Glossary

Install token — install-only-scoped API key for MDM deployment

An **install token** is an install_only-scoped API key. It can only call /v1/install/* endpoints — even if leaked, it can't read receipts, register agents in other orgs, or do anything except configure tools on the user's laptop.

Why scoped tokens

Org install tokens are pushed to many laptops via MDM. A high-scope key in that position would be dangerous if any laptop's /etc were compromised. Install-only scope minimises blast radius.

Generation

Go to /admin/install-tokens → Generate. The token is shown once; copy it to your MDM secret store.

Rotation

Update the MDM secret quarterly and re-push it to the fleet. Old tokens can be revoked without disrupting installations.

Storage on the laptop

/etc/genzagents.env (mode 600), readable only by root. The setup CLI uses it to register the laptop; subsequent operation uses a per-laptop human DID and API key.
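
A fleet compliance check for the storage rule above, as an added example that is not part of the GenZAgents tooling: it verifies that the token file is a regular file, has mode 600 and is owned by root. The function name, messages and optional owner argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not GenZAgents code): audit the install-token file on a laptop.
# The path and "mode 600, root-only" come from the page; the function name,
# messages and the optional owner argument are assumptions for illustration.

# check_token_file PATH [EXPECTED_UID]  -> returns 0 if compliant, 1 otherwise
check_token_file() {
    ctf_path=$1
    ctf_want_uid=${2:-0}          # root by default; overridable for testing

    # A symlink could redirect readers to a copy with looser permissions.
    if [ -L "$ctf_path" ]; then
        echo "FAIL: $ctf_path is a symlink" >&2; return 1
    fi
    if [ ! -f "$ctf_path" ]; then
        echo "FAIL: $ctf_path is missing or not a regular file" >&2; return 1
    fi

    # GNU stat first, then the BSD/macOS form.
    ctf_meta=$(stat -c '%a %u' "$ctf_path" 2>/dev/null) ||
        ctf_meta=$(stat -f '%Lp %u' "$ctf_path" 2>/dev/null) || {
            echo "FAIL: cannot stat $ctf_path" >&2; return 1
        }
    ctf_mode=${ctf_meta% *}
    ctf_uid=${ctf_meta#* }

    ctf_rc=0
    if [ "$ctf_mode" != "600" ]; then
        echo "FAIL: $ctf_path has mode $ctf_mode, expected 600" >&2; ctf_rc=1
    fi
    if [ "$ctf_uid" != "$ctf_want_uid" ]; then
        echo "FAIL: $ctf_path is owned by uid $ctf_uid, expected $ctf_want_uid" >&2; ctf_rc=1
    fi
    [ "$ctf_rc" -eq 0 ] && echo "OK: $ctf_path"
    return "$ctf_rc"
}

# Run only when a path is given, e.g.: sh check.sh /etc/genzagents.env
if [ "$#" -gt 0 ]; then
    check_token_file "$@"
fi
```

A non-zero exit status can be reported back through the MDM as a compliance failure for that laptop.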
