Coda MCP is now available in public beta!

Hey @Marcio_Assencio_Araujo,

Glad you like it! And you’ve diagnosed it correctly: this is a limitation of the ChatGPT platform rather than anything on our end. We are actively working toward getting the Coda MCP natively present in ChatGPT, which would remove the developer mode requirement entirely. No firm timeline to share yet, but it’s something we’re pursuing.

In the meantime, one thing that can make the experience noticeably smoother even within developer mode: in your ChatGPT settings under the Coda app, there’s a toggle to allow ChatGPT to reference your memories and chat history when sharing data with Coda. Enabling that (as shown in the screenshot below) helps the MCP give more contextually relevant responses without you having to re-explain things each session.

Not a perfect fix, but it should reduce some of the friction while we work toward a better native integration.

@Chris_DeAngelis Can you share any screenshots to help answer your question?

Hey @Nick_Short1 — sorry for the delay here.

Will try to answer as much as I can below.

1. Permission inheritance: Yes. MCP operates strictly within your existing Coda permissions. It uses your own account credentials, so it can only access and modify docs you already have access to.

2. View-only enforcement: Yes! There are two layers of protection here. Token scope (read vs. write) controls which MCP tools can run at all, so a read-only token won’t allow creating, deleting, or updating pages regardless of what doc-level permissions the user has. On top of that, Coda enforces the same access protections via MCP that it does in the regular client. So existing doc and page permissions are fully respected either way.

3. New capabilities: MCP doesn’t expand what you can access, but it does make your existing access more powerful. An AI agent can query or modify content across multiple docs in a single session. That’s worth keeping in mind, especially for users with broad access.

4. Admin controls:

   1. Orgs can fully disable personal API token access for MCP by contacting Coda Support.

   2. Audit trails for MCP-driven doc creation and deletion are available via the Admin API.

   3. Doc- or folder-level restrictions on MCP access aren’t available yet, but they’re on the roadmap.

   4. Programmatic vs. expanded access: Connecting MCP makes your existing access programmatic—it doesn’t open any new doors. A user who can only view a doc in the UI shouldn’t be able to modify it through MCP either.

Also, if you haven’t taken a deeper dive into the full security recommendations for the MCP, you can access them here.

merci @Ruggy-Joesten for this update. Proper and powerful permission management is crucial in a collaborative context. We need this for the MCP as much as we need this for our tables on workspace level as well in our docs. @Daniel_Stieber made it clear in his contribution that makers need to be able to manage on doc level what editors and viewers can see, can access, can edit. I hope to read more about how Coda handles permissions.

Agreed with all points brought up above. One thing that would make me much more comfortable is the ability to allow or disallow MCP access at the user level for our workspace. I.e. each user has a toggle in the admin panel of “No MCP Access” / “MCP Read-Only” / “MCP Read-Write”.

It makes me quite nervous knowing that anyone in our org can authorize the MCP, without necessarily understanding good practice and the risks around using agents. Sure, they would inherit permissions from the docs, but there is a lot that we want people to be able to edit as a human that they shouldn’t be letting an agent loose on (at least without training).

Hey Ruggy, Nick:

I’m not sure this helps, but if you’re into Claude with Coda MCP, here are some techniques I’ve had pretty good success with for creating added safety measures. My examples here are generic. Applying them in practice does require a little effort, but they each work pretty well. Based on my experimentation, we’ve been able to instrument hook strategies to provide additional safety and security.

The security issues raised by Nick center around the current “all-or-nothing” nature of the Coda MCP integration:

1. No explicit separation of Read/Write permissions (the connection defaults to full read+write).
2. No way to restrict MCP access to specific documents or folders.
3. Lack of an audit trail to monitor what the AI is doing via MCP.

While we wait for Coda to implement server-side granular Role-Based Access Control (RBAC), we can use Claude Code Hooks to build a Client-Side Security Gateway.

Hooks act as deterministic middleware that intercepts the agent’s operations before they execute. By using them, you completely shift the security perimeter to the client—ensuring the LLM is physically blocked from performing unauthorized actions, regardless of what the underlying Coda API token permits.

This is a 3-part blueprint leveraging PreToolUse and PostToolUse hooks in Claude settings (settings.json) to solve these exact gaps:

1. Forcing Read-Only Access via Pattern Matching

Since the Coda MCP exposes specific internal tool names for different actions (e.g., mcp_Coda_page_read vs. mcp_Coda_page_update), we can use a PreToolUse hook with a regex matcher to intercept and block any tool indicative of a “Write” operation.

