Remote MCP clients
Clients that can run the interactive flow should prefer
one-click OAuth. For CLI tools, self-hosted
agents, and other clients that can't, connect manually with a
plg_live_ bearer token. Either way the endpoint is the same:
https://mcp.penlog.app, JSON-RPC 2.0 over Streamable HTTP.
1. Mint a token
In the Penlog app, go to Settings → API tokens and create a token. This requires Pro. Pick the narrowest scope preset that covers what your client needs:
| Preset | Grants |
|---|---|
| Read | List, fetch, and search pages and tasks. |
| Read + Seed | Read access plus seed new tasks onto pages. |
| Full | Read, seed, and update task status (pushes to Notion). |
The token is shown once and starts with
plg_live_. Copy it then — you can't retrieve it again, only
revoke and re-mint.
2. Configure your client
Point your client at the endpoint with the token as a bearer credential. The
exact config keys vary by client; a common mcp.json shape:
{
"mcpServers": {
"penlog": {
"url": "https://mcp.penlog.app",
"headers": {
"Authorization": "Bearer plg_live_xxxxxxxxxxxxxxxx"
}
}
}
}
Some clients want an explicit transport hint (e.g.
"transport": "http") or take the URL and header via CLI flags
instead of a file. Consult your client's MCP docs for the precise shape — the
two things Penlog needs are the URL and the Authorization: Bearer
header.
3. Verify the connection
List the available tools to confirm the token is accepted:
// JSON-RPC over Streamable HTTP (POST)
curl -s https://mcp.penlog.app \
-H "Authorization: Bearer plg_live_xxxxxxxxxxxxxxxx" \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'
A successful response lists the six tools. A 401 means the token
is missing/invalid; a 402 means the account isn't Pro; a
403 means the token's scope is too narrow for the tool you
called. See the error table.
Scope & revocation
A token can do exactly what its scope preset grants and nothing more — start with Read and widen only if the client needs to write. Revoke a token any time from the same Settings → API tokens screen; revocation is immediate.