External integrations & MCP tokens
Where this lives: AI Agents → External integrations in your dashboard sidebar.
This page is where you let outside tools — Claude Desktop, ChatGPT desktop, n8n, Zapier, Make.com, custom scripts — talk to your Coffield.io workspace.
Think of an MCP token as a hotel keycard you cut for a specific contractor:
- It only works on the doors you check off when you cut the card (each toolset = one set of doors).
- It expires when you say it does.
- You can punch a single card without affecting any of the others.
- The card is shown to you once, at issue time. Lose it, and you cut a new one.
You do not need to know what JSON-RPC is to use this page. Each toolset card already lists the things the outside tool can do in plain English.
When should I use this page?
Shopify owners
If you are on Shopify, use this sequence first:
- Dashboard -> Integrations -> External integrations.
- Connect Shopify (OAuth).
- Install storefront widget.
This is the standard owner workflow and does not require manual theme file edits in normal cases.
| You want to… | Tool to use |
|---|---|
| Have an outside tool create leads, bookings, or workflow requests in your workspace | MCP tokens (this page) |
| Have a developer pull data into a custom dashboard or BI tool | REST API (Pro) — read-only |
| Get notified when something happens in Coffield.io | Outbound webhooks (Growth+) |
| Connect HubSpot CRM with one click | HubSpot CRM (Pro) |
| Run a recipe on demand | Workflows (Growth+) |
MCP tokens are the best fit when the outside tool is agentic — something that decides on its own which action to take next (Claude Desktop, an n8n agent node, a custom assistant). For one-off "send Slack on lead created" automations, outbound webhooks are simpler.
The six toolsets
Each card on the page is one toolset. You can grant any combination to a single token.
| Toolset | What it does | Minimum plan |
|---|---|---|
| Scheduling | Create, list, and cancel booking requests | Growth |
| Workflow | Browse workflow ideas, submit new requests, trigger existing workflow recipes, read run history | Starter (some tools require Growth — see below) |
| Knowledge | Search your assistant's active knowledge, list categories | Starter |
| Kanban | List projects, list cards, add new cards | Growth |
| Files | Browse files you have marked agent-shareable, fetch their share links | Growth |
| Training | Push new knowledge items into your assistant — as drafts pending your review | Growth |
Plain-language note: "Growth" means "Growth plan or above." Pro and Custom inherit everything Growth gets.
Locked toolsets show an amber banner with a View plans → link instead of being hidden — so you always know what upgrading would unlock.
Cutting a token (step by step)
- Go to AI Agents → External integrations.
- Scroll to the Create a token form.
- Type a name you'll recognize later (e.g. "Claude Desktop — my laptop" or "n8n — production"). This name is for you only; outside tools never see it.
- (Optional) Set an expiry. Leave it blank for "never expires" — but for tokens you give to a contractor, set a date.
- Check the toolsets this token should be allowed to use. Less is better — start with one or two and add a new token later if you need another.
- Press Create token.
- Copy the token immediately. It is shown to you exactly once. Coffield.io stores only a hash, not the token itself, so we cannot retrieve it later.
- Paste it into the outside tool's MCP configuration. Each tool has its own UI:
  - Claude Desktop: Settings → Developer → Edit Config, add an entry under mcpServers with the toolset's endpoint URL (visible on each toolset card) and Authorization: Bearer <your token> header.
  - n8n: add an MCP Client node, paste the endpoint URL and bearer token.
  - Zapier / Make.com: use the generic HTTP module, POST JSON-RPC envelopes to the endpoint URL with Authorization: Bearer ... header.
If you forget to copy the token, revoke it and create a new one — it cannot be re-shown.
Reviewing what a token can see
The Active tokens table on the page shows you:
| Column | What it tells you |
|---|---|
| Name | Whatever you typed at creation |
| Toolsets | Comma-separated list of what this token is allowed to call |
| Last used | When an outside tool last successfully used it (helps catch unused-but-still-active tokens) |
| Created / Expires | Self-explanatory |
| Revoke | One-click kill switch |
Revoking is instant — the next request that token makes returns 401.
Compromised token? Revoke first, ask questions second. The token is dead the moment you click Revoke.
The Training toolset — operator review workflow
This is the only toolset that writes into your knowledge base, so it has the most important safety pattern in the whole system. Read this section before you grant the Training toolset to any external tool.
What outside tools can do
- add_training_item — push a new knowledge item (title + content + optional summary/category).
- update_training_item — edit one of the drafts they previously pushed.
- archive_training_item — pull an item out of rotation.
- list_training_drafts — see what is sitting in your review queue.
What outside tools cannot do
- Activate knowledge. Every item pushed via the Training MCP lands in your workspace as a draft with a "system suggested" flag, and your assistant never sees it until you promote it.
- Edit live knowledge. Once you promote an item, the Training MCP refuses to touch it. External tools cannot silently rewrite the answer your assistant gives.
This means even a stolen Training token cannot poison what your assistant says. The worst it can do is fill your review queue with spam — and the Revoke button takes care of that.
How to review what's been pushed
- Go to AI Agents → Agents and open the relevant agent.
- Scroll down to the What the agent knows section.
- The filter row above the table has two filters:
  - Visibility — set it to Draft to see only items pending review.
  - Source — set it to Pushed by external tool to see only items the Training MCP added (vs. items you typed by hand).
- The Source column shows a blue External tool badge on items pushed by the Training MCP — hover over it for a one-line warning ("Pushed by an external tool via the Training integration. Review carefully before promoting to Live.").
- Click any draft row to open the editor.
- Read it. Read it carefully. This is the moment of trust.
- If you're happy, change Make available to the agent from Draft to Live and save. Your assistant will start using it within a minute.
- If you don't want it, either:
  - Change Make available to the agent to Hidden — leaves an audit trail.
  - Delete from the row actions — removes it entirely.
Healthy review habits
- Check the draft queue at least weekly.
- If you see a flood of drafts you didn't expect, revoke the Training token first.
- The Source = Pushed by external tool filter is the fastest way to bulk-find Training-MCP items if you want to review just those.
What happens if a token is misused
Every MCP request is checked at four layers:
- Token validity — revoked or expired? 401, denied.
- Toolset scope — token tried a toolset you didn't grant? 403, denied.
- Plan tier — downgraded since you cut the token? 403 with a friendly upgrade prompt.
- Abuse guard — if a token is used more than 250 times in a single minute, it's auto-throttled to 429 (per-token, not per-IP — so rotating IPs doesn't help). If an IP fails authentication more than 10 times in an hour, the whole IP is locked out for the rest of the hour.
You don't have to configure any of this — it just runs.
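The four checks above, sketched as an added example (this is not Coffield.io's implementation): tokens are kept only as digests, and the limits are the ones this page states. The class and function names, SHA-256 as the hash, the plan ranking, the sliding windows, and the 429 status for the IP lockout are assumptions of this sketch.

```python
import hashlib, secrets, time
from collections import defaultdict, deque

# Limits and minimum plans are taken from the page; the plan ordering is assumed.
PLAN_RANK = {"starter": 0, "growth": 1, "pro": 2, "custom": 3}
MIN_PLAN = {"scheduling": "growth", "workflow": "starter", "knowledge": "starter",
            "kanban": "growth", "files": "growth", "training": "growth"}
BURST_LIMIT, BURST_WINDOW = 250, 60   # calls per token per minute
FAIL_LIMIT, FAIL_WINDOW = 10, 3600    # failed authentications per IP per hour

def digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

class Gate:
    def __init__(self):
        self.tokens = {}                  # digest -> record; the raw token is never stored
        self.calls = defaultdict(deque)   # digest -> timestamps of accepted calls
        self.fails = defaultdict(deque)   # ip -> timestamps of failed authentications

    def issue(self, toolsets, expires_at=None):
        token = secrets.token_urlsafe(32)
        self.tokens[digest(token)] = {"toolsets": set(toolsets),
                                      "expires_at": expires_at, "revoked": False}
        return token                      # shown once to the caller

    def revoke(self, token_digest):
        self.tokens[token_digest]["revoked"] = True

    def check(self, token, toolset, plan, ip, now=None):
        now = time.time() if now is None else now
        fails = self.fails[ip]
        while fails and now - fails[0] >= FAIL_WINDOW:
            fails.popleft()
        if len(fails) > FAIL_LIMIT:       # lockout; requests made now add no new failures
            return 429, "ip locked out"   # status code assumed, the page does not give one
        rec = self.tokens.get(digest(token))
        if rec is None or rec["revoked"] or (
                rec["expires_at"] is not None and now >= rec["expires_at"]):
            fails.append(now)
            return 401, "token invalid, revoked or expired"
        if toolset not in rec["toolsets"]:
            return 403, "toolset not granted"
        if PLAN_RANK[plan] < PLAN_RANK[MIN_PLAN[toolset]]:
            return 403, "plan does not include toolset"
        calls = self.calls[digest(token)]
        while calls and now - calls[0] >= BURST_WINDOW:
            calls.popleft()
        if len(calls) >= BURST_LIMIT:     # keyed on the token, so the source IP is irrelevant
            return 429, "burst throttled"
        calls.append(now)
        return 200, "ok"
```

Revocation takes a digest because that is all the server holds; the dashboard row identifies the record without the secret ever being re-entered.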
The endpoint URLs (for your developer)
Each toolset card shows its endpoint, but for reference:
| Toolset | Endpoint |
|---|---|
| Scheduling | https://<your-domain>/api/agent/mcp/scheduling |
| Workflow | https://<your-domain>/api/agent/mcp/workflow |
| Knowledge | https://<your-domain>/api/agent/mcp/knowledge |
| Kanban | https://<your-domain>/api/agent/mcp/kanban |
| Files | https://<your-domain>/api/agent/mcp/files |
| Training | https://<your-domain>/api/agent/mcp/training |
All endpoints speak JSON-RPC 2.0 and support initialize, tools/list, tools/call, and ping. Any MCP-compliant client (Claude Desktop, Cursor, n8n MCP node, etc.) will detect the tools automatically.
If your developer wants the raw schema, point them at the tools/list response after authenticating — every tool's input schema is published there in JSON Schema draft-07 format.
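For a custom script, the client side of one call looks like this. It is an added example, not Coffield.io's code: it builds the JSON-RPC 2.0 POST for a toolset endpoint and retries only on 429, since a retried 401 counts toward the per-IP lockout described earlier. The function names, the environment variable name, and the workspace.example domain are assumptions.

```python
import json, os, time, urllib.error, urllib.request

TOOLSETS = {"scheduling", "workflow", "knowledge", "kanban", "files", "training"}

def build_request(domain, toolset, token, method, params=None, req_id=1):
    """Build the POST for one JSON-RPC 2.0 call; nothing is sent here."""
    if toolset not in TOOLSETS:
        raise ValueError(f"unknown toolset: {toolset}")
    if not token or token != token.strip():
        raise ValueError("token missing or padded with whitespace")  # copy/paste slip
    envelope = {"jsonrpc": "2.0", "id": req_id, "method": method}
    if params is not None:
        envelope["params"] = params
    return urllib.request.Request(
        f"https://{domain}/api/agent/mcp/{toolset}",  # HTTPS only: the header carries the token
        data=json.dumps(envelope).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )

def call(req, send=urllib.request.urlopen, sleep=time.sleep, max_tries=3):
    """Send req. Only a 429 is retried; a 401 or 403 is raised at once so a bad
    token is never replayed into the failed-authentication counter."""
    for attempt in range(1, max_tries + 1):
        try:
            with send(req, timeout=10) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as err:
            if err.code == 429 and attempt < max_tries:
                sleep(60)  # the burst window on this page is one minute
                continue
            raise

if __name__ == "__main__":
    # Hypothetical variable name; the fallback is a constructed placeholder, not a real token.
    token = os.environ.get("COFFIELD_MCP_TOKEN", "constructed-placeholder-token")
    req = build_request("workspace.example", "knowledge", token, "tools/list")
    print(req.full_url, req.data.decode())  # logs URL and body, never the token
```

Argument names for a tools/call request should be taken from the tools/list response rather than guessed.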
Troubleshooting
| Symptom | What's happening | Fix |
|---|---|---|
| "Bearer token required" | The Authorization header is missing or doesn't start with Bearer | Re-paste the token into your MCP client config |
| "Invalid token" | Token was typed/copied wrong, or you copied a token that you later revoked | Cut a new one |
| "Token has been revoked" / "Token has expired" | Self-explanatory | Cut a new one |
| "Token does not grant access to the X server" | You didn't check that toolset when creating the token | Cut a new token with the right toolsets checked, then revoke the old one |
| "Your current plan does not include the X integration" | Your plan was downgraded after the token was issued | Upgrade, or cut a new token without that toolset |
| "Suspicious burst detected" | An outside tool called this token more than 250 times in 60 seconds | Wait a minute and try again. If you didn't expect a burst, revoke and investigate the client |
| "Too many failed authentication attempts from your IP" | Something on the calling machine is firing bad requests | Wait the hour out, fix the calling tool, then try again — retrying during the lockout extends nothing |
| Training drafts never appear in the review queue | The agent picker is set to a different agent, or the Visibility filter isn't on Draft | Open the right agent / set the Visibility filter to Draft |
If you're still stuck, email support@coffield.io with the token name (never the token itself) and the toolset that's misbehaving.