Permissions & Limits
This page covers how access control, rate limiting, and error handling work for the Zenovay MCP integration.
API Key Types
When creating an API key, you choose the access scope:
| Type | Description | list_websites returns |
|---|---|---|
| Full Access | Access all websites in your team | All team websites |
| Site Access | Access a single website only | Only the assigned website |
Site-scoped keys cannot query, modify, or even see other websites in the team. Every tool that takes a website_id parameter validates access before executing.
MCP Modes
Each API key can be configured with an MCP access mode:
| Mode | Description | Write Tools |
|---|---|---|
| Read Only (default) | Query analytics data, export, view insights | Blocked |
| Read & Write | Full access including creating goals and funnels | Allowed |
Write-Protected Tools
The following tools require Read & Write mode. They will return an error if the key is in Read Only mode:
- create_goal — Create a custom conversion goal
- update_goal — Update an existing goal
- delete_goal — Delete a goal
- toggle_goal — Enable or disable a goal
- manage_funnel — Create or update a conversion funnel
- delete_funnel — Delete a funnel
- update_website_settings — Modify website configuration
- toggle_public_dashboard — Enable or disable public dashboard sharing
- toggle_cookieless_tracking — Enable or disable cookieless tracking mode
- regenerate_tracking_code — Generate a new tracking code (invalidates the old one)
- delete_website — Permanently delete a website and all its data
- add_ip_exclusion — Add an IP address to the exclusion list
- remove_ip_exclusion — Remove an IP from the exclusion list
- add_path_exclusion — Add a URL path pattern to exclude from tracking
- remove_path_exclusion — Remove a path exclusion
- update_notification_settings — Modify notification preferences
- invite_team_member — Invite a new member to the team
- remove_team_member — Remove a member from the team
- create_api_key — Create a new API key
- revoke_api_key — Revoke an API key
- update_api_key_permissions — Update API key MCP permissions
- create_uptime_monitor — Create a new uptime monitor
- delete_uptime_monitor — Delete an uptime monitor
- update_website_name — Update website display name
- update_website_timezone — Update website timezone
- update_website_domain — Update website domain
- pause_tracking — Pause analytics tracking
- resume_tracking — Resume analytics tracking
- schedule_report — Schedule a recurring report
- cancel_report — Cancel a scheduled report
- set_revenue_currency — Set the revenue display currency
- add_allowed_domain — Add a domain to the CORS whitelist
- remove_allowed_domain — Remove a domain from the CORS whitelist
- request_data_deletion — Delete visitor data for GDPR compliance
All other tools work in both modes.
Feature Group Permissions
MCP tools are organized into 8 feature groups. Each group can be enabled or disabled independently per API key:
| Group | Tools | Description |
|---|---|---|
| analytics | query_analytics, get_visitors, get_top_pages, get_traffic_sources, get_geographic_data, get_technology_breakdown, get_realtime_visitors, compare_periods | Core analytics queries |
| advanced | get_funnel_analysis, get_goals, get_session_replays, get_heatmap_data, get_errors, get_b2b_companies, get_revenue, get_performance_metrics | Advanced feature data |
| ai_insights | get_insights, get_anomalies, get_weekly_digest, get_recommendations | AI-powered analysis |
| management | list_websites, create_website, delete_website, create_goal, update_goal, delete_goal, toggle_goal, manage_funnel, delete_funnel, list_funnels, list_goals, export_data, get_api_usage, get_website_settings, update_website_settings, toggle_public_dashboard, toggle_cookieless_tracking, get_tracking_code, regenerate_tracking_code, update_website_name, update_website_timezone, update_website_domain, pause_tracking, resume_tracking, schedule_report, get_report_schedule, cancel_report, get_export_history, get_data_retention | Website, conversion, & reporting management |
| api_keys | list_api_keys, create_api_key, revoke_api_key, get_api_key_details, update_api_key_permissions | API key management |
| uptime | list_uptime_monitors, get_uptime_status, create_uptime_monitor, delete_uptime_monitor, get_uptime_history | Uptime monitoring |
| settings | add_ip_exclusion, remove_ip_exclusion, add_path_exclusion, remove_path_exclusion, list_exclusions, get_notification_settings, update_notification_settings, set_revenue_currency, get_revenue_settings, add_allowed_domain, remove_allowed_domain, list_allowed_domains, request_data_deletion | Configuration, revenue settings, CORS, & GDPR |
| team | get_team_members, invite_team_member, remove_team_member | Team collaboration |
When a feature group is disabled, its tools will not appear in tools/list and calls to them will return an error.
Configure feature group permissions in Settings > API Keys > [Key] > MCP tab in your Zenovay Dashboard.
API Key Scope Requirements
Some tools have additional restrictions based on your API key type:
| Tool | Minimum Key Type | Notes |
|---|---|---|
| delete_website | Full Access | Site-scoped keys cannot delete their own website |
| invite_team_member | Full Access | Requires team-level access |
| remove_team_member | Full Access | Requires team-level access |
| get_team_members | Full Access | Requires team-level access |
| regenerate_tracking_code | Either | Site-scoped keys can only regenerate their own website's code |
| All other tools | Either | Site-scoped keys are limited to their assigned website |
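The key type, MCP mode and feature-group rules above combine into one least-privilege decision per key. The planner below is an added example, not Zenovay code: its tables are excerpts of the ones on this page (extend them with the remaining rows), and `plan_key` is a hypothetical helper name.

```python
# Added example: pick the narrowest key settings for a set of tools.
# GROUPS, WRITE_TOOLS and FULL_ACCESS_ONLY are excerpts of this page's tables.
GROUPS = {
    "analytics": {"query_analytics", "get_visitors", "get_top_pages",
                  "compare_periods"},
    "ai_insights": {"get_insights", "get_anomalies"},
    "management": {"list_websites", "create_goal", "list_goals", "export_data",
                   "delete_website", "regenerate_tracking_code"},
    "team": {"get_team_members", "invite_team_member", "remove_team_member"},
}
WRITE_TOOLS = {"create_goal", "delete_website", "regenerate_tracking_code",
               "invite_team_member", "remove_team_member"}
FULL_ACCESS_ONLY = {"delete_website", "invite_team_member",
                    "remove_team_member", "get_team_members"}


def plan_key(needed_tools):
    """Return key type, MCP mode, groups, and what else the key can still call."""
    needed = set(needed_tools)
    known = set().union(*GROUPS.values())
    if needed - known:
        raise ValueError(f"not in the excerpted tables: {sorted(needed - known)}")
    groups = sorted(g for g, tools in GROUPS.items() if tools & needed)
    needs_write = bool(needed & WRITE_TOOLS)
    needs_full = bool(needed & FULL_ACCESS_ONLY)
    # Groups are all-or-nothing, so enabling one exposes its other tools too.
    surplus = set().union(*(GROUPS[g] for g in groups)) - needed
    if not needs_write:
        surplus -= WRITE_TOOLS        # blocked by Read Only mode
    if not needs_full:
        surplus -= FULL_ACCESS_ONLY   # blocked for site-scoped keys
    return {
        "key_type": "Full Access" if needs_full else "Site Access",
        "mcp_mode": "Read & Write" if needs_write else "Read Only",
        "feature_groups": groups,
        "surplus_tools": sorted(surplus),
    }
```

`surplus_tools` is the residual exposure to review: a key that only needs `create_goal` must run in Read & Write mode with the management group enabled, which also leaves `regenerate_tracking_code` callable.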
Plan-Gated Features
Certain tools are tied to features that require specific subscription plans:
| Feature | Required Plan | Tools Affected |
|---|---|---|
| Cookieless tracking | Pro+ | toggle_cookieless_tracking |
| Public dashboards | All plans | toggle_public_dashboard |
| Team management | Pro+ | invite_team_member, remove_team_member, get_team_members |
| IP/path exclusions | All plans | add_ip_exclusion, remove_ip_exclusion, add_path_exclusion, remove_path_exclusion, list_exclusions |
| Notification settings | All plans | get_notification_settings, update_notification_settings |
| Revenue settings | All plans | set_revenue_currency, get_revenue_settings |
| Allowed domains | All plans | add_allowed_domain, remove_allowed_domain, list_allowed_domains |
| Data deletion (GDPR) | All plans | request_data_deletion |
| API key management | Pro+ | list_api_keys, create_api_key, revoke_api_key, get_api_key_details, update_api_key_permissions |
| Uptime monitoring | Pro+ | list_uptime_monitors, get_uptime_status, create_uptime_monitor, delete_uptime_monitor, get_uptime_history |
| Scheduled reports | Pro+ | schedule_report, get_report_schedule, cancel_report |
If you call a plan-gated tool on a plan that doesn't support it, you'll receive error code -32002 (Tier Required). Upgrade your plan at app.zenovay.com/settings.
Plan Enforcement
Zenovay MCP enforces plan limits at the server level. This section covers feature gating, data retention windows, and resource quotas.
Feature-Gated Tools
The following tools require a Pro or higher subscription plan. Free plan users calling these tools receive error code -32002 with the message: "This feature requires a paid plan."
| Tool | Required Plan | Feature Flag |
|---|---|---|
| get_session_replays | Pro+ | sessionReplay |
| get_heatmap_data | Pro+ | heatmaps |
| get_revenue | Pro+ | revenueAttribution |
| export_data | Scale+ | dataExport |
| get_retention_data | Pro+ | retentionAnalysis |
Feature flags are checked server-side and cannot be bypassed. Upgrade your plan at app.zenovay.com/settings to unlock gated tools.
Data Retention Limits
Analytics queries are automatically clamped to your plan's data retention window. If your query requests data older than your plan allows, the server adjusts the date range and includes a note in the response.
| Plan | Max History |
|---|---|
| Free | 30 days |
| Pro | 2 years (730 days) |
| Scale | 4 years (1,460 days) |
| Enterprise | Custom |
For example, a Free plan user can only query the last 30 days of data. Requesting a longer time_range is automatically clamped, and the response includes a retention_note field explaining the limitation.
Quota Limits
Resource creation is limited by plan. Attempting to exceed these limits returns error code -32002.
| Resource | Free | Pro | Scale | Enterprise |
|---|---|---|---|---|
| Websites | 1 | 5 | 10 | Unlimited |
| Team Members | 2 | 5 | 25 | Unlimited |
| API Keys | 3 | 10 | 50 | Unlimited |
| MCP Queries/Day | 25 | 100 | 500 | 10,000 |
Rate Limits
Daily Query Limit
Each team has a daily MCP query budget based on their subscription plan:
| Plan | Queries / Day | Cost per Query |
|---|---|---|
| Free | 25 | 1 (standard) |
| Pro | 100 | 1 (standard) |
| Scale | 500 | 1 (standard) |
| Enterprise | 10,000 | 1 (standard) |
Important: The daily limit is per team, not per API key. All API keys in the same team share the daily quota.
Usage resets at 00:00 UTC every day.
Query Cost
Most tools cost 1 query. The exception:
| Tool | Cost | Reason |
|---|---|---|
| query_analytics | 3 | Uses natural language processing |
| All other tools | 1 | Standard database queries |
Per-Minute Rate Limit
In addition to the daily limit, each API key is limited to 20 requests per minute to prevent abuse.
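Because the daily budget is shared by every key on the team, an automated client can guard it locally before sending anything. The class below is an added example, not part of Zenovay's tooling: `McpBudget` and `reserve` are hypothetical names, the 60-second sliding window is an assumption about how the per-minute limit is counted, and `now` must be a timezone-aware UTC datetime.

```python
from collections import deque
from datetime import datetime, timezone

PER_MINUTE = 20                    # requests per minute per API key (this page)
COST = {"query_analytics": 3}      # Query Cost table; every other tool costs 1


class McpBudget:
    """Client-side guard: refuse a call locally instead of burning shared quota."""

    def __init__(self, daily_limit, reserve=0):
        self.daily_limit = daily_limit   # team-wide limit, e.g. 100 on Pro
        self.reserve = reserve           # queries left for the team's other keys
        self.day = None
        self.spent = 0
        self.recent = deque()            # send times within the last 60 seconds

    def try_spend(self, tool, now):
        """Return (allowed, reason); the call is recorded only when allowed."""
        if now.date() != self.day:       # usage resets at 00:00 UTC
            self.day, self.spent = now.date(), 0
        while self.recent and (now - self.recent[0]).total_seconds() >= 60:
            self.recent.popleft()
        if len(self.recent) >= PER_MINUTE:
            return False, "per-minute limit"
        cost = COST.get(tool, 1)
        if self.spent + cost > self.daily_limit - self.reserve:
            return False, "daily budget"
        self.recent.append(now)
        self.spent += cost
        return True, "ok"


if __name__ == "__main__":
    budget = McpBudget(daily_limit=25, reserve=5)   # Free plan, constructed run
    print(budget.try_spend("query_analytics", datetime.now(timezone.utc)))
```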
Checking Your Usage
Use the get_api_usage tool to check remaining quota at any time:
```json
{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "tools/call",
  "params": {
    "name": "get_api_usage",
    "arguments": {}
  }
}
```

The response includes mcp.queries_today, mcp.queries_limit, and mcp.reset_at.
Error Codes
MCP uses standard JSON-RPC 2.0 error codes plus custom Zenovay error codes:
Standard JSON-RPC Errors
| Code | Name | Description |
|---|---|---|
| -32700 | Parse Error | Invalid JSON in request body |
| -32600 | Invalid Request | Missing jsonrpc or method field |
| -32601 | Method Not Found | Unknown method or tool name |
| -32602 | Invalid Params | Missing or invalid tool parameters |
| -32603 | Internal Error | Server-side error |
Zenovay MCP Errors
| Code | Name | Description |
|---|---|---|
| -32001 | Authentication Required | Missing or invalid API key |
| -32002 | Tier Required | MCP access requires a higher plan tier |
| -32003 | Rate Limit Exceeded | Daily query limit reached |
| -32004 | Permission Denied | API key lacks permission for this tool or feature group |
Error Response Format
```json
{
  "jsonrpc": "2.0",
  "id": 1,
  "error": {
    "code": -32003,
    "message": "Daily query limit exceeded. Upgrade at https://app.zenovay.com/settings"
  }
}
```

Common Error Scenarios
| Scenario | Error Code | Resolution |
|---|---|---|
| API key not found | -32001 | Check that the key starts with zv_ and is valid |
| MCP not enabled on key | -32001 | Enable MCP in API key settings |
| Feature group disabled | -32004 | Enable the feature group in MCP settings |
| Read-only key calling write tool | -32004 | Switch key to Read & Write mode |
| Daily limit reached | -32003 | Wait until 00:00 UTC or upgrade plan |
| Site-scoped key accessing wrong website | Tool error | Use the website ID assigned to this key |
| Invalid website UUID | Tool error | Use list_websites to find valid IDs |
Security Best Practices
- Use site-scoped keys when you only need to monitor a single website
- Keep keys in Read Only mode unless you need to create goals or funnels
- Disable unused feature groups to minimize the attack surface
- Rotate keys regularly — delete old keys and create new ones from the dashboard
- Never commit API keys to source control — use environment variables or secrets managers
- Monitor usage — check get_api_usage periodically for unexpected activity
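One way to act on the last point, as an added example that is not Zenovay code: reconcile the team-wide count reported by get_api_usage against the calls this client knows it made. The decoded result is assumed to be a dict with an `mcp` object holding the fields named on this page; `review_usage`, `tolerance` and the pace thresholds are hypothetical choices.

```python
from datetime import datetime, timezone

COST = {"query_analytics": 3}   # Query Cost table; every other tool costs 1


def review_usage(usage, local_calls, now, tolerance=5):
    """Compare server-reported team usage with this client's own call log.

    usage: decoded get_api_usage result, assumed shape {"mcp": {...}}.
    local_calls: names of the tools this client called since 00:00 UTC.
    now: timezone-aware UTC datetime.
    """
    mcp = usage["mcp"]
    used, limit = mcp["queries_today"], mcp["queries_limit"]
    mine = sum(COST.get(tool, 1) for tool in local_calls)
    # The quota is per team, so anything this client did not spend came
    # from another key: a colleague, another integration, or a leaked key.
    unexplained = used - mine
    findings = []
    if unexplained > tolerance:
        findings.append(f"{unexplained} queries not from this client")
    # Pace check: share of the budget used vs share of the UTC day elapsed.
    day_fraction = (now.hour * 3600 + now.minute * 60 + now.second) / 86400
    if limit and used / limit > max(2 * day_fraction, 0.5):
        findings.append(f"{used}/{limit} used at {day_fraction:.0%} of the day")
    return findings


if __name__ == "__main__":
    # Constructed sample response; the reset_at format is a placeholder.
    sample = {"mcp": {"queries_today": 40, "queries_limit": 100,
                      "reset_at": "<reset timestamp>"}}
    log = ["query_analytics"] * 3 + ["get_visitors"] * 4
    print(review_usage(sample, log, datetime.now(timezone.utc)))
```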