API tokens

Generate, rotate, and revoke the bearer token used by the plugin and MCP server. One token per user, shown once.

Frostbyte uses a bearer token for programmatic access via the Plugin and the MCP server. One token per user. Shown once at generation, hashed at rest, revocable any time.

Generating a token

In account settings, scroll to API token and click Generate token. The token is displayed once; copy it immediately into your client (or password manager). Frostbyte stores only its SHA-256 hash, so we cannot show it to you again.

Token format: 64 hex characters, generated by crypto.randomBytes(32).toString("hex"). Treat it like a password.

Using the token

Include the token in the Authorization header of any request to MCP or the API:

Authorization: Bearer <your-token>

The Plugin handles this for you: paste the token once during install.

Revoking and rotating

To rotate, click Generate token again. The old token is replaced immediately; any existing client sessions that authenticated with the old token start failing on the next request. Update your client with the new token and you're back online.

To revoke without replacement, click Delete token. Your account no longer accepts bearer auth until you generate a new one.

There's no token-expiry mechanism in v1. Tokens are valid until you rotate or revoke.

Scope

A token grants the same access the user has: every project they're a member of, every task they can see in the UI. There are no per-project tokens or fine-grained scopes in v1; this is a deliberate simplification for the small-team use case.

If you want stricter access control (e.g. one token per integration, with scoped access), that's an Enterprise tier roadmap item.

Tier requirement

API tokens are available on all tiers, including Free. Any logged-in user can generate a token and use it to connect the plugin or authenticate to the MCP server and API.

The token requirement isn't a paid-tier gate — it's a security boundary. Universal MCP access without a token would let any signed-out user trigger actions on behalf of unrelated accounts.

What gets logged

Every request authenticated by a bearer token records the user as the actor in the Activity feed. You can see which actions came from your agent versus your browser by looking at the via field on each activity entry.
