[{"data":1,"prerenderedAt":900},["ShallowReactive",2],{"navigation":3,"/mcp/security":166,"/mcp/security-surround":895},[4,23,44,89,111,136],{"title":5,"path":6,"stem":7,"children":8,"icon":22},"Getting Started","/getting-started","1.getting-started/1.index",[9,12,17],{"title":10,"path":6,"stem":7,"icon":11},"Introduction","i-lucide-house",{"title":13,"path":14,"stem":15,"icon":16},"Installation","/getting-started/installation","1.getting-started/2.installation","i-lucide-download",{"title":18,"path":19,"stem":20,"icon":21},"Usage","/getting-started/usage","1.getting-started/3.usage","i-lucide-sliders",false,{"title":24,"icon":22,"path":25,"stem":26,"children":27,"page":22},"Time tracking & monitoring","/time-tracking","2.Time Tracking",[28,32,36,40],{"title":29,"path":30,"stem":31},"Time & Projects","/time-tracking/timeandprojects","2.Time Tracking/Time&Projects",{"title":33,"path":34,"stem":35},"Time Tracking","/time-tracking/time-tracking","2.Time Tracking/Time-tracking",{"title":37,"path":38,"stem":39},"Timeboard","/time-tracking/timeboard","2.Time Tracking/TimeBoard",{"title":41,"path":42,"stem":43},"Timesheets","/time-tracking/timesheets","2.Time Tracking/Timesheets",{"title":45,"icon":22,"path":46,"stem":47,"children":48,"page":22},"Features","/features","3.features",[49,53,57,61,65,69,73,77,81,85],{"title":50,"path":51,"stem":52},"Dashboard","/features/dashboard","3.features/1.dashboard",{"title":54,"path":55,"stem":56},"SMTP troubleshoot","/features/smtp-troubleshoot","3.features/10.smtp-troubleshoot",{"title":58,"path":59,"stem":60},"Calendar & Leave Overview","/features/calendar","3.features/2.calendar",{"title":62,"path":63,"stem":64},"Calendar Integration","/features/calendar-integration","3.features/3.calendar-integration",{"title":66,"path":67,"stem":68},"Shift Scheduling","/features/schedules","3.features/4.schedules",{"title":70,"path":71,"stem":72},"Project 
Management","/features/projects","3.features/5.projects",{"title":74,"path":75,"stem":76},"Expense Settings","/features/expense-settings","3.features/6.expense-settings",{"title":78,"path":79,"stem":80},"Auth0 SSO Integration","/features/auth0-integration","3.features/7.auth0-integration",{"title":82,"path":83,"stem":84},"Password & Authentication Policy","/features/policies","3.features/8.policies",{"title":86,"path":87,"stem":88},"Email Configuration (SMTP)","/features/email-configuration","3.features/9.email-configuration",{"title":90,"icon":22,"path":91,"stem":92,"children":93,"page":22},"Expenses","/expenses","4.expenses",[94,98,102,106],{"title":95,"path":96,"stem":97},"Expense Claims","/expenses/overview","4.expenses/1.overview",{"title":99,"path":100,"stem":101},"Add & Manage Purchases","/expenses/purchases","4.expenses/2.purchases",{"title":103,"path":104,"stem":105},"Travel & Mileage Entry","/expenses/travelentries","4.expenses/3.travelentries",{"title":107,"path":108,"stem":109,"icon":110},"Company Card Expenses","/expenses/company-cards","4.expenses/4.company-cards","i-lucide-credit-card",{"title":112,"icon":22,"path":113,"stem":114,"children":115,"page":22},"Settings","/settings","5.settings",[116,120,124,128,132],{"title":117,"path":118,"stem":119},"General","/settings/general","5.settings/1.general",{"title":121,"path":122,"stem":123},"Leave Types","/settings/leavetype","5.settings/2.leaveType",{"title":125,"path":126,"stem":127},"Carry Forward","/settings/carryforward","5.settings/3.carryForward",{"title":129,"path":130,"stem":131},"Department Management","/settings/departments","5.settings/4.departments",{"title":133,"path":134,"stem":135},"Public 
Holidays","/settings/publicholiday","5.settings/5.publicholiday",{"title":137,"path":138,"stem":139,"children":140,"page":22},"Mcp","/mcp","6.mcp",[141,146,151,156,161],{"title":142,"path":143,"stem":144,"icon":145},"Overview","/mcp/overview","6.mcp/1.overview","i-lucide-bot",{"title":147,"path":148,"stem":149,"icon":150},"Connecting","/mcp/connecting","6.mcp/2.connecting","i-lucide-plug",{"title":152,"path":153,"stem":154,"icon":155},"Tools Reference","/mcp/tools","6.mcp/3.tools","i-lucide-wrench",{"title":157,"path":158,"stem":159,"icon":160},"Security","/mcp/security","6.mcp/4.security","i-lucide-shield",{"title":162,"path":163,"stem":164,"icon":165},"Integrating Your Own MCP Client","/mcp/custom-client","6.mcp/5.custom-client","i-lucide-code",{"id":167,"title":157,"body":168,"description":888,"extension":889,"links":890,"meta":891,"navigation":892,"path":158,"seo":893,"stem":159,"__hash__":894},"docs/6.mcp/4.security.md",{"type":169,"value":170,"toc":868},"minimark",[171,176,185,190,212,223,234,238,251,255,266,270,273,277,352,356,772,776,780,806,810,824,828,842,846],[172,173,175],"h2",{"id":174},"authentication","Authentication",[177,178,179,180,184],"p",{},"BookYourPTO MCP uses ",[181,182,183],"strong",{},"OAuth 2.0 with PKCE"," for authentication. 
