For Coda Enterprise only: Manage how org members connect to the Coda MCP, including disabling MCP connections entirely.
As an Enterprise org admin, you have control over how members of your organization can connect to the Coda MCP. The AI and MCP controls section of your admin settings lets you manage access to different authentication methods - so you can align MCP connectivity with your organization's security policies.
MCP: Personal access tokens
A personal access token (PAT) is an authentication method that allows members to connect to the Coda MCP via internal apps, scripts, or custom integrations. Unlike OAuth, PATs are long-lived credentials that members generate and manage themselves.
Because PATs offer persistent access without requiring re-authentication, they are best suited for technical users building internal tooling. If most members in your org connect to the MCP through standard AI tools like Claude or Cursor, OAuth is likely the more appropriate method for them - and you therefore may want to restrict PAT access accordingly.
Update your PAT access setting
If you're an org admin on an Enterprise plan, follow these steps:
- Go to coda.io/docs
- In the left panel, click on the three-dot menu next to your workspace name, then select Admin settings
- Search for - or scroll to - MCP (within the Security section), then select the MCP controls page
- Under Personal access token, select your preferred access level (see Access options below)
- Click Confirm to confirm the change
Changes take effect immediately. If you choose to restrict access, any existing tokens will be blocked from using the MCP. This means that any users who have already connected to the MCP using PATs will have their MCP requests fail. We therefore suggest notifying your org members of this change.
Note that restricting access in this way blocks existing tokens rather than revoking them entirely. Therefore, if you later lift the restrictions, those existing MCP connections will be automatically restored. If you instead wish to permanently revoke the MCP tokens, you can do so via the Admin API.
Access options
Org admins can choose from three settings for MCP personal access token access:
- Allow for all members: Any member of your org can generate and use a personal access token to connect to the MCP.
- Allow for selected members: Only specific members you designate can use PAT-based authentication. If you choose this option, you will be directed to a new PAT member management page, where you can add and remove members as needed.
- Allow for no members: PAT-based authentication is disabled for all members in your org.
FAQs
What's the difference between PAT and OAuth for MCP access?
Personal access tokens are manually generated credentials, best suited for members connecting to the MCP through scripts, internal tools, or custom integrations. OAuth is the recommended method for most members, as it uses a standard login flow and doesn't require managing long-lived credentials. You can configure each authentication method independently in your admin settings.
If I restrict PAT access, will members currently using a PAT lose access immediately?
Yes - if you restict PAT access, any members who have already connected to the Coda MCP using tokens will automatically lose access.
If I later choose to restore access to PATs, will previously-created tokens begin to work again?
Changing the access rules for PATs simply blocks any existing tokens. Therefore, unless you explicitly revoked the tokens using Coda's Admin API, these existing tokens will be unblocked when you restore access.
Can I allow PAT access for only certain members of my org?
Yes. Selecting Allow for selected members lets you restrict PAT access to a specific subset of your org. You will then manage who does and doesn't have access via the PAT member management tab of your admin settings.
Does this setting affect OAuth access?
No. The PAT controls only affect connecting to the MCP via personal access tokens.