Managing connected applications

Every time you complete the OAuth consent flow for a new MCP client, Primitive records a connected application against your user. You can review and revoke those connections from the dashboard.

View your connected applications

Open the Primitive dashboard and navigate to Settings → Connected applications.

You'll see a list of every MCP client that holds an active OAuth grant for your account, including:

The client name (e.g., Claude Code, Cursor, ChatGPT)
The scopes it was granted (mcp:read, mcp:write)
When it was first authorized
When it was last used

Revoke access

Click Revoke next to any connected application to invalidate its tokens server-side.

After revocation:

Every Primitive MCP request validates the bearer token against the database, so the next tool call from the revoked client returns HTTP 401. A revoked token cannot successfully invoke tools.
A well-behaved client should detect the 401, prompt you to reconnect, and walk through the OAuth flow again.
Some clients hold a stale in-memory copy of the token and may not notice the revocation until they make a request — they might display a connected state or fail with confusing errors instead of prompting to reconnect. Force-quit and reopen the client to clear that state and re-run the OAuth flow.

What revoke does not do

Revoking a client does not undo prior actions taken with mcp:write tools. If an agent already cancelled a job run or deleted a file before you revoked, those changes stand.

For destructive actions in particular, prefer requiring human confirmation on every mcp:write call rather than relying on after-the-fact revocation. See Security best practices.

When to revoke

You're rotating out of a client you no longer use.
The client looks suspicious in your authorization list (you don't recognize it, or the scope set is broader than expected).
The client device was lost or compromised.
You suspect prompt injection or exfiltration through an agent context.

If you can't access the dashboard but need to revoke immediately, contact hello@primitive.tech.

View your connected applications

Open the Primitive dashboard and navigate to Settings → Connected applications.

You'll see a list of every MCP client that holds an active OAuth grant for your account, including:

The client name (e.g., Claude Code, Cursor, ChatGPT)

The scopes it was granted (mcp:read, mcp:write)

When it was first authorized

When it was last used

Revoke access

Click Revoke next to any connected application to invalidate its tokens server-side.

After revocation:

Every Primitive MCP request validates the bearer token against the database, so the next tool call from the revoked client returns HTTP 401. A revoked token cannot successfully invoke tools.

A well-behaved client should detect the 401, prompt you to reconnect, and walk through the OAuth flow again.

Some clients hold a stale in-memory copy of the token and may not notice the revocation until they make a request — they might display a connected state or fail with confusing errors instead of prompting to reconnect. Force-quit and reopen the client to clear that state and re-run the OAuth flow.

What revoke does not do

Revoking a client does not undo prior actions taken with mcp:write tools. If an agent already cancelled a job run or deleted a file before you revoked, those changes stand.

For destructive actions in particular, prefer requiring human confirmation on every mcp:write call rather than relying on after-the-fact revocation. See Security best practices.

When to revoke

You're rotating out of a client you no longer use.

The client looks suspicious in your authorization list (you don't recognize it, or the scope set is broader than expected).

The client device was lost or compromised.

You suspect prompt injection or exfiltration through an agent context.

If you can't access the dashboard but need to revoke immediately, contact hello@primitive.tech.