Docs · Guide

Connect an AI agent

Give Claude Code, Cursor, or any MCP client a scoped token and it can find, claim, and move tickets on your boards — with one deliberate guardrail: an agent can’t mark work shipped unless you explicitly grant it.

Before you start

You need a Tickhatch account with at least one board you own or can edit, and an agent that speaks MCP — Claude Code, Cursor, or any client that supports the streamable HTTP transport with custom headers. There’s nothing to install on the Tickhatch side.

Mint a token

  1. 1

    Open Settings → Agent access

    In Tickhatch, open Settings (from the dashboard header) and find the Agent access section.

  2. 2

    Name it and pick a scope

    Name the token after the agent that will hold it — claude-code, cursor — so the audit trail reads well. Pick an Access level: Read, Write, or Write + ship (see Scopes below — Write is the right default). Optionally pin it to one Board: a pinned token can’t see or touch anything else. Leave it on All boards to let the agent roam.

  3. 3

    Create the token and copy it

    Press Create token and copy the tkh_… value into your agent’s config.

    Heads up
    The raw token is shown once — Tickhatch stores only a SHA-256 hash, so it can’t be recovered later. If you lose it (or an agent leaks it), revoke it in Settings → Agent access and mint a new one.

Add it to your agent

Tickhatch speaks MCP over streamable HTTP at https://tickhatch.com/api/mcp, with the token in a standard Bearer header.

Claude Code

One command, run anywhere:

Terminal
claude mcp add --transport http tickhatch https://tickhatch.com/api/mcp --header "Authorization: Bearer tkh_YOUR_TOKEN"

Cursor

Add the server to your project’s MCP config:

.cursor/mcp.json
{
  "mcpServers": {
    "tickhatch": {
      "url": "https://tickhatch.com/api/mcp",
      "headers": {
        "Authorization": "Bearer tkh_YOUR_TOKEN"
      }
    }
  }
}

Any other MCP client

Anything that supports MCP’s streamable HTTP transport with custom headers works the same way: point it at https://tickhatch.com/api/mcp and send Authorization: Bearer tkh_YOUR_TOKEN on every request.

Tip
To smoke-test the connection, ask the agent to call list_projects — it returns the boards the token can reach, and nothing else.

Scopes

Every token carries one of three access levels:

Scope — each level includes the one above it

  • readlook, don’t touch: list boards, read tickets, comments, and linked PRs
  • writeeverything read can, plus claim, create, comment, and move tickets to any status except In Production
  • shipeverything write can, plus move tickets to In Production

The gap between write and ship is deliberate. An agent can plan, claim, build, and hand work over for testing — but marking something shipped stays with a merged PR or a human. Give agents Write by default and reserve Write + ship for the rare agent that genuinely deploys. A few rails hold regardless of scope: a Read token calling any write tool is told “This token is read-only.”, a token never exceeds your own role on a board (a board you can only view answers writes with “You have read-only access to KEY.”), and every call is audited and rate-limited to 60 requests per minute per token.

What agents can do

Ten tools, small on purpose — enough to run the whole New → In Progress → Testing loop without handing over the keys to everything:

Tools — the agent’s full surface

  • list_projectsList the boards this token can access.
  • board_summaryTicket counts per status column for a board (cheap orientation).
  • list_ticketsList tickets on a board (slim rows). Optional status/priority/tag filters.
  • get_ticketFull detail for one ticket: description, tags, linked PRs, comments.
  • next_ticketThe single best unclaimed ticket to work on next (priority-sorted), with full detail.
  • claim_ticketClaim a ticket: assign it to you and move it to In Progress. Fails if already claimed.
  • move_ticketMove a ticket to a status: new | in_progress | testing | in_production. (In Production needs a ship-scoped token.)
  • create_ticketCreate a ticket on a board.
  • commentAdd a progress note to a ticket.
  • release_ticketUnclaim a ticket you’re assigned (e.g. when blocked).

A loop that works

The tools are shaped for a simple, safe working rhythm:

  1. next_ticket hands back the single best unclaimed ticket, full detail included.
  2. claim_ticket assigns it and moves New → In Progress. If someone (or some agent) got there first, the claim fails cleanly — just ask for the next ticket again.
  3. Do the work.
  4. comment progress along the way, so the board tells the story.
  5. move_ticket to testing when it’s ready for eyes.

If the agent gets stuck, release_ticket puts the ticket back in the pool for someone else. And the last hop stays out of the agent’s hands: a human — or a merged pull request via GitHub auto-ship — moves it to In Production.

Troubleshooting

The agent gets a 401 (“Unauthorized”).

The token didn’t resolve: it was revoked, it’s past its expiry, it’s mistyped, or the Authorization header is missing. Every request needs “Authorization: Bearer tkh_…” — check the header made it into your client config, then mint a fresh token from Settings → Agent access if in doubt. Tokens are checked on every call, so a revoked token fails immediately.

move_ticket fails with “This token can’t move tickets to In Production — merge a PR, or use a ship-scoped token.”

Working as designed — that’s the guardrail, not a bug. A Write token can move tickets between any statuses except In Production. Either link a pull request and let the merge ship the ticket (see the GitHub guide), or — if this agent genuinely deploys — mint it a Write + ship token.

list_projects only shows one board.

The token was pinned to a board when it was minted, so that board is all it can see or touch — asking for any other board key fails with “No board "KEY" you can access.” Mint a token with Board left on All boards if the agent needs a wider view.

The agent hits “Rate limit: 60 requests/minute per token. Slow down.”

Each token gets 60 tool calls per rolling minute, and every call counts. That’s plenty for working tickets and far too little for constant polling — have the agent orient with board_summary instead of re-listing everything, and settle into one ticket at a time.

Should my agents share one token?

No — mint one per agent and name it after the agent. Revoking one then doesn’t cut off the others, the rate limit isn’t shared, and the audit trail actually tells you which agent did what.

How do I revoke a token?

Settings → Agent access → Revoke, next to the token. It takes effect on the very next request. There’s no way to view a token again after minting — Tickhatch stores only a SHA-256 hash — so if one leaks, revoke it and mint a replacement.

More guides