Suede Docs
Connect AI assistants

Static credentials

Generate a client ID and secret so Microsoft Copilot Studio and other headless clients can connect to Suede without an interactive sign-in.

Some clients can't sign in through a browser — Microsoft Copilot Studio and other automated or server-side agents run without a person present. For these, an Owner or Admin generates static credentials: a client ID and secret you paste into the client's configuration.

Only Owners and Admins can create or revoke static credentials. If you're a Member or Viewer, ask an organization Admin to provision them for you.

Before you begin

  • The Owner or Admin role on the workspace.

  • The server URL, which the client also needs:

    https://mcp.suedewebsystems.ai/mcp/v1

Generate a credential

Open Workspace MCP Management

Open your workspace settings and go to MCP Management. This page governs every static credential in the workspace.

Start a new connection

Select New connection to open the credential form.

Fill in the details

  • Label — A name to recognize this credential later (e.g., "Copilot Studio – Marketing"). Only you see it; it isn't sent to the client.
  • Scopes — What the credential is allowed to do. Grant the least it needs: data:read for read-only, add data:write to let it edit monitoring data. See Tools and permissions reference.
  • Redirect URI — Leave blank to use the Microsoft Copilot Studio default. Override it only if your client requires a different callback.

Generate

Select Generate connection. Suede shows the client ID and client secret.

Copy the client secret now — it is shown only once. Suede stores it hashed and can never display it again. If you lose it, revoke the credential and generate a new one.

Connect Microsoft Copilot Studio

In Copilot Studio, add Suede as an MCP tool and supply the server URL along with the client ID and secret you just generated. Copilot Studio uses the default redirect URI, so you don't need to change it unless your tenant requires a custom callback.

Once connected, the agent can use whatever the credential's scopes allow.

Govern credentials

Workspace MCP Management lists every static credential in the workspace, including ones created by other Admins, with who created each. Any Admin or Owner can revoke any credential.

Revoking is immediate and permanent: it invalidates every token ever issued from that credential. A client using it loses access at once. To rotate a credential, generate a new one first, update the client, then revoke the old one.

Audit member connections

The same page shows an audit of the assistants your members have connected by signing in (see Connect an AI assistant) — the member, the assistant, the access granted, and when it was last active.

This view is read-only. Sign-in connections are personal, so only the member who created one can disconnect it. To cut off a member's access, ask them to disconnect, or remove them from the organization.

Owners and Admins can also generate static credentials for their own use from My MCP Connections → Your static credentials in the account menu. Workspace MCP Management is the place to see and govern all of them together.

On this page