ThornGuard’s team management feature allows enterprise accounts to create multiple team tokens with role-based access control (RBAC), so team members can use ThornGuard without sharing the primary license key.
Team management is an Enterprise-only feature. Enterprise plans are detected automatically when your Polar.sh license has limitActivations >= 30. If you need shared access but have not subscribed yet, see Pricing.

Roles

Team tokens are assigned one of two roles:
| Role | Proxy Access | View Logs | View Settings | Modify Settings | Manage Tokens |
|---|---|---|---|---|---|
| Admin | Yes | Yes | Yes | Yes | Yes |
| Viewer | Yes | Yes | Yes | No | No |
  • Admin tokens have full access — they can modify settings (blocklists, IP whitelist, retention) and manage other team tokens.
  • Viewer tokens can proxy MCP requests and view the dashboard, but cannot change any configuration.

Token Lifecycle

Creating a Token

  1. Navigate to the Team page in the ThornGuard dashboard.
  2. Enter a label for the token (e.g., “CI Pipeline” or “Alice’s Workstation”).
  3. Select the role — Admin or Viewer.
  4. Click Create Token.
  5. Copy the token immediately — it is shown only once.
Team tokens are displayed only at creation time. If you lose a token, you must revoke it and create a new one.

Using a Token

Team tokens are used exactly like a primary license key. Pass the token in the x-thornguard-license header:
{
  "mcpServers": {
    "Protected Server": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "https://thorns.qwady.app/mcp",
        "--header",
        "x-thornguard-license: Bearer THORN-TEAM_TOKEN_HERE",
        "--header",
        "x-mcp-target-url: https://your-mcp-server.com/mcp"
      ]
    }
  }
}

Revoking a Token

  1. Navigate to the Team page.
  2. Find the token in the list.
  3. Click Revoke.
Revoked tokens are immediately invalidated — any requests using the token will receive a BLOCKED_AUTH response.

Expiry and Usage Tracking

The current backend stores lifecycle metadata for enterprise team tokens:
  • optional expiry timestamps
  • last-used timestamps
  • revocation timestamps
  • revocation actor metadata
The live dashboard UI currently focuses on create and revoke flows. More advanced token lifecycle editing is available through the backend management API as those UI surfaces roll out.

Storage

Team tokens are stored in the team_tokens D1 table:
| Column | Type | Description |
|---|---|---|
| id | INTEGER | Primary key (auto-incrementing). |
| parent_license_hash | TEXT | SHA-256 hash of the parent enterprise license. |
| token_hash | TEXT | SHA-256 hash of the team token (the raw token is never stored). |
| label | TEXT | Human-readable label for the token. |
| role | TEXT | admin or viewer. |
| created_at | DATETIME | UTC timestamp of token creation. |
| updated_at | DATETIME | Timestamp of the most recent token metadata update. |
| expires_at | DATETIME | Optional expiry timestamp. |
| last_used_at | DATETIME | Last successful use time for the token. |
| revoked_at | DATETIME | When the token was revoked, if applicable. |
| revoked_by | TEXT | Actor or credential that revoked the token. |
All audit logs generated by team tokens are associated with the parent license’s license_hash, ensuring centralized visibility across the entire team.
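
The following is an added example, not ThornGuard's own code: it shows how a presented team token can be checked against the team_tokens columns and the role matrix above using only the stored SHA-256 hash. It assumes an in-memory SQLite database standing in for D1, a constructed token format, hypothetical action names, and a hypothetical ROLE_DENIED code; the page documents BLOCKED_AUTH only for revoked tokens, so its use for unknown and expired tokens is also an assumption.

```python
import hashlib
import secrets
import sqlite3
from datetime import datetime, timezone

# Role matrix from the Roles table; the action names are hypothetical labels.
PERMISSIONS = {
    "admin": {"proxy", "view_logs", "view_settings", "modify_settings", "manage_tokens"},
    "viewer": {"proxy", "view_logs", "view_settings"},
}

def sha256_hex(value):
    return hashlib.sha256(value.encode()).hexdigest()

def make_db():
    db = sqlite3.connect(":memory:")  # in-memory SQLite standing in for D1
    db.execute("""CREATE TABLE team_tokens (id INTEGER PRIMARY KEY AUTOINCREMENT,
        parent_license_hash TEXT, token_hash TEXT UNIQUE, label TEXT, role TEXT,
        created_at DATETIME, updated_at DATETIME, expires_at DATETIME,
        last_used_at DATETIME, revoked_at DATETIME, revoked_by TEXT)""")
    return db

def issue(db, parent_license, label, role, expires_at=None):
    raw = "THORN-" + secrets.token_urlsafe(32)  # constructed format; returned once
    now = datetime.now(timezone.utc).isoformat()
    db.execute("INSERT INTO team_tokens (parent_license_hash, token_hash, label, role,"
               " created_at, updated_at, expires_at) VALUES (?,?,?,?,?,?,?)",
               (sha256_hex(parent_license), sha256_hex(raw), label, role, now, now,
                expires_at.isoformat() if expires_at else None))
    return raw

def revoke(db, raw, actor):
    now = datetime.now(timezone.utc).isoformat()
    db.execute("UPDATE team_tokens SET revoked_at=?, revoked_by=?, updated_at=?"
               " WHERE token_hash=?", (now, actor, now, sha256_hex(raw)))

def authorize(db, raw, action, now=None):
    """Return (decision, parent_license_hash) for a presented token and action."""
    now = now or datetime.now(timezone.utc)
    row = db.execute("SELECT id, parent_license_hash, role, expires_at, revoked_at"
                     " FROM team_tokens WHERE token_hash=?", (sha256_hex(raw),)).fetchone()
    if row is None:
        return "BLOCKED_AUTH", None      # unknown token (assumed same code as revoked)
    token_id, parent, role, expires_at, revoked_at = row
    if revoked_at or (expires_at and datetime.fromisoformat(expires_at) <= now):
        return "BLOCKED_AUTH", parent    # revoked (per the page) or expired (assumption)
    if action not in PERMISSIONS.get(role, set()):
        return "ROLE_DENIED", parent     # hypothetical code for a role failure
    db.execute("UPDATE team_tokens SET last_used_at=? WHERE id=?", (now.isoformat(), token_id))
    return "ALLOW", parent
```

Every decision carries the parent license hash, which is the key an audit log entry would be filed under regardless of which team token made the request.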