Skip to main content
Preview — Token Scoping is in preview. API surface may change. Join our Discord for support and feedback.
Service tokens let you safely expose Smithery to browsers, mobile apps, and AI agents without leaking your API key. Each token carries constraints that restrict which namespaces, resources, operations, and metadata it can access. For general Smithery setup, see Connect to MCPs.

Scope a Token to a User

When your app serves multiple users, you’ll want each user’s token to only access their own connections. You do this by tagging connections with metadata (e.g., { userId: "user-123" }) when you create them, then creating a token with the same metadata constraint. The token will only be able to see connections whose metadata matches.
This token can list and call tools on connections in my-app where metadata.userId is user-123 — nothing else. Even if the client tries to access another user’s connection, the request is denied. You can also match on multiple metadata fields at once. Fields within a single metadata object are AND’d, so the token below only matches connections where both userId and tier match:

Multi-Level Access (Workspace / Org)

Real apps often have multiple access levels. For example, a user should see:
  • Their own connections
  • Connections shared with their workspace
  • Global connections configured by an admin
Pass multiple constraints in the policy array. Each constraint is an independent grant — the token can access anything that matches any of them.
The token holder sees connections matching any of the three grants. This replaces the need for separate tokens per access level.
For this to work, tag your connections with the right metadata when you create them:
  • User connections: metadata: { userId: 'user-123' }
  • Workspace connections: metadata: { workspaceId: 'ws-acme' }
  • Global connections: metadata: { scope: 'global' }

Narrow a Token

You can create a narrower token from an existing service token. The new token can only have equal or fewer permissions — it cannot exceed the parent token’s scope. This is useful when your backend holds a broad token and needs to hand out more restricted tokens per request. For example, using the multi-level token from the previous section as the starting point:
When to use this: Your backend mints one broad token at startup (e.g., all connections in a namespace). Per request, it narrows that token for the specific user or context before passing it to client code.

Operation Scoping

Control what operations a token can perform on each resource.

Read-Only Dashboard Token

Execute-Only Agent Token

Multi-Resource Token

A single token can grant access to multiple resources by passing multiple constraints in the policy array:

Constraint Reference

The policy array contains constraints — each one is a self-contained grant describing what the token can access.
Two rules govern every constraint:
  • Adding a field narrows (AND). Each field adds a condition. More fields = more restrictive.
  • Adding to a list widens (OR). Each list element adds an alternative. More elements = more permissive.
When you pass multiple constraints in the policy array, each is an independent grant. The token can access anything matching any constraint.
Metadata within a single object is AND’d: { owner: 'alice', env: 'prod' } means owner is alice and env is prod. Use a list for OR: [{ owner: 'alice' }, { env: 'prod' }] means owner is alice or env is prod.

Security Best Practices

  • Always set a TTL. Tokens expire after the TTL (max 24 hours). Shorter is better — mint fresh tokens per session.
  • Scope to the minimum needed. A token for calling tools only needs connections:execute, not connections:write.
  • Use metadata for row-level filtering. Don’t rely on connection IDs alone — metadata constraints are enforced server-side.
  • Narrow before passing to untrusted code. If you hand a token to a browser, agent, or sandbox, restrict it to the specific user and operations needed.
  • Tokens cannot mint other tokens from nothing. Only API keys or existing tokens can create tokens, and child tokens can never exceed their parent’s scope.