What you're seeing
An external tool connected to Ceum through MCP — Claude Desktop, Cursor, or a custom client — can't authenticate. Calls that used to work start failing with permission errors.
Why it happens
The most common reasons:
- The token was revoked. Someone (possibly you, earlier) revoked the token in Integrations. Revoked tokens can't be used again — you'll need to create a new one.
- The token was never copied. When you create a token, its full value is shown only once. If you closed that dialog without copying it, the value is gone for good and can't be recovered.
- The external tool is using an old token. You created a new token in Ceum but the external tool is still configured with the previous one.
- The account was deleted. If the person who created the token deleted their account, all of their tokens went with it. Tokens belong to a single account.
- The external tool is misconfigured. It points at the wrong address or is set up the wrong way for your connection.
- The tool isn't permitted, or the record is out of scope. A token only has the tools you granted it, and a scoped token is limited to specific clients and/or projects. A call to a tool you didn't grant, or to a record outside the token's scope, is refused even though the token itself is valid — see Integrations and MCP to widen its permissions or scope.
- A scoped token sees nothing at all. Scope requires a record to match both the client and project rules. If you restricted clients to one set and projects to another that don't overlap, no record satisfies both, so everything reads as empty or "out of scope". Set one dimension back to "All", or make the two allowlists overlap.
How to fix it
- Open Integrations and find the token in the list. If it's missing or marked as revoked, it's no longer valid — create a new one.
- Copy the new token from the dialog before closing it. The value can't be retrieved later.
- Update your external tool's configuration with the new token and restart the tool.
- Check the token's last-used time on the Integrations page. After your external tool makes a call, that time should update — if it doesn't, the call isn't reaching Ceum.
- Cross-check Sessions and MCP events for any successful calls in the last hour, and compare it against your tool's own error log to find where the connection breaks down.
Tips and edge cases
- Token names stick around after revocation. Older MCP events log entries still show a revoked token's name; that's expected and doesn't mean the token still works.
- Rotate proactively if you suspect a leak. Create the new token first, switch your tool over, confirm a change goes through, then revoke the old token. That avoids a gap where neither token works.
- Read-only calls aren't logged. A token can be working fine for reads even if the MCP events log shows nothing — so an empty log doesn't mean it's broken.
- The in-app CLI is separate. The CLI command palette inside Ceum uses your own sign-in, not an MCP token, so it never fails for "token revoked" reasons.
On mobile
Not available on the mobile app — manage from the web app.