Workspace operations workflow
Use the control plane to prepare a workspace, then use REST and MCP against the app plane with scoped credentials.
Use case
An operator is setting up a workspace for a product/services company. They need modules, API keys, MCP clients, billing usage visibility, webhook subscriptions, auditability, and usage visibility before inviting an agent into the workflow.
Flow
- Create or select the tenant and workspace.
- Enable the modules needed for the workflow: CRM, Support, Tasks, CMS, Files and Media, Integrations, Analytics Governance, Data & Insights, and Activity Log.
- Create a workspace API key for server-side REST calls.
- Create a static MCP client token or use WorkOS/AuthKit OAuth based on the workspace MCP auth policy.
- Register webhook endpoints for business events the workspace wants to receive.
- Confirm included monthly usage, prepaid usage balance, monthly cap behavior, and any account override.
- Run a first REST or MCP write and inspect the request ID in audit and usage.
Credential setup
Create separate credentials for separate jobs. For example:
| Credential | Surface | Scope set |
|---|---|---|
server-webhook-sync | REST API key | integrations:read, integrations:write, activity:write |
founder-agent | MCP client | support:read, support:write, crm:read, crm:write, tasks:write, cms:write, assets:read, activity:write, bi:read |
analytics-bot | MCP client | analytics:read, analytics:write, bi:read, bi:write |
Credentials resolve to one workspace. A credential cannot access another workspace just because it belongs to the same Team or WorkOS organization.
Billing and webhooks
Billing usage balance, metered usage, and cap state are control-plane concerns. Billable REST, MCP, storage, webhook, workspace, and credential operations can pause when usage balance is exhausted or a monthly cap is reached. Dashboard visibility, billing recovery, credential revocation, audit review, and data reduction controls remain available.
Webhook configuration also lives in the control plane, while delivery events are app-plane integration records. Create endpoints with the Integrations module enabled, verify signed test delivery, then inspect delivery attempts and retries.
Verify
- Disabled module calls fail even when a credential has a matching scope.
- Missing scopes fail even when the module is enabled.
- REST and MCP calls emit request IDs, audit events, and usage events.
- Billing usage state is visible before and after workflow tests.
- Webhook delivery attempts show status, retry state, and signing metadata.