Authentication

Bearer token setup, permission levels, and token management for Pharos.


Bearer Tokens

Pharos uses bearer token authentication. Every request must include an Authorization header:

curl -s -X POST .../mcp/tools/schema_search \
  -H "Authorization: Bearer $PHAROS_TOKEN" \
  -d '{"query": "customer"}'

Tokens are issued by your Pharos administrator and stored as environment variables. Never hardcode tokens in scripts or commit them to version control.

Permission Levels

Each token is assigned a permission level:

| Level | Read | Write | Schema | Admin |
|-------|------|-------|--------|-------|
| read-only | Yes | No | Yes | No |
| read-write | Yes | Yes | Yes | No |
| admin | Yes | Yes | Yes | Yes |

  • read-only: Can query all data and explore schemas. Cannot modify any data. Recommended for dashboards, reporting, and exploration.
  • read-write: Can query and write data (labour posting, inventory adjustments, etc.). All writes go through a confirmation gate. Recommended for operations staff.
  • admin: Full access including token management and configuration. Restricted to IT administrators.

Environment Setup

Set your token as an environment variable:

# Linux/macOS
export PHAROS_TOKEN="your-token-here"

# Or add to your shell profile
echo 'export PHAROS_TOKEN="your-token-here"' >> ~/.bashrc

For Claude Desktop, add the token to your MCP configuration:

{
  "mcpServers": {
    "pharos": {
      "env": {
        "PHAROS_TOKEN": "your-token-here"
      }
    }
  }
}

Token Rotation

Tokens should be rotated periodically. The recommended schedule:

  • read-only tokens: Every 90 days
  • read-write tokens: Every 30 days
  • admin tokens: Every 14 days

To rotate a token, generate a new one via the admin API, update your environment variables, and revoke the old token. Active sessions using the old token will be terminated.

Security Best Practices

  • Use read-only tokens wherever possible
  • Grant read-write access only to users who need to post transactions
  • Never share tokens between users; issue one per person/service
  • Monitor token usage through the admin audit log
  • Revoke tokens immediately when team members leave or roles change
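An added example, not part of the Pharos documentation or its code, that encodes the permission matrix and rotation schedule above so a token inventory can be checked for least privilege and overdue rotation; the token owners and issue dates in the sample inventory are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Permission matrix as documented for Pharos token levels.
PERMISSIONS = {
    "read-only": frozenset({"read", "schema"}),
    "read-write": frozenset({"read", "write", "schema"}),
    "admin": frozenset({"read", "write", "schema", "admin"}),
}
# Levels ordered from least to most privileged.
LEVEL_ORDER = ["read-only", "read-write", "admin"]
# Recommended rotation interval in days, per level.
ROTATION_DAYS = {"read-only": 90, "read-write": 30, "admin": 14}

@dataclass(frozen=True)
class TokenRecord:
    owner: str   # person or service the token was issued to (one per owner)
    level: str
    issued: date

def is_allowed(level: str, capability: str) -> bool:
    """True if a token at `level` may perform `capability`."""
    if level not in PERMISSIONS:
        raise ValueError(f"unknown permission level: {level}")
    return capability in PERMISSIONS[level]

def minimal_level(required: set) -> str:
    """Least-privileged level that covers every required capability."""
    for level in LEVEL_ORDER:
        if required <= PERMISSIONS[level]:
            return level
    raise ValueError(f"no level grants {sorted(required)}")

def rotation_due(token: TokenRecord) -> date:
    """Date on which the token reaches its recommended rotation age."""
    return token.issued + timedelta(days=ROTATION_DAYS[token.level])

def overdue_tokens(tokens, today_iso: str):
    """Owners of tokens at or past their rotation date on `today_iso`."""
    today = date.fromisoformat(today_iso)
    return sorted(t.owner for t in tokens if rotation_due(t) <= today)

# Constructed sample inventory; owners and dates are hypothetical.
SAMPLE_TOKENS = [
    TokenRecord("dashboard-svc", "read-only", date(2024, 1, 1)),
    TokenRecord("ops-alice", "read-write", date(2024, 3, 1)),
    TokenRecord("it-bob", "admin", date(2024, 3, 20)),
]
```

Feeding the real token inventory from the admin audit log into `overdue_tokens` turns the rotation schedule into a routine check rather than a reminder.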
