Loading documentation
Preparing the product guides and role-based operating paths.
Opening the in-product guides for onboarding, workflow decisions, and surface ownership.
Preparing the product guides and role-based operating paths.
Configure other people's LLMs, CI bots, and MCP clients to use ScanQ safely through scoped public REST and MCP access.
External agents should enter through token profiles, explicit scopes, per-agent targets, artifact access tiers, and idempotent write calls. The safest integration path is boring on purpose.
Use this order when onboarding a new external agent or MCP client.
One token profile should map to one external agent identity and one narrow job.
SCANQ_REQUIRE_AGENT_TOKEN=true
SCANQ_AGENT_TOKENS={
"partner-ci-token": {
"agent_id": "partner-ci",
"display_name": "Partner CI Agent",
"tenant_id": "acme",
"project_id": "payments",
"client_kind": "ci",
"scopes": [
"mcp:read",
"orchestrate:read",
"orchestrate:write",
"orchestrate:cancel",
"scans:read",
"evidence:read"
],
"allowed_targets": ["https://app.example.com"],
"artifact_access": "proof"
}
}
SCANQ_REVOKED_AGENT_IDS=Start read-only, then add write scopes only when the agent needs to launch or modify work.
| Agent job | Scopes |
|---|---|
| MCP discovery | mcp:read |
| Saved-scan reader | mcp:read, scans:read, evidence:read |
| CI scan launcher | mcp:read, orchestrate:read, orchestrate:write, orchestrate:cancel, scans:read, evidence:read |
| Webhook operator | webhooks:read, webhooks:write |
| Proof-pack importer | proof-pack:import, proof-pack:policy:read |
| Drift replay bot | proof-pack:replay, evidence:read |
| Reliability bot | developer:read, memory:read, scans:read |
Use Idempotency-Key on scan launch so retries return the same queued run for the same agent.
curl -s -X POST http://127.0.0.1:8001/api/public/v1/mcp \
-H "Content-Type: application/json" \
-H "X-API-Key: $BENDU_API_KEY" \
-H "X-ScanQ-Agent-Token: partner-ci-token" \
-H "Idempotency-Key: scanq-ci-2026-06-13T1200Z" \
-H "X-Request-ID: ci-run-4217" \
-d '{
"jsonrpc": "2.0",
"id": "scanq-create-run",
"method": "tools/call",
"params": {
"name": "orchestrate.create_run",
"arguments": {
"target_url": "https://app.example.com",
"scan_mode": "light",
"engagement_mode": "authorized_assessment"
}
}
}'Good agents explain confidence, skipped work, and proof quality before they summarize risk.
Agents that need async completion should register a webhook with webhooks:write.