Are you an LLM? Read llms.txt for a summary of the docs, or llms-full.txt for the full context.
Skip to content

Authentication

The bento daemon uses bearer token authentication. Tokens are issued on the server where the daemon runs, then configured on each client machine where your coding agent (Claude Code, Codex, pi) connects from.

Server side

On the machine running the daemon, issue a token:

bento token issue --email you@example.com

This outputs a bento_pat_... token. Save it — it's only shown once.

You can list and revoke tokens:

bento token list
bento token revoke <token-id>

Client side

Each coding agent needs the token configured so it can authenticate with the daemon. The daemon URL will typically be a Tailscale Funnel URL (e.g. https://<node>.tail<id>.ts.net/mcp) since the daemon runs on a remote server.

For local development where the daemon runs on the same machine, use http://127.0.0.1:7890/mcp.

Claude Code

Run from your project directory:

claude mcp add --transport http bento http://127.0.0.1:7890/mcp \
  --header "Authorization: Bearer <token>"

This writes to ~/.claude.json under the current project (local scope — the token stays out of any committed file). Pass --scope user to share the entry across all projects on this machine.

Restart Claude Code (or run /mcp and reconnect) to pick up the change.

"mcpServers": {
    "bento": {
      "type": "streamable-http",
      "url": "http://127.0.0.1:7890/mcp",
      "headers": {
        "Authorization": "Bearer <token>"
      }
    }
}

Codex

Add to ~/.codex/config.toml:

[mcp_servers.bento]
url = "http://127.0.0.1:7890/mcp"
http_headers = { Authorization = "Bearer <token>" }

pi

The remote-workloads extension reads BENTO_TOKEN from the environment. Add to your project .envrc:

export BENTO_DAEMON_URL="http://127.0.0.1:7890"
export BENTO_TOKEN="<token>"

Then restart pi to pick up the new environment.