Add MCP token type

MarceloRGonc · MarceloRGonc · commit 7247c10eea51 · 2025-11-27T11:24:59.000Z
diff --git a/packages/server/api/src/app/ai/mcp/openops-tools.ts b/packages/server/api/src/app/ai/mcp/openops-tools.ts
@@ -11,6 +11,7 @@ import fs from 'fs/promises';
 import { OpenAPI } from 'openapi-types';
 import os from 'os';
 import path from 'path';
+import { accessTokenManager } from '../../authentication/context/access-token-manager';
 import { MCPTool } from './types';
 
 const INCLUDED_PATHS: Record<string, string[]> = {
@@ -68,7 +69,7 @@ async function getOpenApiSchemaPath(app: FastifyInstance): Promise<string> {
 
 export async function getOpenOpsTools(
   app: FastifyInstance,
-  authToken: string,
+  userAuthToken: string,
 ): Promise<MCPTool> {
   const basePath = system.getOrThrow<string>(
     AppSystemProp.OPENOPS_MCP_SERVER_PATH,
@@ -79,13 +80,15 @@ export async function getOpenOpsTools(
 
   const tempSchemaPath = await getOpenApiSchemaPath(app);
 
+  const mcpToken = await accessTokenManager.generateMCPToken(userAuthToken);
+
   const openopsClient = await experimental_createMCPClient({
     transport: new Experimental_StdioMCPTransport({
       command: pythonPath,
       args: [serverPath],
       env: {
         OPENAPI_SCHEMA_PATH: tempSchemaPath,
-        AUTH_TOKEN: authToken,
+        AUTH_TOKEN: mcpToken,
         API_BASE_URL: networkUtls.getInternalApiUrl(),
         OPENOPS_MCP_SERVER_PATH: basePath,
         LOGZIO_TOKEN: system.get<string>(SharedSystemProp.LOGZIO_TOKEN) ?? '',
diff --git a/packages/server/api/src/app/authentication/context/access-token-manager.ts b/packages/server/api/src/app/authentication/context/access-token-manager.ts
@@ -31,6 +31,24 @@ export const accessTokenManager = {
     });
   },
 
+  async generateMCPToken(
+    userToken: string,
+    expiresInSeconds: number = openOpsRefreshTokenLifetimeSeconds,
+  ): Promise<string> {
+    const principal = await this.extractPrincipal(userToken);
+
+    const secret = await jwtUtils.getJwtSecret();
+
+    return jwtUtils.sign({
+      payload: {
+        ...principal,
+        token: PrincipalType.MCP,
+      },
+      key: secret,
+      expiresInSeconds,
+    });
+  },
+
   async generateEngineToken({
     executionCorrelationId,
     projectId,
diff --git a/packages/shared/src/lib/authentication/model/principal-type.ts b/packages/shared/src/lib/authentication/model/principal-type.ts
@@ -1,4 +1,5 @@
 export enum PrincipalType {
+  MCP = 'MCP',
   USER = 'USER',
   ENGINE = 'ENGINE',
   SERVICE = 'SERVICE',

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`export enum PrincipalType {`
	`2`	`+ MCP = 'MCP',`
`2`	`3`	`USER = 'USER',`
`3`	`4`	`ENGINE = 'ENGINE',`
`4`	`5`	`SERVICE = 'SERVICE',`