> ## Documentation Index
> Fetch the complete documentation index at: https://explore.airia.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Tenant vs. Personal Level App Credentials

Every app credential you connect to an MCP Gateway or Deployment (Slack, GitHub, Salesforce, and so on) has an **access level**: **Personal** or **Tenant**. This controls who the connection belongs to and who can use it, separate from the visibility setting on the Gateway itself. The access level for a credential is only modifyable for API keys.

## The Two Levels

| Level        | Who can use it                | Typical use case                                                                                      |
| ------------ | ----------------------------- | ----------------------------------------------------------------------------------------------------- |
| **Personal** | Only you                      | Your own accounts, individual API keys, anything tied to your identity                                |
| **Tenant**   | Everyone in your organization | Shared service accounts, a single organization-wide API key, apps everyone should access the same way |

<Note>
  Personal is the default for a new connection. An admin has to explicitly share a configuration at the Tenant level.
</Note>

## How Each Authentication Method Handles Levels

Access levels don't work identically across every authentication method. What's actually shared at the Tenant level depends on how the app authenticates.

| Authentication Method | What can be shared at Tenant level | What always stays Personal                                            |
| --------------------- | ---------------------------------- | --------------------------------------------------------------------- |
| **OAuth (DCR)**       | Nothing, always Personal           | Your sign-in and access token                                         |
| **OAuth (Manual)**    | The OAuth app registration itself  | Each user's individual sign-in and access token                       |
| **API Key**           | A single organization-wide key     | Individual keys if no tenant level key has been provided by an admin. |
| **Pass-Through**      | Not applicable                     | Not applicable, since nothing is stored                               |

<Warning>
  OAuth sign-ins and tokens are always personal to the user who authenticated, even though the underlying app registration is shared at the Tenant level. One person's login is never used on another person's behalf.
</Warning>

Some apps support one-click OAuth where you just click **Connect** and authenticate immediately. For these, there's no admin setup step and no level to choose, your connection is Personal by definition.

Other apps require an admin to register an OAuth app first (providing a client ID and secret, for example). That registration is created at the Tenant level so it only has to be done once, but each person in your organization still has to click **Connect** and sign in with their own account. Nobody's access is shared just because the app registration is.

For API key based apps, an admin gets an explicit choice:

* **Share across tenant:** Enter one key that every user in the organization will use.
* **Leave it personal:** Each user provides their own key when they connect.

## Choosing a Level

| Choose Tenant when...                                                            | Choose Personal when...                                                      |
| -------------------------------------------------------------------------------- | ---------------------------------------------------------------------------- |
| The app represents a shared resource (a team Slack workspace, a shared database) | The app is tied to an individual's identity or permissions                   |
| You want every user to have access without individually connecting               | Different users should have different levels of access to the underlying app |
| You're managing a service account or bot credential                              | You want to audit actions back to a specific person                          |

## Managing Access

Who can create, change, or remove a connection depends on its level and your role:

* **Tenant-level connections** can only be created, changed, or removed by an admin (Platform Admin, Admin, or a custom role with the appropriate permission). Any user in the organization can use one once it exists.
* **Personal-level connections** can only be seen and managed by the user who created them. Not even an admin can see or use another user's personal connection.

<Note>
  Removing your own personal connection or disconnecting your account never affects the underlying Tenant-level app registration. It stays in place for everyone else.
</Note>

## Changing an Existing Connection's Level

You can move an API key between levels after it's created, with a few guardrails:

* **Promoting Personal to Tenant** makes the connection available to everyone in your organization going forward.
* **Demoting Tenant to Personal** removes access for every other user who was relying on it. You'll be warned before this happens, since it can break any Gateway or Deployment that depended on the shared connection.
