Coda MCP is now available in public beta!

Hey @Marcio_Assencio_Araujo,

Glad you like it! And you’ve diagnosed it correctly: this is a limitation of the ChatGPT platform rather than anything on our end. We are actively working toward getting the Coda MCP natively present in ChatGPT, which would remove the developer mode requirement entirely. No firm timeline to share yet, but it’s something we’re pursuing.

In the meantime, one thing that can make the experience noticeably smoother even within developer mode: in your ChatGPT settings under the Coda app, there’s a toggle to allow ChatGPT to reference your memories and chat history when sharing data with Coda. Enabling that (as shown in the screenshot below) helps the MCP give more contextually relevant responses without you having to re-explain things each session.

Not a perfect fix, but it should reduce some of the friction while we work toward a better native integration.

@Chris_DeAngelis Can you share any screenshots to help answer your question?

Hey @Nick_Short1 — sorry for the delay here.

Will try to answer as much as I can below.

1. Permission inheritance: Yes. MCP operates strictly within your existing Coda permissions. It uses your own account credentials, so it can only access and modify docs you already have access to.

2. View-only enforcement: Yes! There are two layers of protection here. Token scope (read vs. write) controls which MCP tools can run at all, so a read-only token won’t allow creating, deleting, or updating pages regardless of what doc-level permissions the user has. On top of that, Coda enforces the same access protections via MCP that it does in the regular client. So existing doc and page permissions are fully respected either way.

3. New capabilities: MCP doesn’t expand what you can access, but it does make your existing access more powerful. An AI agent can query or modify content across multiple docs in a single session. That’s worth keeping in mind, especially for users with broad access.

4. Admin controls:

   1. Orgs can fully disable personal API token access for MCP by contacting Coda Support.

   2. Audit trails for MCP-driven doc creation and deletion are available via the Admin API.

   3. Doc- or folder-level restrictions on MCP access aren’t available yet, but they’re on the roadmap.

   4. Programmatic vs. expanded access: Connecting MCP makes your existing access programmatic—it doesn’t open any new doors. A user who can only view a doc in the UI shouldn’t be able to modify it through MCP either.

Also, if you haven’t taken a deeper dive into the full security recommendations for the MCP, you can access them here.

merci @Ruggy-Joesten for this update. Proper and powerful permission management is crucial in a collaborative context. We need this for the MCP as much as we need this for our tables on workspace level as well in our docs. @Daniel_Stieber made it clear in his contribution that makers need to be able to manage on doc level what editors and viewers can see, can access, can edit. I hope to read more about how Coda handles permissions.

Agreed with all points brought up above. One thing that would make me much more comfortable is the ability to allow or disallow MCP access at the user level for our workspace. I.e. each user has a toggle in the admin panel of “No MCP Access” / “MCP Read-Only” / “MCP Read-Write”.

It makes me quite nervous knowing that anyone in our org can authorize the MCP, without necessarily understanding good practice and the risks around using agents. Sure, they would inherit permissions from the docs, but there is a lot that we want people to be able to edit as a human that they shouldn’t be letting an agent loose on (at least without training).

Hey Ruggy, Nick:

I’m not sure this helps, but if you’re into Claude with Coda MCP, here are some techniques I’ve had pretty good success with for creating added safety measures. My examples here are generic. Applying them in practice does require a little effort, but they each work pretty well. Based on my experimentation, we’ve been able to instrument hook strategies to provide additional safety and security.

The security issues raised by Nick center around the current “all-or-nothing” nature of the Coda MCP integration:

1. No explicit separation of Read/Write permissions (the connection defaults to full read+write).
2. No way to restrict MCP access to specific documents or folders.
3. Lack of an audit trail to monitor what the AI is doing via MCP.

While we wait for Coda to implement server-side granular Role-Based Access Control (RBAC), we can use Claude Code Hooks to build a Client-Side Security Gateway.

Hooks act as deterministic middleware that intercepts the agent’s operations before they execute. By using them, you completely shift the security perimeter to the client—ensuring the LLM is physically blocked from performing unauthorized actions, regardless of what the underlying Coda API token permits.

This is a 3-part blueprint leveraging PreToolUse and PostToolUse hooks in Claude settings (settings.json) to solve these exact gaps:

1. Forcing Read-Only Access via Pattern Matching

Since the Coda MCP exposes specific internal tool names for different actions (e.g., mcp_Coda_page_read vs. mcp_Coda_page_update), we can use a PreToolUse hook with a regex matcher to intercept and block any tool indicative of a “Write” operation.

{
  "hooks": [
    {
      "name": "Enforce Coda Read-Only",
      "event": "PreToolUse",
      "matcher": "^mcp_Coda_.*(create|update|delete|manage|add|modify|duplicate|upload)$",
      "action": {
        "type": "Command",
        "command": "echo 'SECURITY GUARDRAIL: Write operations to Coda are restricted. Read-only actions allowed.' >&2 && exit 1"
      }
    }
  ]
}

How it solves the issue: If Claude tries to update a table row or add a comment, the hook catches it via the matcher, runs the bash exit command (status 1), and halts the execution, effectively sandboxing the agent in a read-only state.

