Understand how StaticX API tokens keep agent, CI, and automation access narrow, revocable, and easy to audit.
Why API tokens
StaticX uses scoped API tokens for MCP. They work consistently in local agents, CI jobs, unattended automation, and temporary delivery workflows.
One site: Best default for an agent that builds, deploys, and inspects one site.
Workspace: Use when an agent must manage several related sites for one team or client.
Account: Reserve for trusted internal automation that genuinely needs cross-workspace access.
Lifecycle
| Field | Guidance |
|---|---|
| Token name | Use a purpose, such as Cursor deploy for Olive Orbit, so future you knows why it exists. |
| Restriction | Choose site, workspace, or account before choosing permissions. |
| Expiry | Use the shortest practical expiry. Rotate long-running automation deliberately. |
| Secret handling | The value is shown once. Never log it, commit it, or paste it into screenshots. |
| Last used | Review last-used time before revoking stale or unexpected credentials. |
| Revocation | Revocation is immediate and does not affect deployments already published. |
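
The lifecycle fields above can drive a periodic token review. The following is an added example, not StaticX code: the record schema, the thresholds, and the sample inventory are assumptions constructed for illustration, since this page does not show how StaticX exports token metadata.

```python
from datetime import datetime, timedelta, timezone

# Assumed review policy; these thresholds are not StaticX defaults.
MAX_LIFETIME = timedelta(days=90)
STALE_AFTER = timedelta(days=30)
GENERIC_NAMES = {"token", "test", "default", "new token", "api token"}

def audit_token(tok, now):
    """Return review findings for one token record (hypothetical schema)."""
    if tok.get("revoked"):
        return []  # revoked tokens need no further review
    findings = []
    if tok["name"].strip().lower() in GENERIC_NAMES:
        findings.append("name does not state a purpose")
    if tok["restriction"] == "account":
        findings.append("account-wide: confirm cross-workspace need")
    expires = tok.get("expires_at")
    if expires is None:
        findings.append("no expiry set")
    elif expires - tok["created_at"] > MAX_LIFETIME:
        findings.append("lifetime exceeds policy")
    last_used = tok.get("last_used_at")
    if last_used is None and now - tok["created_at"] > STALE_AFTER:
        findings.append("never used")
    elif last_used is not None and now - last_used > STALE_AFTER:
        findings.append("stale: check last use before revoking")
    return findings

def audit(tokens, now):
    """Map token name -> findings, omitting tokens with nothing to review."""
    results = {t["name"]: audit_token(t, now) for t in tokens}
    return {name: f for name, f in results.items() if f}

def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample inventory; only the first name comes from the page.
NOW = _utc(2025, 6, 1)
SAMPLE_TOKENS = [
    {"name": "Cursor deploy for Olive Orbit", "restriction": "site", "created_at": _utc(2025, 5, 20),
     "expires_at": _utc(2025, 6, 19), "last_used_at": _utc(2025, 5, 31)},
    {"name": "test", "restriction": "workspace", "created_at": _utc(2025, 1, 10),
     "expires_at": None, "last_used_at": None},
    {"name": "Nightly cross-workspace report", "restriction": "account", "created_at": _utc(2025, 1, 1),
     "expires_at": _utc(2026, 1, 1), "last_used_at": _utc(2025, 3, 1)},
    {"name": "token", "restriction": "account", "created_at": _utc(2024, 1, 1),
     "expires_at": None, "last_used_at": None, "revoked": True},
]
```

The site-scoped, short-lived token passes cleanly, the revoked record is skipped, and the other two are flagged for a human to check against last-used time before revoking.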
Agent safety