MCP token rotation: secure procedure with 24h overlap

Rotate the MCP bearer token without breaking active client connections. The standard procedure keeps a 24h overlap window during which both the old and the new token are accepted, so clients can be migrated one at a time; the emergency procedure skips the overlap and revokes the old token at once.

When to rotate

  • Departure of an admin who had access to the token (mandatory within 24h).
  • Token suspected leaked (laptop loss, screenshot shared, etc.) — emergency rotation, no overlap.
  • Periodic hygiene: rotate every 90 days by default.
  • Compliance audit (SOC 2, ISO 27001) requesting evidence of credential rotation.

Standard procedure with 24h overlap

  1. Open the admin UI

     Navigate to Settings → Security → MCP tokens.

  2. Generate a new token

     Click Generate new token. The new token is displayed once. Copy it immediately to your password manager.

  3. Enable 24h overlap

     Tick Keep previous token valid for 24h. Both tokens are accepted during this window.

  4. Update your clients

     Update claude_desktop_config.json, the Cursor MCP settings and the Claude Code MCP server entry with the new token. Restart each client so it reconnects with the new value.

  5. Monitor connections

     In Settings → Security → MCP tokens → Activity, verify that every client IP has authenticated with the new token. Investigate any IP still using the previous token after 12h: it is either a client you forgot to update or a copy of the token you did not know about.

  6. Revoke the old token

     After the 24h window the old token is revoked automatically. You can revoke it earlier from the UI once all clients have migrated.
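As an added example (not part of this page or the product's own tooling), a Python script covering the mechanical part of steps 4 and 5: it rewrites the bearer token inside a client config file and classifies client IPs from an activity export into those still using the previous token after the 12h grace period and those never seen with the new one. The config layout, the Authorization header, the activity export's field names and every IP and token value are constructed assumptions; check them against your client's actual config format and the Activity view.

```python
"""Added example for steps 4 and 5: rewrite the bearer token in an MCP client
config and find clients that are still authenticating with the old token."""
import json
from datetime import datetime, timedelta, timezone

# Placeholder token values, constructed for this example.
OLD_TOKEN = "mcp_old_0123456789abcdef"
NEW_TOKEN = "mcp_new_fedcba9876543210"

# Constructed client config in the remote-server shape Claude Code / Cursor use;
# carrying the token in an Authorization header is an assumption, not a spec.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "internal-docs": {
            "type": "http",
            "url": "https://mcp.example.internal/mcp",
            "headers": {"Authorization": f"Bearer {OLD_TOKEN}"},
        },
        "local-tool": {"command": "npx", "args": ["-y", "some-local-server"]},
    }
})


def rotate_token(config_text: str, old: str, new: str) -> tuple[str, int]:
    """Replace every occurrence of `old` in a JSON config with `new`, wherever it
    sits (header, env var, CLI argument). Also returns the replacement count so a
    config that never contained the token is noticed instead of silently kept."""
    count = 0

    def walk(node):
        nonlocal count
        if isinstance(node, dict):
            return {k: walk(v) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v) for v in node]
        if isinstance(node, str) and old in node:
            count += node.count(old)
            return node.replace(old, new)
        return node

    return json.dumps(walk(json.loads(config_text)), indent=2), count


# Constructed activity export, one JSON object per line. The field names are an
# assumption; the Activity view in the admin UI is the source of truth.
ROTATED_AT = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
ACTIVITY_LOG = """\
{"ts": "2024-05-01T09:05:00Z", "ip": "10.0.0.11", "token": "previous"}
{"ts": "2024-05-01T10:30:00Z", "ip": "10.0.0.11", "token": "current"}
{"ts": "2024-05-01T11:00:00Z", "ip": "10.0.0.12", "token": "previous"}
{"ts": "2024-05-01T23:00:00Z", "ip": "10.0.0.12", "token": "previous"}
{"ts": "2024-05-01T12:00:00Z", "ip": "10.0.0.13", "token": "current"}
"""


def migration_report(log_text: str, rotated_at: datetime,
                     grace: timedelta = timedelta(hours=12)) -> dict[str, list[str]]:
    """Classify client IPs seen since rotation. "late" IPs authenticated with the
    previous token after the grace period and need investigation; "pending" IPs
    have not been seen with the new token at all (idle client, or forgotten)."""
    seen_new: set[str] = set()
    late: set[str] = set()
    all_ips: set[str] = set()
    cutoff = rotated_at + grace
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        ts = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        if ts < rotated_at:
            continue  # pre-rotation traffic tells us nothing about migration
        all_ips.add(e["ip"])
        if e["token"] == "current":
            seen_new.add(e["ip"])
        elif ts >= cutoff:
            late.add(e["ip"])
    return {"late": sorted(late), "pending": sorted(all_ips - seen_new)}


def run_sample() -> dict:
    """Run both helpers on the constructed inputs."""
    new_config, replaced = rotate_token(SAMPLE_CONFIG, OLD_TOKEN, NEW_TOKEN)
    return {"replaced": replaced, "old_token_left": OLD_TOKEN in new_config,
            **migration_report(ACTIVITY_LOG, ROTATED_AT)}


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

On the constructed data the report flags 10.0.0.12 both as late (a previous-token authentication at 23:00, past the 21:00 cutoff) and as pending (never seen with the new token); 10.0.0.11 migrated at 10:30 and 10.0.0.13 only ever used the new token. A replacement count of 0 from rotate_token means the file you edited did not carry the token at all, which is worth knowing before you restart the client.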

Emergency rotation (no overlap)

When a token leak is suspected, accept that active client sessions will break and revoke immediately:

  1. Generate a new token (step 2 above).
  2. Untick Keep previous token valid for 24h.
  3. Click Revoke previous token immediately.
  4. Propagate the new token to your clients (Claude Desktop, Cursor, Claude Code).
  5. Audit the MCP access log for the past 30 days to identify any suspicious use, for example authentications from IPs that are not your known clients.
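As an added example (not the page's or the product's own code), a Python script for step 5 of the emergency procedure: it scans a 30-day access-log export and summarises every call made from an IP that is not one of your known clients, with first/last seen, call count and the tools invoked. The log's line format and field names, the known-client IP set and all log entries are constructed assumptions; adapt the parsing to whatever export the Activity view actually gives you.

```python
"""Added example for the emergency audit: scan a 30-day MCP access log export
for use from IPs that are not your known clients."""
import json
from datetime import datetime, timedelta, timezone

# Constructed: the IPs your own clients (Claude Desktop, Cursor, Claude Code)
# connect from. In practice take this from the Activity view before the incident.
KNOWN_CLIENT_IPS = {"10.0.0.11", "10.0.0.12", "10.0.0.13"}

# Constructed access-log export, one JSON object per line; field names assumed.
ACCESS_LOG = """\
{"ts": "2024-03-01T09:00:00Z", "ip": "198.51.100.9", "tool": "read_file"}
{"ts": "2024-04-03T08:10:00Z", "ip": "10.0.0.11", "tool": "search_docs"}
{"ts": "2024-04-20T02:15:00Z", "ip": "203.0.113.7", "tool": "list_files"}
{"ts": "2024-04-20T02:16:00Z", "ip": "203.0.113.7", "tool": "read_file"}
{"ts": "2024-04-28T09:00:00Z", "ip": "10.0.0.12", "tool": "search_docs"}
"""


def audit_access_log(log_text: str, known_ips: set[str], now: datetime,
                     days: int = 30) -> dict[str, dict]:
    """Return, per unknown IP seen within the window, first/last timestamp, call
    count and the tools invoked. Entries older than `days` are skipped."""
    cutoff = now - timedelta(days=days)
    findings: dict[str, dict] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        ts = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        if ts < cutoff or e["ip"] in known_ips:
            continue
        f = findings.setdefault(
            e["ip"], {"first": ts, "last": ts, "count": 0, "tools": set()})
        f["first"] = min(f["first"], ts)
        f["last"] = max(f["last"], ts)
        f["count"] += 1
        f["tools"].add(e["tool"])
    return {ip: {"first": f["first"].isoformat(), "last": f["last"].isoformat(),
                 "count": f["count"], "tools": sorted(f["tools"])}
            for ip, f in sorted(findings.items())}


def run_sample() -> dict[str, dict]:
    """Audit the constructed log as of a fixed reference date."""
    return audit_access_log(ACCESS_LOG, KNOWN_CLIENT_IPS,
                            now=datetime(2024, 5, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

On the constructed log only 203.0.113.7 is reported (two calls at 02:15 and 02:16 UTC on 20 April, invoking list_files and read_file); the 1 March entry from 198.51.100.9 falls outside the 30-day window and is ignored. Unknown IPs are the first thing to chase, but a leaked token can also be used from a known network, so compare the tools and hours for your known IPs against their usual pattern as well.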