RBAC (AI Agent)
Your MCP server acts as a specific member encoded in TRANSCODES_TOKEN. That member’s role determines which MCP tools the agent can call and which require step-up auth.
Token = member identity
| Token field (conceptual) | Effect on agent |
|---|---|
| Organization / project | Scope of MCP data and mutations |
| Member ID | Who the agent impersonates in audit logs |
| Role permissions | Which tools are allowed vs denied |
Treat TRANSCODES_TOKEN like a password. Anyone with the token can act as that member through MCP until it is rotated.
Issuing tokens for agents
- Setup Wizard — tokens for newly registered members (Overview)
- RBAC panel — Get API Token on a member row
Use a dedicated member/role for automation (e.g. ai-operator) with the minimum permissions needed.
Resources and actions
RBAC resource keys (e.g. members:delete) align with SDK openAuthIdpModal({ resource, action }) and MCP tool policies. Define resources in the Console before agents reference them.
Full Console RBAC guide: Admin → RBAC.
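The allow, deny and step-up outcomes described on this page can be modelled as a default-deny check over resource keys, together with a least-privilege review of the automation role. This is an added example, not Transcodes code: the policy shape, tool names, role contents and the placement of the `verified` flag are assumptions, and only `members:delete` and `ai-operator` come from the page.

```javascript
// Illustrative model only: policy shape, tool names and role contents are
// assumptions, not the Transcodes API or its data format.

// Resources already defined in the Console (constructed sample).
const DEFINED_RESOURCES = new Set(["members", "roles"]);

// Hypothetical MCP tool policies. `verified: true` marks a call that needs step-up.
const TOOL_POLICIES = new Map([
  ["list_roles",    { resource: "roles",   action: "read",   verified: false }],
  ["list_members",  { resource: "members", action: "read",   verified: false }],
  ["create_member", { resource: "members", action: "create", verified: true }],
  ["delete_member", { resource: "members", action: "delete", verified: true }],
  ["export_backup", { resource: "backups", action: "read",   verified: false }],
]);

// Constructed roles; "ai-operator" is the dedicated automation role.
const ROLES = new Map([
  ["ai-operator", new Set(["roles:read", "members:read", "members:create"])],
  ["admin", new Set(["roles:read", "members:read", "members:create", "members:delete"])],
]);

// Outcome when a member holding `roleName` calls `toolName`.
// Default deny: unknown tool or role, undefined resource, or missing key.
function decide(roleName, toolName, steppedUp = false) {
  const policy = TOOL_POLICIES.get(toolName);
  const perms = ROLES.get(roleName);
  if (!policy || !perms) return "deny";
  if (!DEFINED_RESOURCES.has(policy.resource)) return "deny";
  if (!perms.has(`${policy.resource}:${policy.action}`)) return "deny";
  return policy.verified && !steppedUp ? "step-up" : "allow";
}

// Least-privilege review: keys the role holds that none of the tools the
// agent actually needs would exercise.
function excessPermissions(roleName, neededTools) {
  const needed = new Set();
  for (const tool of neededTools) {
    const p = TOOL_POLICIES.get(tool);
    if (p) needed.add(`${p.resource}:${p.action}`);
  }
  return [...(ROLES.get(roleName) ?? [])].filter((k) => !needed.has(k)).sort();
}

console.log(decide("ai-operator", "create_member"));
console.log(excessPermissions("admin", ["list_roles", "list_members"]));
```

Running `excessPermissions` against the tools an agent really uses shows which keys can be dropped from its role before a token is issued.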
Agent prompts
List all roles and their permissions.
Which members have the admin role?
Create a new member with role viewer — use step-up if required.
The agent reads RBAC state via MCP; mutations go through step-up when marked verified.