Table of Contents
- How Sign-In Works
- Tenant Selection
- Permission Model
- Access Categories
- When to Reconnect
- Security Tips
How Sign-In Works
When you connect the MCP server, your AI client opens a Brightidea sign-in flow. Brightidea handles your login and issues OAuth tokens that allow the MCP server to make Brightidea API requests on your behalf.
Note: The MCP server does not ask for or store your Brightidea password.
Tenant Selection
Some Brightidea users belong to more than one tenant. If Brightidea returns multiple available tenants, the sign-in flow will ask you to choose which tenant to use for this MCP connection. Each MCP session is bound to the selected tenant — this prevents requests intended for one tenant from being applied to another.
Permission Model
The MCP server follows your existing Brightidea permissions exactly:
- If you can view a campaign in Brightidea, MCP read tools can generally use that access.
- If you cannot view a campaign, MCP will not expose that campaign's data.
- Write, admin, delete, and bulk actions require the same Brightidea role access that would be required in the Brightidea application.
- Reconnecting the MCP server does not grant additional Brightidea roles.
Access Categories
The MCP server supports these access categories:
| Category | What It Allows |
|---|---|
| Read | Search, summarize, inspect, and report on accessible Brightidea data. |
| Write | Create or update supported Brightidea records. |
| Admin | Perform supported administrative workflows when your role allows it. |
| Delete | Delete supported records when your role allows it. |
| Bulk | Perform supported actions across multiple ideas or records. |
Your AI client may show some or all of these categories during connection or tool approval.
When to Reconnect
Reconnect the MCP server when:
- Your client says the Brightidea connection has expired.
- You changed your Brightidea password or account settings.
- Your Brightidea tenant access changed and the client still shows old access.
- A local development server was restarted while using in-memory OAuth state.
Note: Do not reconnect repeatedly to fix a permission error. A 403 Forbidden error means your Brightidea account does not have the required role for that action — reconnecting won't change that.
Security Tips
- Sign in only through the Brightidea-hosted OAuth page.
- Do not paste passwords, MFA codes, API keys, or client secrets into chat.
- Review write and bulk action previews before approving changes.
- Disconnect the MCP server from your AI client if you no longer need access.