2. Document/Folder Level Restrictions (Allow-listing)

To solve the issue of restricting MCP access to specific documents, we can route all Coda MCP tools through a localized validation script. The payload of a PreToolUse hook contains the exact arguments the tool is about to use—which almost always includes a uri containing the Coda docId.

{
  "hooks": [
    {
      "name": "Coda Document Permission Check",
      "event": "PreToolUse",
      "matcher": "^mcp_Coda_.*",
      "action": {
        "type": "Command",
        // The script receives the JSON payload of arguments, including the target docId
        "command": "./scripts/validate-coda-access.sh \"$TOOL_ARGS\""
      }
    }
  ]
}

How it solves the issue: The bash (or Node/Python) script parses the requested uri (e.g., coda://docs/{docId}/...) and checks it against an approved vault of allowed docIds. If the agent tries to scrape a document not on the list, the script terminates the call before the MCP server even registers the request.

3. Auditing and Monitoring

Since workspace admins cannot currently see what MCP is doing on the Coda side, we can log the activity deterministically on the agent side using a PostToolUse hook.

{
  "hooks": [
    {
      "name": "Coda Audit Logger",
      "event": "PostToolUse",
      "matcher": "^mcp_Coda_.*",
      "action": {
        "type": "Command",
        "command": "echo \"$(date): Tool $TOOL_NAME executed with args: $TOOL_ARGS\" >> ~/.logs/coda_mcp_audit.log"
      }
    }
  ]
}

(Alternatively, you could use an HTTP hook action to fire a payload directly to a centralized logging server, or even isolated to a totally separate Coda doc used specifically for auditing! Use Code webhooks for this - it really works well.)

4. Locking Down Hooks

There are several methods of ensuring hooks are secure and tamper-resistant. Happy to share them if this is a useful pattern.

While Antigravity lacks built-in client-side Hooks to sandbox tool execution deterministically, the MCP protocol itself is client-agnostic . Building an MCP Proxy Wrapper is the ultimate way to enforce Coda security across both Claude Code and Antigravity simultaneously, ensuring that no AI agent can bypass the rules regardless of their local configuration.

Zero Trust

By relying on Hooks, you establish a Zero-Trust Executor. Hooks are deterministic and exist entirely outside the model’s “thinking” loop, meaning the model cannot decide to ignore or prompt-inject its way around them. Even if an overzealous user connects a Coda token holding full admin privileges, the Claude Hooks act as an impenetrable firewall, buffering the overly-permissive Coda MCP and enforcing the strict constraints you define natively within your CLI.

I’m seeing a skill that worked under the developer beta MCP not work under the Connector based MCP. Is the Connector-based Coda MCP weaker than the beta developer MCP in some way?

Claude said this: "Returns the same first 50 rows on every call and doesn’t support cursor-based pagination. The filterByFormula parameter appears to be ignored too, since both calls returned identical Section A rows. The Questions table has 148 rows and I need all of them for a complete import.

The developer MCP (which you used before) handled pagination correctly — that’s how the previous session fetched all 432 rows in 5 calls. The connector menu MCP doesn’t support it."

This was working great and then stopped and now I can’t get it to work. Did something change? What can I do to get this connected again. Also in ChatGPT, I need to go into developer mode to create the connection, but it seems I have to stay in developer mode to maintain the connection. This eliminates other capabilities like persistent memory between chats and the GPT Canvas. Is that correct or is there something that can fix this so the MCP connection behaves like any other app?

So, i may I have found a solution. I published the app to my organization, which took me out of development mode and made it an internal app. Now it seems to be working, and I seem to be out of development mode. I don’t know what changed necessarily, but so far this now seems to have reestablished the connection.

My 5 cents on the topic as a non-tech user. I might be too inexperienced with MCP, so apologies if not all make sense. But I am testing it as a general user and couldn’t achieve anything.

I’ve tried Coda MCP in the past days and here are few things that would love to be improved, considering there are no bugs on all that’s currently as features:

• Create automations through MCP - this is super powerful part of Coda and it’s a shame it not to have it as an option
• Trigger/push buttons - I suspect this is a tricky one but as a user who’ve built complex buttons it’s impossible to replicate the actions with MCP and honestly makes little sense to ask my colleague to use ChatGPT to interact with a document if they can’t push buttons (at least the MCP in Perplexity said that it can’t replicate about 30% of the buttons in my document)
• Understand languages - I find that it’s doing OK but far from great in understanding the fields in other languages
• I got a message in perplextiy that “Coda MCP can’t filter by multiple columns”. Does this mean that filtering doesn’t work? I tried a prompt like “Which items are place in [city] and are in this [place] and have more than 10 stock available” when I got this message

(Apologies if these were already mentioned)

I’m trying to connect via MCP to my Coda Docs with Copilot Studio, but I can’t seem to make it work (using API tokens). Anyone who tried and succeeded?

