization is selected.
          content:
            application/json:
              schema:
                anyOf:
                  - $ref: '#/components/schemas/InvalidRequestError'
                  - $ref: '#/components/schemas/McpTokenOrganizationRequiredError'
        '401':
          description: The caller must be signed in to mint an MCP token.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/UnauthorizedError'
        '403':
          description: API keys cannot mint MCP tokens.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ForbiddenError'
components:
  schemas:
    McpTokenResponse:
      type: object
      properties:
        token:
          type: string
        expiresAt:
          type: string
          format: date-time
          pattern: >-
            ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
        organizationId:
          type: string
        scopes:
          type: array
          items:
            type: string
        resource:
          type: string
      required:
        - token
        - expiresAt
        - organizationId
        - scopes
        - resource
    InvalidRequestError:
      type: object
      properties:
        error:
          type: string
          const: invalid_request
        details:
          type: array
          items:
            type: object
            properties:
              message:
                type: string
              path:
                type: array
                items:
                  anyOf:
                    - type: string
                    - type: number
            required:
              - message
            additionalProperties: {}
      required:
        - error
        - details
    McpTokenOrganizationRequiredError:
      type: object
      properties:
        error:
          type: string
          const: organization_required
        message:
          type: string
      required:
        - error
        - message
    UnauthorizedError:
      type: object
      properties:
        error:
          type: string
          const: unauthorized
      required:
        - error
    ForbiddenError:
      type: object
      properties:
        error:
          type: string
          enum:
            - forbidden
            - reauth
        reason:
          type: string
        message:
          type: string
      required:
        - error

````