Remote MCP clients

Clients that can run the interactive flow should prefer one-click OAuth. For CLI tools, self-hosted agents, and other clients that can't, connect manually with a plg_live_ bearer token. Either way the endpoint is the same: https://mcp.penlog.app, JSON-RPC 2.0 over Streamable HTTP.

1. Mint a token

In the Penlog app, go to Settings → API tokens and create a token. This requires Pro. Pick the narrowest scope preset that covers what your client needs:

PresetGrants
Read List, fetch, and search pages and tasks.
Read + Seed Read access plus seed new tasks onto pages.
Full Read, seed, and update task status (pushes to Notion).

The token is shown once and starts with plg_live_. Copy it then — you can't retrieve it again, only revoke and re-mint.

2. Configure your client

Point your client at the endpoint with the token as a bearer credential. The exact config keys vary by client; a common mcp.json shape:

{
  "mcpServers": {
    "penlog": {
      "url": "https://mcp.penlog.app",
      "headers": {
        "Authorization": "Bearer plg_live_xxxxxxxxxxxxxxxx"
      }
    }
  }
}

Some clients want an explicit transport hint (e.g. "transport": "http") or take the URL and header via CLI flags instead of a file. Consult your client's MCP docs for the precise shape — the two things Penlog needs are the URL and the Authorization: Bearer header.

3. Verify the connection

List the available tools to confirm the token is accepted:

// JSON-RPC over Streamable HTTP (POST)
curl -s https://mcp.penlog.app \
  -H "Authorization: Bearer plg_live_xxxxxxxxxxxxxxxx" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'

A successful response lists the six tools. A 401 means the token is missing/invalid; a 402 means the account isn't Pro; a 403 means the token's scope is too narrow for the tool you called. See the error table.

Scope & revocation

A token can do exactly what its scope preset grants and nothing more — start with Read and widen only if the client needs to write. Revoke a token any time from the same Settings → API tokens screen; revocation is immediate.