
Authentication

The Probo MCP Server uses Bearer token authentication. Generate a token from your Probo instance and include it in the Authorization header.

  1. Generate an API token from your Probo instance
  2. Add the token to your MCP client configuration
  3. The token is sent via the Authorization header with each request

To generate a token:

  1. Log into your Probo web interface
  2. Navigate to Settings → API Tokens
  3. Click “Generate New Token”
  4. Give your token a descriptive name (for example, the application and environment that will use it)
  5. Copy the token immediately

The token must be sent with every request using the Authorization header:

Authorization: Bearer your_api_token_here

Add the token to your MCP client configuration:

{
  "mcpServers": {
    "probo": {
      "url": "https://your-probo-instance.com/api/mcp/v1",
      "headers": {
        "Authorization": "Bearer your_api_token_here"
      }
    }
  }
}

For better security, store tokens in environment variables rather than writing them into the configuration file. Whether the ${VAR} placeholder is expanded depends on your MCP client; check its documentation, and if it does not expand placeholders, generate the configuration file from the environment at startup instead of pasting the token in by hand.

Configuration file:

{
  "mcpServers": {
    "probo": {
      "url": "https://your-probo-instance.com/api/mcp/v1",
      "headers": {
        "Authorization": "Bearer ${PROBO_API_TOKEN}"
      }
    }
  }
}

Environment:

export PROBO_API_TOKEN="your_api_token_here"
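For clients that do not expand ${VAR} placeholders, the following script is an added example (not Probo tooling) that renders the configuration shown above from the environment at startup. It reads PROBO_API_TOKEN, strips a pasted trailing newline but refuses a token with embedded whitespace (a common cause of 401s), and writes the file with owner-only permissions. The PROBO_MCP_URL variable, the mcp.json output path and the placeholder URL are assumptions for the example.

```python
"""Render an MCP client config with the Probo token taken from the environment.

Added example, not part of Probo. Assumes the token is in PROBO_API_TOKEN, that
PROBO_MCP_URL optionally overrides the server URL, and that the target MCP
client reads a plain JSON file (the output path is an assumption).
"""
import json
import os
import sys

# Placeholder URL from the docs; real deployments override it via PROBO_MCP_URL.
DEFAULT_URL = "https://your-probo-instance.com/api/mcp/v1"


def token_problem(token):
    """Return a human-readable problem with the token, or None if it looks usable.

    Leading/trailing whitespace (a pasted newline) is tolerated because the
    caller strips it; whitespace inside the token is rejected because it
    produces a malformed Authorization header and a 401 from the server.
    """
    if token is None or token.strip() == "":
        return "PROBO_API_TOKEN is empty or not set"
    inner = token.strip()
    if any(ch.isspace() for ch in inner):
        return "token contains embedded whitespace"
    if not inner.isprintable():
        return "token contains non-printable characters"
    return None


def validate_token(token):
    """Return the cleaned token or raise ValueError describing what is wrong."""
    problem = token_problem(token)
    if problem:
        raise ValueError(problem)
    return token.strip()


def build_config(url, token):
    """Build the mcpServers entry in the shape the docs show, header already expanded."""
    return {
        "mcpServers": {
            "probo": {
                "url": url,
                "headers": {"Authorization": "Bearer " + validate_token(token)},
            }
        }
    }


def write_config(path, config):
    """Write the config readable by the owner only (mode 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(config, f, indent=2)
        f.write("\n")
    # The file may have pre-existed with wider permissions; tighten it regardless.
    os.chmod(path, 0o600)
    return path


def main(argv):
    out = argv[1] if len(argv) > 1 else "mcp.json"
    url = os.environ.get("PROBO_MCP_URL", DEFAULT_URL)
    try:
        cfg = build_config(url, os.environ.get("PROBO_API_TOKEN"))
    except ValueError as e:
        # Report the problem without ever printing the token itself.
        print(f"refusing to write config: {e}", file=sys.stderr)
        return 1
    write_config(out, cfg)
    print(f"wrote {out} (mode 0600); keep it out of version control", file=sys.stderr)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `PROBO_API_TOKEN=... python render_mcp_config.py ~/.config/<client>/mcp.json` from the same environment that launches the MCP client, and add the output path to .gitignore; the rendered file still contains the secret, just with tighter permissions and never in a committed file.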

API tokens inherit the permissions of the user who created them:

  • Organization Access: Tokens can only access organizations you have permission to view
  • Role-Based Access: Your role (admin, member, viewer) determines what operations you can perform
  • Scope Limitations: Tokens have the same access level as the user account

Tools are categorized by their operation type:

Read-Only Tools:

  • listOrganizations, listVendors, listPeople
  • getRisk, getMeasure, getFramework
  • All list* and get* operations

Write Tools:

  • addVendor, updateVendor
  • addRisk, updateRisk
  • All add* and update* operations

Users with the viewer role can only use read-only tools; calling a write tool with a viewer token fails with 403 Forbidden.

See all your active tokens in Settings → API Tokens:

  • Token name and description
  • Creation date
  • Last used timestamp
  • Usage statistics

Immediately disable a token:

  1. Go to Settings → API Tokens
  2. Find the token to revoke
  3. Click “Revoke”
  4. Confirm the action

Revoked tokens cannot be restored; you will need to create a new one.

To rotate a token without service interruption:

  1. Generate a new token with a different name
  2. Update your configurations to use the new token
  3. Test the new token to ensure it works
  4. Revoke the old token once migration is complete

Token storage:

  • Do: Store tokens in environment variables or a secrets manager (e.g., HashiCorp Vault, AWS Secrets Manager)
  • Don’t: Commit tokens to version control
  • Don’t: Share tokens in chat messages or emails
  • Don’t: Store tokens in plain-text files

Transport:

  • Do: Always use HTTPS in production environments
  • Do: Verify TLS certificates
  • Don’t: Use HTTP for production traffic
  • Don’t: Disable certificate verification

Token lifecycle:

  • Do: Rotate tokens regularly (every 90 days recommended)
  • Do: Revoke tokens immediately if compromised
  • Do: Create separate tokens for different environments (dev, staging, prod)
  • Do: Use descriptive names to track token usage
  • Don’t: Reuse tokens across multiple applications
  • Don’t: Keep inactive tokens enabled

Monitoring:

  • Do: Review API access logs regularly
  • Do: Monitor for unusual token usage patterns
  • Do: Set up alerts for failed authentication attempts
  • Do: Track which tokens are being used actively

Error: 401 Unauthorized

Possible causes:

  • Token is invalid or has been revoked
  • Token is missing from the request
  • Wrong token format in the Authorization header

Solutions:

  1. Verify the token is correct
  2. Check the Authorization header format: Bearer YOUR_TOKEN
  3. Generate a new token if the old one was revoked
  4. Ensure there are no extra spaces or newlines in the token

Error: 403 Forbidden

Possible causes:

  • Token doesn’t have permission for the requested operation
  • Organization access is restricted
  • User role doesn’t allow the operation

Solutions:

  1. Verify your user role in the organization
  2. Check that the organization ID is correct and that your account has access to that organization
  3. If you are calling a write tool (add* or update*), confirm your role permits write operations; viewers are limited to read-only tools
  4. Contact your organization admin for access

Error: Token not appearing in API calls

Possible causes:

  • Environment variable not set correctly
  • Configuration file not loaded
  • MCP client not reading headers

Solutions:

  1. Verify the environment variable is exported without printing the secret to your terminal or shell history: test -n "$PROBO_API_TOKEN" && echo set
  2. Check configuration file syntax is valid JSON
  3. Restart your MCP client after configuration changes
  4. Check MCP client logs for configuration errors

Test your token with curl, reading it from the environment so it does not land in your shell history:

curl -sS -H "Authorization: Bearer $PROBO_API_TOKEN" \
  https://your-probo-instance.com/api/mcp/v1/health

Expected response:

{
"status": "ok"
}

Test within your MCP client:

You: "List all organizations I have access to"
AI: [Uses listOrganizations tool]

If authentication works, you’ll see your organizations. If it fails, you’ll see an error message.
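The following script is an added example (not Probo tooling) that performs the curl health check above from Python and maps the HTTP status onto the 401 and 403 causes listed in the troubleshooting section, so the output tells you whether the problem is the token itself or your role. The /health path and the {"status": "ok"} body are taken from this page; the PROBO_MCP_URL variable and the diagnosis wording are assumptions for the example.

```python
"""Probe the Probo MCP health endpoint and diagnose the HTTP status.

Added example, not part of Probo. Assumes the token is in PROBO_API_TOKEN and
that PROBO_MCP_URL holds the base URL (.../api/mcp/v1); /health and the
{"status": "ok"} response are as documented on this page.
"""
import json
import os
import sys
import urllib.error
import urllib.request

DIAGNOSIS = {
    200: "ok: token accepted",
    401: "unauthorized: token missing, revoked, or malformed Authorization header",
    403: "forbidden: token is valid but your role or organization access does not permit this",
}


def diagnose(status, body=None):
    """Return a one-line diagnosis for an HTTP status from the health endpoint."""
    if status == 200:
        # A 200 whose body is not the documented one usually means a proxy or
        # login page answered instead of Probo: the URL is wrong, not the token.
        if body is not None and body.get("status") != "ok":
            return 'unexpected: 200 but body is not {"status": "ok"}; check the URL'
        return DIAGNOSIS[200]
    return DIAGNOSIS.get(status, f"unexpected: HTTP {status}; check the URL and server logs")


def probe(base_url, token, timeout=10):
    """GET <base_url>/health with the Bearer token; returns (status, diagnosis).

    Certificate verification stays at urllib's default (enabled). A TLS failure
    is reported as such rather than worked around.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + "/health",
        headers={
            "Authorization": "Bearer " + token.strip(),
            "Accept": "application/json",
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            try:
                body = json.loads(resp.read().decode("utf-8"))
            except ValueError:
                body = {}
            return resp.status, diagnose(resp.status, body)
    except urllib.error.HTTPError as e:
        return e.code, diagnose(e.code)
    except urllib.error.URLError as e:
        return None, f"connection or TLS error: {e.reason}; fix the URL or certificate, do not disable verification"


def main():
    token = os.environ.get("PROBO_API_TOKEN", "")
    if not token.strip():
        # Checked without echoing the secret.
        print("PROBO_API_TOKEN is not set", file=sys.stderr)
        return 2
    url = os.environ.get("PROBO_MCP_URL", "https://your-probo-instance.com/api/mcp/v1")
    status, why = probe(url, token)
    print(f"HTTP {status}: {why}")
    return 0 if status == 200 else 1


if __name__ == "__main__":
    sys.exit(main())
```

A 401 here means go back to the token (regenerate or fix the header); a 403 means the token is fine and you need a role or organization change from an admin, so rotating the token will not help.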

If a token is exposed:

  1. Revoke immediately in Settings → API Tokens
  2. Generate a new token with a different name
  3. Update all configurations with the new token
  4. Review access logs for unauthorized usage
  5. Investigate how the exposure occurred