council

API Tokens

One token format, every server-to-server entrypoint. MCP and the @zcouncil/cli bridge both accept the same zcouncil API token.

Create

Create a new API token. Name it for the machine ("MacBook", "GitHub Actions"). Copy the plaintext — it shows once and is unrecoverable after.

Use

http
Authorization: Bearer dc_...

Pass it on https://api.zcouncil.com/mcp and to zcouncil bridge start. Same token format, same scope.

Manage

The list shows name, prefix, and last-used time. Delete revokes immediately — any session using that token disconnects on the next request.

Lost a token? Delete and recreate. There's no way to see plaintext after the create dialog closes.

Optional: expiration

The apiTokens:createToken Convex action accepts an optional expiresInMs field that isn't yet surfaced in the Settings UI:

  • expiresInMs — auto-revoke after this many milliseconds. The token starts returning 401 Token expired once createdAt + expiresInMs passes. Useful for CI tokens, time-boxed scripts, and rotation policies.

Defaults to "forever" — existing tokens are unchanged.

Tips

  • One token per machine. Rotation doesn't disrupt the others.
  • Don't commit tokens to git.
  • Anyone holding a token can spend your usage. Treat it like a password.