{
  "hooks": [
    {
      "name": "Enforce Coda Read-Only",
      "event": "PreToolUse",
      "matcher": "^mcp_Coda_.*(create|update|delete|manage|add|modify|duplicate|upload)$",
      "action": {
        "type": "Command",
        "command": "echo 'SECURITY GUARDRAIL: Write operations to Coda are restricted. Read-only actions allowed.' >&2 && exit 1"
      }
    }
  ]
}

How it solves the issue: If Claude tries to update a table row or add a comment, the hook catches it via the matcher, runs the bash exit command (status 1), and halts the execution, effectively sandboxing the agent in a read-only state.

2. Document/Folder Level Restrictions (Allow-listing)

To solve the issue of restricting MCP access to specific documents, we can route all Coda MCP tools through a localized validation script. The payload of a PreToolUse hook contains the exact arguments the tool is about to use—which almost always includes a uri containing the Coda docId.

{
  "hooks": [
    {
      "name": "Coda Document Permission Check",
      "event": "PreToolUse",
      "matcher": "^mcp_Coda_.*",
      "action": {
        "type": "Command",
        // The script receives the JSON payload of arguments, including the target docId
        "command": "./scripts/validate-coda-access.sh \"$TOOL_ARGS\""
      }
    }
  ]
}

How it solves the issue: The bash (or Node/Python) script parses the requested uri (e.g., coda://docs/{docId}/...) and checks it against an approved vault of allowed docIds. If the agent tries to scrape a document not on the list, the script terminates the call before the MCP server even registers the request.

3. Auditing and Monitoring

Since workspace admins cannot currently see what MCP is doing on the Coda side, we can log the activity deterministically on the agent side using a PostToolUse hook.

{
  "hooks": [
    {
      "name": "Coda Audit Logger",
      "event": "PostToolUse",
      "matcher": "^mcp_Coda_.*",
      "action": {
        "type": "Command",
        "command": "echo \"$(date): Tool $TOOL_NAME executed with args: $TOOL_ARGS\" >> ~/.logs/coda_mcp_audit.log"
      }
    }
  ]
}

(Alternatively, you could use an HTTP hook action to fire a payload directly to a centralized logging server, or even isolated to a totally separate Coda doc used specifically for auditing! Use Code webhooks for this - it really works well.)

4. Locking Down Hooks

There are several methods of ensuring hooks are secure and tamper-resistant. Happy to share them if this is a useful pattern.

While Antigravity lacks built-in client-side Hooks to sandbox tool execution deterministically, the MCP protocol itself is client-agnostic . Building an MCP Proxy Wrapper is the ultimate way to enforce Coda security across both Claude Code and Antigravity simultaneously, ensuring that no AI agent can bypass the rules regardless of their local configuration.

Zero Trust

By relying on Hooks, you establish a Zero-Trust Executor. Hooks are deterministic and exist entirely outside the model’s “thinking” loop, meaning the model cannot decide to ignore or prompt-inject its way around them. Even if an overzealous user connects a Coda token holding full admin privileges, the Claude Hooks act as an impenetrable firewall, buffering the overly-permissive Coda MCP and enforcing the strict constraints you define natively within your CLI.

I’m seeing a skill that worked under the developer beta MCP not work under the Connector based MCP. Is the Connector-based Coda MCP weaker than the beta developer MCP in some way?

Claude said this: "Returns the same first 50 rows on every call and doesn’t support cursor-based pagination. The filterByFormula parameter appears to be ignored too, since both calls returned identical Section A rows. The Questions table has 148 rows and I need all of them for a complete import.

The developer MCP (which you used before) handled pagination correctly — that’s how the previous session fetched all 432 rows in 5 calls. The connector menu MCP doesn’t support it."

This was working great and then stopped and now I can’t get it to work. Did something change? What can I do to get this connected again. Also in ChatGPT, I need to go into developer mode to create the connection, but it seems I have to stay in developer mode to maintain the connection. This eliminates other capabilities like persistent memory between chats and the GPT Canvas. Is that correct or is there something that can fix this so the MCP connection behaves like any other app?

So, i may I have found a solution. I published the app to my organization, which took me out of development mode and made it an internal app. Now it seems to be working, and I seem to be out of development mode. I don’t know what changed necessarily, but so far this now seems to have reestablished the connection.