
Feature Request: Scoped API tokens with configurable permissions and expiry #10622

@dnplkndll

Description

Use case

AI agents (e.g. Claude, Copilot) and CI/CD integrations need to interact with Huly programmatically on behalf of a user — creating issues, reading project data, updating documents, etc. The current @hcengineering/api-client supports a token option, but there's no way to generate scoped, time-limited tokens with granular permissions.

Without this, the only option is passing raw email/password credentials, which is unsuitable for automated agents, shared CI pipelines, or any integration where least-privilege access matters.

Proposal

Personal Access Tokens with:

Permission scoping

  • Per-module granularity: read or read+write for individual modules (e.g. tracker, documents, hr, time tracking, chat)
  • admin / all scope for full access (power users, trusted agents)

Expiry

  • Recommended default: 30 days
  • Configurable up to 1 year
  • Tokens should display expiry date and support early revocation

Management

  • Token CRUD in user settings UI (create, list, revoke)
  • Show last-used timestamp per token
  • Token value shown once at creation (not retrievable later)

Auth flow

  • Usable as a bearer token with the existing API client:

    connect('https://huly.app', { token: 'pat_...', workspace: 'my-workspace' })
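The token model proposed above (per-module read / read+write scopes or a full `admin` scope, a 30-day default and 1-year maximum expiry, a value that is shown once and stored only as a hash, revocation, and a last-used timestamp) as a small server-side store. This is an added illustration, not Huly code: the `PatStore` class, the `pat_<id>_<secret>` layout and the scope names are assumptions made here.

```typescript
import { createHash, randomBytes, timingSafeEqual } from 'node:crypto';

export type Grant = 'read' | 'readwrite';        // what a token holds for one module
export type Op = 'read' | 'write';               // what a request needs
export type Scopes = Record<string, Grant> | 'admin'; // per-module grants, or everything
export type Verdict = 'ok' | 'unknown' | 'expired' | 'revoked' | 'forbidden';

export interface PatRecord {
  id: string;        // public identifier, safe to list in the settings UI
  name: string;
  hash: string;      // sha256 of the token; the plaintext is never persisted
  scopes: Scopes;
  createdAt: number;
  expiresAt: number;
  lastUsedAt?: number;
  revokedAt?: number;
}

const DAY = 86_400_000;
export const DEFAULT_TTL = 30 * DAY;   // recommended default from the proposal
export const MAX_TTL = 365 * DAY;      // configurable up to one year

const sha256 = (s: string): string => createHash('sha256').update(s).digest('hex');

export class PatStore {
  private records = new Map<string, PatRecord>();

  // Returns the plaintext token exactly once; afterwards only the hash exists.
  create(name: string, scopes: Scopes, ttlMs = DEFAULT_TTL, now = Date.now()): { token: string; record: PatRecord } {
    if (ttlMs <= 0 || ttlMs > MAX_TTL) throw new Error('expiry must be between 1 ms and 1 year');
    const id = randomBytes(6).toString('hex');                         // assumed layout: pat_<id>_<secret>
    const token = `pat_${id}_${randomBytes(24).toString('base64url')}`;
    const record: PatRecord = { id, name, hash: sha256(token), scopes, createdAt: now, expiresAt: now + ttlMs };
    this.records.set(id, record);
    return { token, record };
  }

  revoke(id: string, now = Date.now()): void {
    const r = this.records.get(id);
    if (r) r.revokedAt = now;   // early revocation: the record stays for audit, the token stops working
  }

  // Check a presented bearer token against the module/operation a request needs.
  authorize(token: string, module: string, op: Op, now = Date.now()): Verdict {
    const r = this.records.get(token.split('_')[1] ?? '');
    if (!r || !timingSafeEqual(Buffer.from(r.hash), Buffer.from(sha256(token)))) return 'unknown';
    if (r.revokedAt !== undefined && r.revokedAt <= now) return 'revoked';
    if (now >= r.expiresAt) return 'expired';
    if (r.scopes !== 'admin') {
      const granted = r.scopes[module];                                 // undefined: module not in scope
      if (granted === undefined || (op === 'write' && granted !== 'readwrite')) return 'forbidden';
    }
    r.lastUsedAt = now;   // feeds the "last used" column in the settings UI
    return 'ok';
  }
}
```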

Context

  • Issue "Does huly have API?" (#6996) requested API access — the TypeScript client now exists but lacks a proper token system
  • Issue "[Feature Request] Event Based API" (#9187) requested an event-based API — scoped tokens would also be needed for webhook receivers
  • Multiple community MCP server wrappers exist (e.g. huly-mcp-server) that would immediately benefit from proper token auth
  • No OpenAPI spec exists yet — when one is added, token auth would be the natural authentication method
