Skip to main content
Lucent exposes a read-only Model Context Protocol server so any MCP-compatible client — Claude Code, Cursor, Claude Desktop, Windsurf — can query your organization’s signals, issues, and insights directly. The server runs at https://app.lucenthq.com/api/mcp and uses static bearer tokens minted from your org settings. Read-only: agents can list and fetch data, never write or mutate.

1. Create a token

1

Open Organization settings

Sign in to the Lucent dashboard, then open Organization settingsMCP.
2

Click Create token

Give the token a name so you can identify it later (e.g. my laptop, cursor-prod). Names are free text up to 64 characters.
3

Copy the plaintext token

The token is shown once in a dialog that starts with luc_mcp_….
This is the only time the plaintext is visible. Lucent stores a SHA-256 hash, not the original token. If you lose it, revoke it and create a new one.

2. Configure your client

The UI auto-fills the snippets below with your real token until you navigate away — copy whichever one matches your client.
Register the server once for the current project:
claude mcp add --transport http lucent https://app.lucenthq.com/api/mcp \
  --header "Authorization: Bearer luc_mcp_..."
Claude Code stores this in ~/.claude.json and sends the bearer header on every request. Run /mcp inside Claude Code to confirm the connection and list the tools.

3. Try a tool

Once the client is connected, ask your agent a question that needs your Lucent data. A few prompts that exercise each tool:
  • “What are my most critical unresolved issues right now?”list_issues
  • “Show me issue 87b3a6b6-5af5-438b-a39c-eff148a68ccb.”get_issue
  • “What signals have I configured and which are matching most?”list_signals
  • “Summarize the last week of insights.”list_insights
See the tool reference for the full set of arguments and return shapes.

Security model

  • 192-bit token entropy. Generated from a CSPRNG, encoded with base64url. Prefixed with luc_mcp_ so you can spot them in configs.
  • SHA-256 hashed at rest. The plaintext is never stored on disk or in logs — only the hex digest.
  • Organization-scoped. Every tool query compiles to WHERE org_id = ? where the org_id comes exclusively from your token’s auth context. There is no way for a client to override it.
  • Instant revocation. Revoking a token in the dashboard sets revoked_at; the next request returns 401 immediately.
  • Read-only. The MCP server exposes no write tools. Agents cannot create, update, or delete data in your org.
  • Per-token usage timestamps. The Last used column in the dashboard shows when each token was most recently active. If you see unexpected activity, revoke and rotate.

Troubleshooting

Your client likely couldn’t reach the OAuth discovery endpoint. Confirm you can GET https://app.lucenthq.com/.well-known/oauth-protected-resource and it returns valid JSON (not an HTML page). If it’s blocked by a corporate proxy, add an exception.
Check that your client is sending the Authorization: Bearer ... header and that the token wasn’t revoked in the dashboard. Token comparison is exact — no trailing whitespace, and the full luc_mcp_ prefix is required.
The streamable HTTP transport is the only supported transport. If your client is trying to fall back to legacy SSE (/api/sse or /api/message), upgrade to a client that supports streamable HTTP or use mcp-remote as a proxy.
The plaintext is only visible once, at creation time. Revoke the token in Organization settings → MCP and create a new one.