Permissions
MCP request auth
Every public MCP request requires a valid bearer token. The auth middleware verifies:
- Token format is a Sketch PAT or Sketch OAuth access token.
- Token hash exists in api_tokens.
- Token is not revoked.
- Token is not expired.
- Token kind matches the token prefix.
- The user still exists.
Requests are rate limited by token at 60 requests per minute.
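The check sequence above, written out as an added example that is not Sketch's own middleware code. It assumes the token prefixes ("skp_" for PATs, "sko_" for OAuth access tokens), the api_tokens column names and SHA-256 as the stored hash; all sample rows are constructed for the example.

```python
import hashlib
# Assumed prefixes (not stated on the page): "skp_" for PATs, "sko_" for OAuth access tokens.
PREFIX_TO_KIND = {"skp_": "pat", "sko_": "oauth"}
RATE_LIMIT = 60  # requests per minute per token, as stated on the page

def token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

class Store:
    """Stand-in for the api_tokens table, the users table and a per-token rate-limit window."""
    def __init__(self, rows, users):
        self.api_tokens = {r["token_hash"]: r for r in rows}  # only hashes are stored
        self.users = set(users)
        self.hits = {}  # token_hash -> timestamps of recent accepted requests

def check_request(store: Store, bearer: str, now: float):
    """Run the middleware checks in the page's order; return (allowed, reason)."""
    kind = next((k for p, k in PREFIX_TO_KIND.items() if bearer.startswith(p)), None)
    if kind is None:
        return False, "bad_format"
    row = store.api_tokens.get(token_hash(bearer))
    if row is None:
        return False, "unknown_token"
    if row["revoked"]:
        return False, "revoked"
    if row["expires_at"] is not None and row["expires_at"] <= now:
        return False, "expired"
    if row["kind"] != kind:  # stored kind must agree with what the prefix claims
        return False, "kind_mismatch"
    if row["user_id"] not in store.users:
        return False, "no_user"
    recent = [t for t in store.hits.get(row["token_hash"], []) if now - t < 60]
    if len(recent) >= RATE_LIMIT:  # sliding one-minute window, counted per token
        return False, "rate_limited"
    store.hits[row["token_hash"]] = recent + [now]
    return True, "ok"

def mk_row(token, kind, user_id, expires_at=None, revoked=False):
    return {"token_hash": token_hash(token), "kind": kind, "user_id": user_id,
            "expires_at": expires_at, "revoked": revoked}

def make_store() -> Store:
    """Constructed sample data for the example; none of these are real Sketch tokens."""
    return Store([
        mk_row("skp_good", "pat", "u1"),
        mk_row("skp_revoked", "pat", "u1", revoked=True),
        mk_row("skp_expired", "pat", "u1", expires_at=500.0),
        mk_row("sko_mislabeled", "pat", "u1"),        # OAuth prefix, but stored as a PAT
        mk_row("skp_orphan", "pat", "deleted-user"),  # owner no longer exists
    ], users=["u1"])
```

Note that a rejected request records no hit, so only accepted requests consume the 60-per-minute budget in this version.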
Public MCP data access
Public MCP tools resolve the current user’s verified email addresses and filter data to files and entities visible to those emails.
- Entity search hides entities that are not backed by content the user can access.
- Entity context filters mentions to accessible files.
- File content returns “not found” when the user cannot read the file.
- Public file content is capped to 50,000 characters.
Connector permissions
Connector permissions are role- and ownership-based:
- Org-wide connectors can be viewed by the org and managed by admins.
- Per-user connectors can be viewed and managed by their owner or admins.
- Personal Canvas account rows owned by another user are filtered out, even if an upstream response incorrectly marks them as usable.
- Non-owner users cannot disconnect access-controlled Canvas accounts owned by someone else.
Agent runtime permissions
The internal Sketch agent runtime uses permissionMode: "default" and routes tool calls through canUseTool. The permission callback enforces:
- The tool allowlist.
- Agent-specific allowed tools when an agent persona has one.
- Workspace-scoped file access.
- Bash command path validation.
- Image-read blocking when visual-analysis routing is required.