Connected Apps
What are Connected Apps?
Connected Apps are applications that have been granted permission to access your workspace’s data and features through the OAuth 2.1 protocol. Unlike API tokens (which are generated manually), OAuth connections are established through an authorization flow where the user explicitly approves the access.
When an application connects via OAuth, the user chooses:
- Which organization to grant access to
- Which product the application can access
- Which permissions (scopes) the application receives
Accessing the Apps Tab
- Go to the workspace configuration page (gear button in the navbar)
- Click the Apps tab
Sharing Connection Details
When setting up a new application to connect to Prodgy, you need to provide it with the correct URLs and available scopes. The Share button (share icon in the top-right of the tab) opens a dialog with everything needed:
- MCP Server — the URL to use in MCP-compatible clients (Claude, Cursor, Windsurf, etc.), plus the available MCP scopes (`mcp:read`, `mcp:write`, `mcp:execute`, `mcp:admin`)
- REST API — the URL for applications that call Prodgy REST endpoints directly via OAuth bearer tokens, plus the available API scopes (`api:read`, `api:write`, `api:execute`, `api:admin`)
Each entry has a copy button to quickly grab the URL and paste it into the third-party application.
Viewing Connected Apps
Each connected application is displayed in a table with the following information:
| Column | Description |
|---|---|
| Application | Name and website of the connected application |
| Permissions | Scopes granted to the application (color-coded by sensitivity) |
| Last used | Date and time of the last API call, plus usage count |
| Authorized at | Date and time the authorization was granted |
| Actions | Revoke button |
Understanding Permissions
Permissions are divided into two groups: MCP (for MCP tool access) and API (for REST API access).
| Permission | Description |
|---|---|
| MCP Read | Read data via MCP tools (work items, contacts, knowledge base) |
| MCP Write | Create and edit data via MCP tools |
| MCP Execute | Execute agents and platform actions via MCP |
| MCP Admin | Manage advanced settings via MCP (delete data, manage integrations) |
| API Read | Read data via REST API endpoints |
| API Write | Create and edit data via REST API |
| API Execute | Execute workflows, agents, and chat via REST API |
| API Admin | Delete resources and manage integrations via REST API |
Revoking Access
To revoke an application’s access:
- Find the application in the list
- Click the Revoke button
- Confirm the action in the dialog
How OAuth Differs from API Tokens
| Feature | API Tokens | OAuth Apps |
|---|---|---|
| How it’s created | Admin generates manually | Application requests, user approves |
| Expiration | Configurable or never | 1 hour (auto-renews) |
| Permissions | Full access | Granular (read, write, execute, admin) |
| Revocation | Deactivate in API Tokens tab | Revoke in Apps tab |
| User interaction | Copy/paste token | One-click authorization |
Security Considerations
- Regularly review the list of connected apps and revoke any that are no longer needed
- Pay attention to applications with Admin permissions — they can modify or delete data
- Each authorization is scoped to a single product — an application authorized for one product cannot access another
- The last used column helps identify inactive applications that can be safely revoked
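The review described in this list can be scripted once the Apps tab rows are written down. The following is an added example, not Prodgy code: it assumes the rows were transcribed by hand (this page describes no export), and the field names, the `review` function and the 90-day window are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta, timezone

# Scope names as listed in the Share dialog on this page.
KNOWN_SCOPES = {f"{group}:{level}" for group in ("mcp", "api")
                for level in ("read", "write", "execute", "admin")}
STALE_AFTER = timedelta(days=90)  # assumption: choose your own review window


def review(apps, now):
    """Return {app name: [findings]} for apps that deserve a closer look."""
    findings = {}
    for app in apps:
        notes = []
        scopes = set(app["scopes"])
        unknown = scopes - KNOWN_SCOPES
        if unknown:  # usually a transcription error; check the Apps tab again
            notes.append(f"unrecognized scopes: {sorted(unknown)}")
        admin = sorted(s for s in scopes if s.endswith(":admin"))
        if admin:
            notes.append(f"admin scope can modify or delete data: {admin}")
        last = app["last_used"]
        if last is None:
            notes.append("never used since authorization")
        elif now - last > STALE_AFTER:
            notes.append(f"inactive for {(now - last).days} days")
        if notes:
            findings[app["name"]] = notes
    return findings


# Constructed sample rows (not real data), mirroring the table columns above.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"name": "Example IDE", "scopes": ["mcp:read", "mcp:write"],
     "last_used": datetime(2025, 5, 30, tzinfo=timezone.utc)},
    {"name": "Example Sync", "scopes": ["api:read", "api:admin"],
     "last_used": datetime(2025, 1, 10, tzinfo=timezone.utc)},
    {"name": "Example Bot", "scopes": ["mcp:execute"], "last_used": None},
]

if __name__ == "__main__":
    for name, notes in review(SAMPLE, NOW).items():
        print(name)
        for note in notes:
            print("  -", note)
```

Apps that come back with findings are candidates for the Revoke button or for re-authorization with narrower scopes.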