MCP Server
Authentication
API keys, scopes, and access control for the MCP server.
The MCP server authenticates with your Enhance instance using API keys. Keys are scoped to specific permissions and can be limited to individual projects.
Creating an API key
- Go to Workspace Settings > MCP
- Click Create API Key
- Copy the key immediately — it's shown only once
The key format is byg_live_<40 hex characters>. Keys are SHA-256 hashed before storage, so the raw key cannot be retrieved after creation.
Scopes
API keys use granular scopes to control which operations are permitted:
| Scope | Description |
|---|---|
| search:read | Search code, knowledge base, and issues |
| issues:read | List and read issues |
| issues:write | Create and update issues |
| code:read | Read codebase maps and file contents |
| wiki:read | List and read wiki pages |
| wiki:write | Create and update wiki pages |
| dev_plans:read | List and read dev plan documents |
| dev_plans:write | Create and update dev plan documents |
Default scopes
Keys created from the workspace settings UI include: search:read, issues:read, code:read, wiki:read.
Keys created from project settings include all scopes (read and write).
Project scoping
Keys can be:
- Workspace-scoped — Access all projects in the workspace
- Project-scoped — Access only specific projects
Project-scoped keys are created from the project settings page and automatically limit access to that project's data.
Key management
- Revoke — Disabled keys are immediately rejected by the API
- Rotate — Create a new key, update your IDE config, then revoke the old key
- Audit — All API key usage is logged with timestamps
Security best practices
- Use project-scoped keys when possible (principle of least privilege)
- Rotate keys periodically
- Don't commit keys to version control — use environment variables or .enhance.json (gitignored)
- Revoke keys immediately if compromised
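One way to enforce the "don't commit keys" rule above, as an added example that is not part of Enhance's own tooling: a scanner that finds strings in the documented byg_live_ key format and reports them redacted. The function names, the --demo flag and the truncated SHA-256 fingerprint are assumptions made for this illustration.

```python
import hashlib
import re
import sys

# Key format stated on this page: byg_live_ followed by 40 hex characters.
# The page does not say whether the hex is lowercase only, so both cases match.
KEY_RE = re.compile(r"(?<![0-9A-Za-z_])byg_live_[0-9a-fA-F]{40}(?![0-9a-fA-F])")

# Constructed sample input (not a real key), used when run with --demo.
SAMPLE = 'token = "byg_live_' + "ab12" * 10 + '"\nnote = "byg_live_abc123"\n'


def redact(key):
    """Keep the 9-character prefix and the last 4 characters only."""
    return key[:9] + "*" * 36 + key[-4:]


def fingerprint(key):
    # Short SHA-256 tag for naming a leaked key in a report without repeating it.
    return hashlib.sha256(key.encode("ascii")).hexdigest()[:16]


def scan_text(text, path="<stdin>"):
    """Return (path, line number, redacted key, fingerprint) per key-shaped string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            key = match.group(0)
            findings.append((path, lineno, redact(key), fingerprint(key)))
    return findings


def scan_files(paths):
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(fh.read(), path))
        except OSError as exc:  # deleted or unreadable path: report and continue
            print(f"skip {path}: {exc}", file=sys.stderr)
    return findings


if __name__ == "__main__":
    demo = sys.argv[1:] == ["--demo"]
    hits = scan_text(SAMPLE, "<sample>") if demo else scan_files(sys.argv[1:])
    for path, lineno, shown, fp in hits:
        print(f"{path}:{lineno}: Enhance API key {shown} (sha256 {fp})")
    sys.exit(1 if hits else 0)
```

Run it from a pre-commit hook with the staged file names as arguments; a non-zero exit blocks the commit. Any key it finds in a commit should be treated as compromised and revoked.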