CI/CD
Machine credentials let your CI/CD pipelines and cloud agents call the Dam Secure MCP without an interactive login.
A machine credential is a client ID and secret. You do not send them to the MCP directly. You exchange them for a short-lived access token, then send that token to the MCP as a bearer token. This is different from connecting an editor, which signs you in as a user through your browser and does not use these credentials.
Only org admins can generate or revoke machine credentials.
Step 1: Generate credentials
- Open the Dam Secure app and go to Settings.
- Open the MCP Machine Credentials section.
- Click Generate.
- Copy the Client ID and Client Secret.
Copy the secret before you close the dialog. If you lose it, generate a new one.
Step 2: Store the credentials in your pipeline
Add the values as secrets in your CI/CD provider (Buildkite, GitHub Actions, or similar):
DAMSECURE_MCP_CLIENT_ID=<your-client-id>
DAMSECURE_MCP_CLIENT_SECRET=<your-client-secret>
Never commit these values to your repository.
Step 3: Exchange the credentials for an access token
The client ID and secret are not accepted by the MCP directly. First exchange them for an access token:
curl -X POST https://damsecure.kinde.com/oauth2/token \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d grant_type=client_credentials \
-d client_id="$DAMSECURE_MCP_CLIENT_ID" \
-d client_secret="$DAMSECURE_MCP_CLIENT_SECRET" \
-d audience=https://api.damsecure.ai/mcp
The response contains an access_token. Tokens are short-lived and expire after about a day, so request a fresh one in each pipeline run rather than storing it.
Step 4: Call the MCP with the token
Send the access token to the MCP as a bearer token:
- Server URL:
https://api.damsecure.ai/mcp - Header:
Authorization: Bearer <access_token>
Any MCP client or agent that lets you set a request header can connect this way. Point it at the server URL and pass the token in the Authorization header.
Permissions
Machine credentials are read-only by default. They can review plans and browse issues, rules, and repositories.
Actions that change state (confirming or dismissing findings, updating issues, creating or editing rules, and enabling or disabling rules per project) require the mcp:write scope. Contact Dam Secure to enable write access for a credential.
Revoke a credential
To stop a credential from working, open the MCP Machine Credentials section in Settings and click Revoke. Access is cut off immediately. Generate a new credential when you need to restore access, and update the secret in your pipeline.