Hey @Stefan_Stoyanov!

Thanks for the detailed feedback, and please don’t apologize. Non-technical perspectives are some of the most valuable ones we can get at this stage.

A few quick reactions. Automations and button triggering aren’t supported yet, and you’re right that button logic gets complex fast given how much you can build with it. No timeline to share, but the feedback is noted.

On multi-column filtering, what you got from Perplexity was accurate. It’s a known limitation we’re working through.

The language understanding note is taken. Early days, but “doing OK but far from great” is a fair bar, and one we want to clear.

The fact that you’re stress-testing this as a general user and getting this specific about what’s missing is exactly what makes a beta useful. Keep it coming.

Hey @Pierre_Lison

Can you send a screenshot? Will try and dig in on this!

I noticed one more limitation which probably is well know, but worth mentioning - since Coda hides all rows after 500 whatever it finds is up to this row.

Tested to create good instructions in the Space on how to approach the search of data. Maybe at later stages when you, Codans, have best practices doc it would serve as a good reference for the AI to help write good instrutions to themselves That would help users get started quickly, too.

@Ruggy-Joesten - I’d love to understand the reasoning behind the access level mapping for the MCP.

I just noticed that “Editors” only have access to read-type tools and actions. It makes sense that they cannot create tables or perform other Doc Maker actions, that’s consistent with how Coda has always worked.

But restricting Editors from adding or modifying rows is a significant constraint. We’re moving toward a way of working where users don’t need to navigate the front-end directly to interact with a tool, and requiring Editor-level users to be upgraded to Doc Makers just to write data through the MCP creates a real blocker for adopting Coda in this context.

The most intuitive setup, in my view, would be for MCP permissions to mirror front-end permissions. Whatever a user can do in the Coda UI, they should be able to do through the MCP as well. Right now that is not the case.

I don’t want my Editors to become Doc Makers. They genuinely shouldn’t have the ability to accidentally create tables, modify locking, or make structural changes. But they absolutely need to be able to edit rows through the MCP.

Here are three real workflows that are blocked right now:

• My colleague in marketing (Editor) uses the Coda MCP to read our planned social media posts, runs them through a tone of voice prompt in Claude to generate drafts, and then needs to send those drafts back to Coda for review and scheduling.
• My colleague in finance (Editor) connects Claude to Shopify, our inventory tool, and our budget sheet to compile the weekly financial report, and then needs to write that report back to our Economy Doc in Coda.
• My colleague in production (Editor) reads our Products table to see what’s ready for production, pulls the relevant details, uses the Canva MCP to create manufacturer visuals, and then needs to write the Canva link back to Coda and update the product status.

All three of these are clean, logical workflows that should just work. With the current setup, we’re forced into awkward workarounds to get data back into Coda after reading from the MCP, or to fall back on the API entirely

Is this something being actively considered or on the roadmap?

What is an Editor, exactly? Is their job just to fill in blanks set by a Maker, or can they create new rows and add context themselves?

The old approach—limiting users to pre-defined boxes—is prehistoric. To keep data ‘alive’ in a modern workflow, Editors must be able to do more than just change values.

This is where the line between making and editing blurs. If an Editor pushes a button to add a row, they are still editing; they are just doing it with more impact. I call this Active Editing.

In an AI-driven world, this shift is essential.

I hope and expect that the MCP will be updated accordingly.

I totally agree - the lines are blurring.

But as a basic bare minimum (and expectation I would say) an Editor is of course able to edit an existing row.

I really hope this is a change coming ASAP. It’s getting harder and harder to defend picking Coda in this new AI era.

I agree. Editing rows is the ‘Minimum Minimorum’—meaning the editable fields, not the column configuration. I’d also argue that adding a row is just as fundamental. It’s hard to defend any position that excludes those two basics.

@Ruggy-Joesten , can you make sure this lands in the MCP team and we receive an up to date response here.

merci, christiaan

I concur.

Adding and deleting rows are basic DATA operations.
Adding tables and columns goes beyond that.

I expect EDITOR roles to be able to use the data model ( CRUD ) but not change the data model.

This is essential and need to be honored by the MCP permissioning model.

respect
Max

I expect to have feedback before Thusday on the issue as mentioned by @Maja_Overgard
meanwhile the team behind the MCP may consider to come with an update on what the MCP supports and does not support. Last week I noticed by accident a welcome update. I believe it more helpful for all of us when the team behind the MCP releases a brief status update when they have done some good work. @Ruggy-Joesten , can you follow up on this?
merci, Christiaan