AI and MCP Access
Connect approved AI clients to CapitalOS with personal API keys and existing organization permissions.
What this module does
CapitalOS MCP access lets eligible users connect supported AI clients to CapitalOS tools. The settings area can create a personal API key, show setup instructions for common clients, list existing keys, display creation and last-used information, and revoke a key that should no longer work.
MCP access does not create a separate permission system. The connected client operates with the account, organization, module, and role boundaries of the user who created the key.
When to use it
Use MCP when you want an approved AI client to help inspect or work with CapitalOS through the available tools. Current setup examples cover Claude Code, Claude Desktop, Codex CLI, Cursor, and Windsurf.
Do not create a shared team key. Each eligible user should create and manage their own key so access remains attributable and can be revoked independently.
How it fits into CapitalOS
MCP settings are part of the personal account area. Availability depends on organization role and subscription plan: the current interface enables qualified owner or administrator access for Foundation, Operator, and Enterprise plans, while Starter is shown as unavailable.
The key authenticates the user, while CapitalOS continues to enforce downstream organization and module permissions on available operations.
Main concepts
- MCP: the protocol used by a compatible AI client to discover and call CapitalOS tools.
- Personal API key: a secret credential owned by the user who created it.
- Key label: a recognizable name for the client or purpose of the key.
- One-time display: the full secret is shown when created and cannot be retrieved later from the list.
- Client configuration: the server address and credential placement required by a supported AI client.
- Last used: information that helps identify active or unused credentials.
- Revocation: permanent invalidation of a selected key.
Typical workflow
- Confirm that you are an owner or administrator in an eligible organization.
- Open personal account settings and select MCP.
- Create a key with a label that identifies the client and device.
- Copy the secret immediately and store it in an approved password or secrets manager.
- Follow the setup snippet for the chosen AI client.
- Test access with a low-risk, read-only request and confirm the expected organization scope.
- Review the key list and last-used information periodically.
- Revoke keys for retired devices, unused clients, or suspected exposure.
Permissions and prerequisites
You need a qualified organization role and plan. Your AI client must support the provided MCP connection method. Never paste the secret into chat, tickets, source control, screenshots, or shared documents.
Treat the AI client as another interface to your account: verify the active organization, review proposed changes, and use the least access necessary. If a key is exposed, revoke it and create a replacement.
Guides planned for this module
- Check role and plan eligibility for MCP access.
- Create, label, store, and revoke a personal API key.
- Configure Claude Code and Claude Desktop.
- Configure Codex CLI.
- Configure Cursor or Windsurf.
- Validate organization scope with a read-only request.
- Respond safely to a lost or exposed key.