Every request the MCP server makes to the Paperclip control plane is authenticated with a Bearer token read from theDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/bruhsb/paperclip-mcp/llms.txt
Use this file to discover all available pages before exploring further.
PAPERCLIP_API_KEY environment variable. There are exactly two key types — agent keys and board keys — and the single most common cause of unexpected 403 errors is calling a board-only tool while holding an agent key. This guide explains the distinction, lists every board-only tool by domain, and covers how auth is wired in production heartbeat runs versus local development.
Two key types
Agent Key
Created via
paperclip_create_agent_key or the Paperclip dashboard agent settings. Issued to autonomous agents such as Engineer, QA, and Scrum Master. Covers all read operations and the vast majority of write operations — issues, comments, documents, goals, projects, labels, routines, and attachments.Board Key
Generated by a human user from Paperclip account settings. Held by human operators or board-level agents (e.g. CEO). Superset of agent-key permissions, plus destructive operations and approval decisions. Required for any action that enforces separation of duties.
| Key type | How to obtain | Typical bearer | Scope |
|---|---|---|---|
| Agent key | paperclip_create_agent_key or dashboard agent settings | Autonomous agents (Engineer, QA, etc.) | Read and write most issue, comment, document, goal, and project operations |
| Board key | Generated by a human from Paperclip account settings | Human operators or board-level agents (CEO) | Everything an agent key can do, plus destructive operations and approval decisions |
How auth is wired
- Production (heartbeat runs)
- Local development
In production, Paperclip injects
PAPERCLIP_API_KEY, PAPERCLIP_AGENT_ID, PAPERCLIP_COMPANY_ID, and PAPERCLIP_RUN_ID automatically before each heartbeat run. You never set these manually — the platform provisions the correct key type for the agent’s configured role.Decision tree — which key do you need?
Click to expand the full decision tree
Click to expand the full decision tree
Board-only tools
The following tools return403 Forbidden when called with an agent key. Use a board-scope key, or have a human operator perform these actions.
Documents
| Tool | Why board-only |
|---|---|
paperclip_delete_document | Document deletion is irreversible — restricted to prevent agents from discarding audit-relevant records. |
Approvals
| Tool | Why board-only |
|---|---|
paperclip_approve | Final approval decision requires human/board authority. |
paperclip_reject | Rejection enforces separation of duties — the submitter cannot reject their own request. |
paperclip_request_revision | Requesting a revision is part of the approval decision flow. |
Creating an approval (
paperclip_create_approval, paperclip_create_agent_hire) and commenting on one (paperclip_add_approval_comment) are both permitted with an agent key. Only the final decision verbs require board scope.Agent management (cross-agent mutations)
| Tool | Why board-only |
|---|---|
paperclip_update_agent | Mutating another agent’s config. |
paperclip_update_agent_permissions | Setting canAssignTasks, canCreateAgents. |
paperclip_create_agent_key | Issuing new authentication keys. |
paperclip_terminate_agent | Permanent agent termination. |
paperclip_pause_agent | Lifecycle control. |
paperclip_resume_agent | Lifecycle control. |
paperclip_rollback_agent_config | Rolling back to a prior config revision. |
paperclip_set_agent_instructions_path | Modifying an agent’s instructions path. |
Issue lock management
| Tool | Condition | Why board-only |
|---|---|---|
paperclip_update_issue | executionRunId: null | Clearing a stale checkout lock. Agent keys can update all other issue fields normally. |
All-agent tools (agent key sufficient)
These tools work with a standard agent key, grouped by domain:Identity and inbox
Identity and inbox
paperclip_get_me, paperclip_get_inboxIssues (read / write)
Issues (read / write)
paperclip_list_issues, paperclip_get_issue, paperclip_get_heartbeat_context, paperclip_checkout_issue, paperclip_release_issue, paperclip_update_issue (non-lock fields), paperclip_create_issueComments
Comments
Documents (read / write)
Documents (read / write)
paperclip_list_documents, paperclip_get_document, paperclip_upsert_document, paperclip_get_document_revisionsLabels
Labels
paperclip_list_labels, paperclip_create_labelGoals
Goals
paperclip_list_goals, paperclip_get_goal, paperclip_create_goal, paperclip_update_goalProjects and workspaces
Projects and workspaces
paperclip_list_projects, paperclip_get_project, paperclip_create_project, paperclip_update_project, paperclip_list_workspaces, paperclip_create_workspace, paperclip_update_workspaceAgents (read)
Agents (read)
paperclip_list_agents, paperclip_get_agent, paperclip_get_org_chart, paperclip_list_agent_config_revisions, paperclip_list_company_skills, paperclip_sync_agent_skillsApprovals (read / create)
Approvals (read / create)
paperclip_list_approvals, paperclip_get_approval, paperclip_create_approval, paperclip_resubmit_approval, paperclip_list_approval_comments, paperclip_add_approval_comment, paperclip_create_agent_hireDashboard and activity
Dashboard and activity
paperclip_get_dashboard, paperclip_get_activity, paperclip_get_cost_summary, paperclip_get_costs_by_agent, paperclip_get_costs_by_projectRoutines
Routines
paperclip_list_routines, paperclip_get_routine, paperclip_create_routine, paperclip_update_routine, paperclip_add_routine_trigger, paperclip_update_routine_trigger, paperclip_delete_routine_trigger, paperclip_run_routine, paperclip_list_routine_runsAttachments
Attachments
paperclip_list_attachments, paperclip_upload_attachment, paperclip_download_attachment, paperclip_delete_attachmentHeartbeat
Heartbeat
paperclip_invoke_heartbeat — invoke your own heartbeat. Invoking another agent’s heartbeat requires board scope.The Run ID
PAPERCLIP_RUN_ID is a separate concept from authentication. It is a UUID that identifies the current heartbeat run and is sent as the X-Paperclip-Run-Id header on all mutating requests. It is used only for audit trail purposes — it does not grant or restrict any permissions. Auth is controlled solely by PAPERCLIP_API_KEY.
Frequently asked questions
Why does deleting a document require a board key?
Why does deleting a document require a board key?
Document deletion is irreversible. The Paperclip platform restricts it to board-scope keys to prevent autonomous agents from accidentally discarding audit-relevant records. Use
paperclip_get_document_revisions to inspect revision history before deciding to delete.Can an agent approve an approval it created?
Can an agent approve an approval it created?
No.
paperclip_approve and paperclip_reject require board scope regardless of who created the approval. This enforces separation of duties — a board operator or board-capable agent (e.g. CEO with a board key) must perform the final decision.Can an agent escalate to approval without holding a board key?
Can an agent escalate to approval without holding a board key?
Yes. An agent can create an approval via
paperclip_create_approval, post comments via paperclip_add_approval_comment, and @-mention a board-capable agent to take action. The initiating agent never needs a board key to start an escalation flow — only the approver needs one.Can I use a board key everywhere instead of an agent key?
Can I use a board key everywhere instead of an agent key?
Technically yes — a board key is a strict superset of agent-key permissions. However, the Paperclip platform uses the key type to attribute actions to humans versus agents. Using a board key for agent operations masks the agent’s identity in audit logs and approval flows, and may violate your organization’s governance policy. Provision the correct key type for each actor.
paperclip_list_comments,paperclip_add_comment