{"componentChunkName":"component---src-templates-simple-markdown-js","path":"/docs/mcp/best-practices/","matchPath":"","result":{"data":{"markdownRemark":{"html":"<h1 style=\"position:relative;\"><a href=\"#best-practices\" aria-label=\"best practices permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a><div class=\"hidden-anchor\" id=\"best-practices\"></div>Best Practices</h1>\n<h2 style=\"position:relative;\"><a href=\"#use-a-dedicated-integration-user\" aria-label=\"use a dedicated integration user permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a><div class=\"hidden-anchor\" id=\"use-a-dedicated-integration-user\"></div>Use a Dedicated Integration User</h2>\n<p>For any non-personal or production use of the Shipwell MCP Server, create a dedicated integration user in the Shipwell platform rather than using a personal user's API token. This gives you explicit control over what the AI can and cannot do, independent of any individual's account.</p>\n<h3 style=\"position:relative;\"><a href=\"#steps\" aria-label=\"steps permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a><div class=\"hidden-anchor\" id=\"steps\"></div>Steps</h3>\n<p><strong>1. Create an integration user in Shipwell</strong></p>\n<p>In the Shipwell app, go to <strong>Settings → Users</strong> and create a new user account specifically for this integration. Use a name that makes the purpose clear, e.g. <code class=\"language-text\">mcp-integration</code> or <code class=\"language-text\">ai-agent</code>.</p>\n<p><strong>2. Set permissions on that user</strong></p>\n<p>Assign the user only the Shipwell platform permissions it needs. The MCP server can only do what the underlying user is permitted to do in the Shipwell app — if the integration user cannot edit shipments, the AI cannot edit them through MCP either.</p>\n<p>Start with read-only permissions and only expand them once you are confident in the agent's behavior. See <a href=\"/docs/mcp/safety/\">Safety &#x26; Write Access</a> for more on dry-run mode and the write access tier.</p>\n<p><strong>3. Generate an API token for the integration user</strong></p>\n<p>Log in as the integration user and go to <strong>Settings → API Management</strong> to generate a token.</p>\n<p><strong>4. Use that token in your MCP config</strong></p>\n<p>Supply the integration user's token in the <code class=\"language-text\">Authorization</code> header of your MCP server config — not your personal token. See the <a href=\"/docs/mcp/quickstart/\">Quickstart</a> for the config format for each AI client.</p>\n<h3 style=\"position:relative;\"><a href=\"#why-this-matters\" aria-label=\"why this matters permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a><div class=\"hidden-anchor\" id=\"why-this-matters\"></div>Why This Matters</h3>\n<ul>\n<li>\n<strong>Least privilege</strong>\n — the AI only has the permissions you have explicitly granted, not the full permissions of whoever set it up\n</li>\n<li>\n<strong>Auditability</strong>\n — API calls and actions in Shipwell logs are attributed to the integration user, making it easy to review what the AI did\n</li>\n<li>\n<strong>Safe rotation</strong>\n — you can revoke or rotate the integration token without affecting any individual's access\n</li>\n<li>\n<strong>Shared team use</strong>\n — multiple team members or AI clients can share the integration token without tying access to one person's account\n</li>\n</ul>","headings":[{"value":"Best Practices","depth":1},{"value":"Use a Dedicated Integration User","depth":2},{"value":"Steps","depth":3},{"value":"Why This Matters","depth":3}]},"contentItem":{"data":{"lastModified":"2026-05-14T19:02:55.000Z","enableToc":null,"disableLastModified":null,"tocMaxDepth":null,"requestLogin":false}},"siteConfig":{"enableToc":true,"disableLastModified":false,"tocMaxDepth":4}},"pageContext":{"matchPath":"","id":"246c0038-049b-5698-b168-4efd926e6c89__redocly content/docs/mcp/best-practices/","seo":{"title":"Best Practices","description":null,"image":"","keywords":null,"jsonLd":null,"lang":null,"siteUrl":null},"pageId":"docs/mcp/best-practices.md","pageBaseUrl":"/docs/mcp/best-practices","type":"markdown","toc":{"enable":true,"maxDepth":4,"headings":[{"depth":1,"value":"Best Practices","id":"best-practices"},{"depth":2,"value":"Use a Dedicated Integration User","id":"use-a-dedicated-integration-user"},{"depth":3,"value":"Steps","id":"steps"},{"depth":3,"value":"Why This Matters","id":"why-this-matters"}]},"data":{"title":""},"catalogInfo":null,"link":"/docs/mcp/best-practices/","sidebarName":"developerPortal","isLanding":false,"showPrevButton":null,"showNextButton":null,"apiVersions":null,"apiVersionId":null,"isDefaultApiVersion":null}},"staticQueryHashes":["1123603147","1302185487","1344209882","1398840060","1520077861","1975142765","2667623876","2950305614","3240152602","3743992808","561138138"]}