You sign in via your browser on BookYourPTO's domain — your password never touches the AI client or the MCP server.",[186,187,189],"h3",{"id":188},"how-it-works","How it works",[191,192,193,197,200,203,206,209],"ol",{},[194,195,196],"li",{},"Your AI client connects to the MCP server via SSE",[194,198,199],{},"The MCP server returns an OAuth challenge — your AI client opens a browser window",[194,201,202],{},"You sign in on BookYourPTO's login page (supports email/password and two-factor authentication)",[194,204,205],{},"BookYourPTO issues an authorization code, which is exchanged for a short-lived JWT access token",[194,207,208],{},"Tokens are automatically refreshed for the duration of your session",[194,210,211],{},"All tool calls run with your identity and permissions",[213,214,219],"pre",{"className":215,"code":217,"language":218},[216],"language-text","AI Client                MCP Server               BookYourPTO\n   │                        │                        │\n   │── GET /sse ───────────►│                        │\n   │◄── 401 (OAuth) ────────│                        │\n   │                        │                        │\n   │── Browser opens ──────►│── redirect ───────────►│\n   │                        │                        │── User logs in\n   │◄── code + state ───────│◄── redirect ───────────│   (browser)\n   │                        │                        │\n   │── POST /token ────────►│── proxy ──────────────►│\n   │◄── access_token ───────│◄── tokens ─────────────│\n   │                        │                        │\n   │── GET /sse + Bearer ──►│                        │\n   │◄══ SSE connected ══════│                        │\n","text",[220,221,217],"code",{"__ignoreMap":222},"",[224,225,228],"callout",{"color":226,"icon":227},"green","i-lucide-shield-check",[177,229,230,233],{},[181,231,232],{},"Your password never leaves BookYourPTO."," The AI client only receives an access token — it cannot see, store, or transmit your 
credentials. Each connection is fully isolated.",[186,235,237],{"id":236},"requirements","Requirements",[239,240,241,244],"ul",{},[194,242,243],{},"A BookYourPTO account (any role)",[194,245,246,247,250],{},"Two-factor authentication (2FA) is ",[181,248,249],{},"fully supported"," — if enabled, you'll enter your TOTP code on the login page",[186,252,254],{"id":253},"self-hosted-mode","Self-hosted mode",[177,256,257,258,261,262,265],{},"For local development or self-hosted deployments, you can pre-authenticate with a shared service account by setting ",[220,259,260],{},"BYPTO_EMAIL"," and ",[220,263,264],{},"BYPTO_PASSWORD"," environment variables. In this mode, no browser login is required and all connections share the service account's identity, so every client that can reach the server acts with that account's role rather than with its own user's permissions. The account's password is also held in the MCP server's environment, unlike the browser-based OAuth flow.",[172,267,269],{"id":268},"role-based-access-control","Role-Based Access Control",[177,271,272],{},"The MCP server inherits the permissions of the authenticated user. Tools enforce the same role-based access rules as the BookYourPTO web application.",[186,274,276],{"id":275},"role-hierarchy","Role hierarchy",[278,279,280,296],"table",{},[281,282,283],"thead",{},[284,285,286,290,293],"tr",{},[287,288,289],"th",{},"Role",[287,291,292],{},"Level",[287,294,295],{},"Description",[297,298,299,313,326,339],"tbody",{},[284,300,301,307,310],{},[302,303,304],"td",{},[220,305,306],{},"EMPLOYEE",[302,308,309],{},"Basic",[302,311,312],{},"View own data only",[284,314,315,320,323],{},[302,316,317],{},[220,318,319],{},"DEPARTMENT_HEAD",[302,321,322],{},"Manager",[302,324,325],{},"View/manage own department",[284,327,328,333,336],{},[302,329,330],{},[220,331,332],{},"ADMINISTRATOR",[302,334,335],{},"Admin",[302,337,338],{},"Full access to all features",[284,340,341,346,349],{},[302,342,343],{},[220,344,345],{},"EXECUTIVE",[302,347,348],{},"Executive",[302,350,351],{},"Full access + org-wide analytics",[186,353,355],{"id":354},"tool-permissions-by-role","Tool permissions by 
