# Authenticating with a personal access token

> Personal access tokens (PATs) are user-scoped tokens with a configurable lifetime (up to one year). They are useful when you need a longer-lived token than [interactive login](https://docs.uipath.com/orchestrator/automation-cloud/latest/user-guide/authenticating-with-interactive-login) provides, or when you cannot run `uipath auth` interactively but still need to authenticate as a user.

Personal access tokens (PATs) are user-scoped tokens with a configurable lifetime (up to one year). They are useful when you need a longer-lived token than [interactive login](https://docs.uipath.com/orchestrator/automation-cloud/latest/user-guide/authenticating-with-interactive-login) provides, or when you cannot run `uipath auth` interactively but still need to authenticate as a user.

When you create a PAT, you must select permissions from the **Orchestrator API Access** resource that cover the MCP operations you need.

## Prerequisites

* You have the **Automation User**, **Automation Developer**, or **Folder Administrator** role in the folder containing the MCP Server. These roles include the `MCPServers.View` permission.

## Generate a personal access token

1. Go to UiPath, select your user icon, then select **Preferences**.
2. Navigate to **Personal access token** and select **Generate new token**.
3. Enter a name and an expiration date.
4. Under **Scopes**, select the following permissions from the **Orchestrator API Access** resource:

   * `OR.Execution`: required for listing tools. MCP Servers calls the Orchestrator `ListReleases` API to resolve process metadata, and that endpoint requires this scope.
   * `OR.Jobs`: required for executing tools. All MCP Server types that run processes as tools (UiPath, Coded, and Command) call the Orchestrator `StartJobs` API, which requires this scope.

5. Select **Save** and copy the token immediately.

   :::important
   The token is shown only once. If you do not copy it now, you must generate a new token.
   :::

## Result

The token is now available for use in the `Authorization` header of HTTP requests to the MCP Server.

## Use the personal access token

To call an MCP Server with the token:

```shell
curl -X POST "https://cloud.uipath.com/{org}/{tenant}/agenthub_/mcp/{folderKey}/{slug}" \
  -H "Authorization: Bearer <your-PAT>" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"initialize","params":{...},"id":1}'
```

## Token characteristics

* Opaque token with audience `UiPath.Orchestrator`.
* Configurable expiration (up to one year).
* Access is the intersection of the PAT scopes and the user's folder-level role permissions.
* Works with any HTTP client (cURL, Postman, MCP Inspector, custom code).

## Limitations

* PATs are tied to a specific user identity. If the user is deactivated, the PAT stops working.
* PATs can only be created by users who have interactive access to UiPath.
* Integration Service activities do not support PAT authentication. The MCP connection succeeds, but tool calls that rely on Integration Service connections fail.