6 min read

Permissions & Limits

This page covers how access control, rate limiting, and error handling work for the Zenovay MCP integration.

OAuth Scopes

When you authorize an MCP client, you choose permission levels for each tool category. These are represented as OAuth scopes in the format {category}:{level}.

Permission Levels

Level	Description
None	No access — tools in this category are hidden and blocked
Read	Query data, view analytics, export reports
Write	Read access plus creating, updating, and deleting resources

Available Scopes

Scope	Description
`analytics:read`	Query visitors, pages, traffic, geo, tech, real-time data
`advanced:read`	Query funnels, sessions, heatmaps, errors, revenue, uptime
`advanced:write`	Create/delete uptime checks
`ai_insights:read`	Query AI insights, anomalies, digests, recommendations
`management:read`	List websites, goals, funnels, settings, reports
`management:write`	Create/update/delete goals, funnels, websites, API keys
`settings:read`	View exclusions, notifications, team members, domains
`settings:write`	Manage exclusions, notifications, team members, domains
`webhooks:read`	List webhooks, deliveries, automation rules
`webhooks:write`	Create/delete/test webhooks

Shorthand scopes:

read — All categories at read level
write — All categories at write level (includes read)

Analytics and AI Insights are read-only categories — they have no write tools. The Write button is disabled for these during authorization.

Write-Protected Tools

The following tools require Write permission for their category. If you authorized with Read-only access, these tools return error code -32007:

Management (Write)

create_goal, update_goal, delete_goal, toggle_goal, manage_funnel, delete_funnel, update_website_settings, toggle_public_dashboard, toggle_cookieless_tracking, regenerate_tracking_code, update_website_name, update_website_timezone, update_website_domain, pause_tracking, resume_tracking, schedule_report, cancel_report, create_api_key, delete_api_key, update_api_key_settings

Settings (Write)

add_ip_exclusion, remove_ip_exclusion, add_path_exclusion, remove_path_exclusion, update_notification_settings, invite_team_member, remove_team_member, set_revenue_currency, add_allowed_domain, remove_allowed_domain, request_data_deletion

Advanced (Write)

create_uptime_check, delete_uptime_check

Webhooks (Write)

create_webhook, delete_webhook, test_webhook

All other tools work with Read access.

Changing Permissions

To change the permissions granted to an MCP client:

Revoke the existing token — In Settings > Usage, find the connected application and revoke it
Re-authorize — Your MCP client will prompt for authorization again
Select new permissions — Choose different Read/Write levels on the consent page

You cannot modify permissions for an existing OAuth token. You must revoke and re-authorize.

Plan-Gated Features

Certain tools are tied to features that require specific subscription plans:

Tool	Required Plan	Feature
`get_session_replays`	Pro+	Session Replay
`get_heatmap_data`	Pro+	Heatmaps
`get_revenue`	Pro+	Revenue Attribution
`get_retention_data`	Pro+	Retention Analysis
`export_data`	Scale+	Data Export

Calling a plan-gated tool on an unsupported plan returns error code -32002.

Data Retention Limits

Analytics queries are automatically clamped to your plan's data retention window:

Plan	Max History
Free	1 year (365 days)
Pro	2 years (730 days)
Scale	4 years (1,460 days)
Enterprise	Custom

Rate Limits

Daily Query Limit

Each team has a daily MCP query budget. All connected applications share the same quota.

Plan	Queries / Day	Per-Minute Limit
Free	25	10 req/min
Pro	100	30 req/min
Scale	500	60 req/min
Enterprise	10,000	120 req/min

Usage resets at 00:00 UTC every day.

Query Cost

Tool	Cost	Reason
`query_analytics`	3	Natural language AI processing
`get_session_replays`	2	Heavy data retrieval
`get_heatmap_data`	2	Heavy data retrieval
All other tools	1	Standard queries

Checking Usage

Use the get_api_usage tool or check Settings > Usage in the dashboard:

Check remaining quotaJSON

{
"jsonrpc": "2.0",
"id": 1,
"method": "tools/call",
"params": {
  "name": "get_api_usage",
  "arguments": {}
}
}

Error Codes

Standard JSON-RPC Errors

Code	Name	Description
`-32700`	Parse Error	Invalid JSON in request body
`-32601`	Method Not Found	Unknown method or tool name
`-32602`	Invalid Params	Missing or invalid tool parameters
`-32603`	Internal Error	Server-side error

Zenovay MCP Errors

Code	Name	Description	Resolution
`-32001`	Auth Failed	Invalid or expired OAuth token	Re-authorize your MCP client
`-32002`	Tier Required	Feature requires a higher plan	Upgrade at app.zenovay.com/plans
`-32003`	Rate Limited	Daily query limit exceeded	Wait until 00:00 UTC or upgrade
`-32004`	Not Found	Resource not found	Check the ID parameter
`-32005`	Feature Unavailable	Feature not available on your plan	Upgrade your plan
`-32006`	MCP Not Enabled	Legacy error (API keys no longer accepted)	Use OAuth 2.1 to connect
`-32007`	Write Required	Tool requires write permission	Re-authorize with Write access
`-32008`	Category Disabled	Tool category not enabled	Re-authorize and enable the category

Error Response Format

Error responseJSON

{
"jsonrpc": "2.0",
"id": 1,
"error": {
  "code": -32007,
  "message": "Tool 'create_goal' requires write permission for the 'management' category. Re-authorize with management:write scope."
}
}

Security

OAuth 2.1 provides several security advantages over API keys:

No secrets to manage — Tokens are issued automatically, no key to copy/paste
Granular scopes — Grant only the permissions each client needs
Token expiration — Access tokens expire after 1 hour and refresh automatically
Instant revocation — Revoke a client's access immediately from the dashboard
PKCE protection — Authorization codes can't be intercepted
Audit trail — See which clients are connected and when they last made requests

API keys (zv_*) are no longer accepted for MCP connections. All MCP clients must use OAuth 2.1. API keys continue to work for the REST API.