role",[278,357,358,375],{},[281,359,360],{},[284,361,362,365,367,370,373],{},[287,363,364],{},"Tool",[287,366,306],{},[287,368,369],{},"DEPT_HEAD",[287,371,372],{},"ADMIN",[287,374,345],{},[297,376,377,394,412,427,442,456,471,486,502,517,532,547,561,576,591,606,621,636,651,666,681,696,712,727,742,757],{},[284,378,379,385,388,390,392],{},[302,380,381,384],{},[220,382,383],{},"query_leaves"," (own)",[302,386,387],{},"Yes",[302,389,387],{},[302,391,387],{},[302,393,387],{},[284,395,396,401,404,407,410],{},[302,397,398,400],{},[220,399,383],{}," (others)",[302,402,403],{},"No",[302,405,406],{},"Department",[302,408,409],{},"All",[302,411,409],{},[284,413,414,419,421,423,425],{},[302,415,416],{},[220,417,418],{},"create_leave_request",[302,420,387],{},[302,422,387],{},[302,424,387],{},[302,426,387],{},[284,428,429,434,436,438,440],{},[302,430,431,384],{},[220,432,433],{},"get_leave_balance",[302,435,387],{},[302,437,387],{},[302,439,387],{},[302,441,387],{},[284,443,444,448,450,452,454],{},[302,445,446,400],{},[220,447,433],{},[302,449,403],{},[302,451,406],{},[302,453,409],{},[302,455,409],{},[284,457,458,463,465,467,469],{},[302,459,460],{},[220,461,462],{},"get_pending_leave_approvals",[302,464,403],{},[302,466,387],{},[302,468,387],{},[302,470,387],{},[284,472,473,478,480,482,484],{},[302,474,475],{},[220,476,477],{},"approve_or_reject_leave",[302,479,403],{},[302,481,387],{},[302,483,387],{},[302,485,387],{},[284,487,488,493,496,498,500],{},[302,489,490],{},[220,491,492],{},"get_time_tracking_status",[302,494,495],{},"Own",[302,497,406],{},[302,499,409],{},[302,501,409],{},[284,503,504,509,511,513,515],{},[302,505,506],{},[220,507,508],{},"clock_action",[302,510,387],{},[302,512,387],{},[302,514,387],{},[302,516,387],{},[284,518,519,524,526,528,530],{},[302,520,521],{},[220,522,523],{},"query_time_entries",[302,525,495],{},[302,527,406],{},[302,529,409],{},[302,531,409],{},[284,533,534,539,541,543,545],{},[302,535,536,384],{},[220,537,538],{},"query_expenses",[302,5
40,387],{},[302,542,387],{},[302,544,387],{},[302,546,387],{},[284,548,549,553,555,557,559],{},[302,550,551,400],{},[220,552,538],{},[302,554,403],{},[302,556,406],{},[302,558,409],{},[302,560,409],{},[284,562,563,568,570,572,574],{},[302,564,565],{},[220,566,567],{},"get_expense_approvals",[302,569,403],{},[302,571,387],{},[302,573,387],{},[302,575,387],{},[284,577,578,583,585,587,589],{},[302,579,580],{},[220,581,582],{},"approve_or_reject_expense",[302,584,403],{},[302,586,387],{},[302,588,387],{},[302,590,387],{},[284,592,593,598,600,602,604],{},[302,594,595],{},[220,596,597],{},"get_team_members",[302,599,387],{},[302,601,387],{},[302,603,387],{},[302,605,387],{},[284,607,608,613,615,617,619],{},[302,609,610],{},[220,611,612],{},"get_user_profile",[302,614,495],{},[302,616,406],{},[302,618,409],{},[302,620,409],{},[284,622,623,628,630,632,634],{},[302,624,625],{},[220,626,627],{},"get_departments",[302,629,387],{},[302,631,387],{},[302,633,387],{},[302,635,387],{},[284,637,638,643,645,647,649],{},[302,639,640],{},[220,641,642],{},"get_org_info",[302,644,387],{},[302,646,387],{},[302,648,387],{},[302,650,387],{},[284,652,653,658,660,662,664],{},[302,654,655],{},[220,656,657],{},"get_public_holidays",[302,659,387],{},[302,661,387],{},[302,663,387],{},[302,665,387],{},[284,667,668,673,675,677,679],{},[302,669,670],{},[220,671,672],{},"get_dashboard_stats",[302,674,403],{},[302,676,403],{},[302,678,403],{},[302,680,387],{},[284,682,683,688,690,692,694],{},[302,684,685],{},[220,686,687],{},"get_notifications",[302,689,387],{},[302,691,387],{},[302,693,387],{},[302,695,387],{},[284,697,698,703,706,708,710],{},[302,699,700],{},[220,701,702],{},"list_projects",[302,704,705],{},"Visible",[302,707,705],{},[302,709,409],{},[302,711,409],{},[284,713,714,719,721,723,725],{},[302,715,716],{},[220,717,718],{},"create_shift",[302,720,403],{},[302,722,387],{},[302,724,387],{},[302,726,387],{},[284,728,729,734,736,738,740],{},[302,730,731],{},[220,732,733],{},"publish_schedule",
