Who touched your MCP server. And what they did.
Granular roles. Machine identities. Time-bound access. Nobody gets more than the job requires. Enforced by the Vinkius.
System roles. Custom roles. Your call.
Start with built-in roles that cover 90% of use cases. When they don't fit, clone and customize - down to individual permissions.
System Roles
Owner, Admin, Member, Viewer - four roles that cover 90% of organizations. Each with a predefined permission set tuned to real-world access patterns.
Custom Roles
Clone any system role and modify individual permissions. Need a "Deployer" who can push servers but not manage billing? Create it in two clicks.
Project-Scoped Binding
Roles are bound per-project. An admin in Project A can be a viewer in Project B. No global escalation. Permissions follow the namespace.
Machines need identity too.
CI/CD pipelines, automation scripts, and external services all need access to your MCP servers. Service accounts give them identity without sharing human credentials.
API Key Authentication
Generate scoped API keys for automation. Each key inherits a role binding and is restricted to specific projects. Revoke instantly without affecting human users.
OIDC Federation
Trust external identity providers for machine-to-machine auth. GitHub Actions, GitLab CI, or any OIDC-compatible system can authenticate without storing secrets.
Automatic Rotation
Set expiration policies on API keys and service account tokens. Forced rotation on a schedule you define. Expired credentials are rejected immediately.
Full Attribution
Every API call from a service account is logged with the account identity, timestamp, action, and target resource. No anonymous machine access.
Group people. Then forget about them.
Assign roles to teams instead of individuals. When someone joins the team, they get the right permissions automatically. When they leave, access disappears. No residual privileges.
Visible Teams
Discoverable by all organization members. Anyone can see who belongs to the team and what projects they have access to. Ideal for cross-functional collaboration.
Secret Teams
Hidden from non-members. Only team members and organization admins can see the team exists. Use for security-sensitive projects or pre-release initiatives.
AI agents never stop.
MCP Servers need Vinkius.
Autonomous agents don't sleep. Every tool call hits a hardened isolation perimeter - cryptographic lockfiles, zero-trust RBAC, and hard execution quotas enforced at the payload level. No wrappers. Titanium-grade governance for autonomous compute.