[302,735,403],{},[302,737,403],{},[302,739,387],{},[302,741,387],{},[284,743,744,749,751,753,755],{},[302,745,746],{},[220,747,748],{},"generate_leave_report",[302,750,403],{},[302,752,403],{},[302,754,387],{},[302,756,387],{},[284,758,759,764,766,768,770],{},[302,760,761],{},[220,762,763],{},"generate_timesheet_report",[302,765,403],{},[302,767,403],{},[302,769,387],{},[302,771,387],{},[172,773,775],{"id":774},"best-practices","Best Practices",[186,777,779],{"id":778},"account-security","Account security",[239,781,782,789,796,803],{},[194,783,784,785,788],{},"Use a ",[181,786,787],{},"strong, unique password"," for your BookYourPTO account",[194,790,791,792,795],{},"Enable ",[181,793,794],{},"two-factor authentication (2FA)"," for an additional layer of security",[194,797,798,799,802],{},"Do ",[181,800,801],{},"not"," share your credentials with others — each user should log in with their own account",[194,804,805],{},"If you suspect your session is compromised, change your password in BookYourPTO immediately",[186,807,809],{"id":808},"network-security","Network security",[239,811,812,815,818,821],{},[194,813,814],{},"The hosted MCP server communicates with the BookYourPTO API over HTTPS",[194,816,817],{},"All traffic is encrypted in transit (TLS)",[194,819,820],{},"The MCP server runs in a private subnet on AWS — it is not directly accessible from the internet",[194,822,823],{},"External access is routed through an Application Load Balancer with an ACM certificate",[186,825,827],{"id":826},"data-handling","Data handling",[239,829,830,833,836,839],{},[194,831,832],{},"The MCP server does not persist any data — tokens and cache are held in memory only and destroyed when your session ends",[194,834,835],{},"Per-user sessions are isolated: your data is never visible to other connections",[194,837,838],{},"All data flows through the BookYourPTO API, which enforces access controls",[194,840,841],{},"AI clients may retain conversation history — refer to your AI 
provider's data policies",[186,843,845],{"id":844},"self-hosted-deployments","Self-hosted deployments",[239,847,848,851,862,865],{},[194,849,850],{},"Store the shared service account's credentials (if using the shared, pre-authenticated mode) in environment variables, not in code",[194,852,853,854,857,858,861],{},"Use Docker secrets or a ",[220,855,856],{},".env"," file with restricted permissions (",[220,859,860],{},"chmod 600",")",[194,863,864],{},"Run the MCP server on a private network if possible — in shared mode every connection acts as the service account, so limit who can reach it",[194,866,867],{},"Keep the MCP server image up to date for security patches",{"title":222,"searchDepth":869,"depth":870,"links":871},1,2,[872,878,882],{"id":174,"depth":870,"text":175,"children":873},[874,876,877],{"id":188,"depth":875,"text":189},3,{"id":236,"depth":875,"text":237},{"id":253,"depth":875,"text":254},{"id":268,"depth":870,"text":269,"children":879},[880,881],{"id":275,"depth":875,"text":276},{"id":354,"depth":875,"text":355},{"id":774,"depth":870,"text":775,"children":883},[884,885,886,887],{"id":778,"depth":875,"text":779},{"id":808,"depth":875,"text":809},{"id":826,"depth":875,"text":827},{"id":844,"depth":875,"text":845},"Authentication, role-based access control, and security best practices for BookYourPTO MCP.","md",null,{},{"icon":160},{"title":157,"description":888},"ZSnLCoC3XcH2QuMfdvE-3RxykCCQyRvyz9GBfJQlW-E",[896,898],{"title":152,"path":153,"stem":154,"description":897,"icon":155,"children":-1},"Complete reference for all BookYourPTO MCP tools — parameters, descriptions, required roles, and usage examples.",{"title":162,"path":163,"stem":164,"description":899,"icon":165,"children":-1},"Build a custom MCP client that connects to the BookYourPTO MCP server using the SSE transport.",1774284207142]