MCP

The SaaS Manager APIs are available via an MCP server. 

To use this, first log in to SaaS Manager as an administrator and create an API client chosing Client-credentials.

You have two ways to use MCP – either Remote or Local. 

If you're running the AI tool locally on your laptop we strongly recommend using Local MCP. Although this involves running a small executable, it makes token management and configuration with various desktop and command-line clients much easier.

Remote MCP

The Remote server only allows read-only actions.

The underlying MCP specification supports either Bearer token authentication or OAuth DCR (Dynamic Client Registration). Currently SaaS Manager does not support DCR, so the only option to authenticate is Bearer token.

For security reasons, SaaS Manager does not directly issue a Bearer token. Instead it supports OAuth Client-credentials authentication which is a two-step process to authenticate. First the long-lived credentials are presented, and then a short-lived Bearer token is returned. This Bearer token is valid for approximately 1 hour, and must be manually generated, e.g. using curl:

curl -s -u "<CLIENT_ID>:<CLIENT_SECRET>" -d grant_type=client_credentials \
    https://trelica.app/connect/token | jq -r .access_token

or if your credentials are in 1Password:

curl -s -u "<CLIENT_ID>:$(op read --account MyCompanyAccount
    'op://employee/SM MCP Creds/password')" \
    -d grant_type=client_credentials \
    https://trelica.app/connect/token | jq -r .access_token

Substitute trelica.app for trelica.eu if your tenant is running in our European hosting environment.

This token can then be used with your the AI tool. Some installed clients, like Claude Desktop require a bridge such as the mcp-remote tool to work with remote server.

Configure your tool to connect to either

• https://mcp.1password.com/trelica/mcp
• https://mcp.1password.eu/trelica/mcp

The disadvantage of this approach is that the token will need re-generating every hour, and the AI tool reconfiguring.

A more practical alternative is to use a local MCP server.

Local MCP

You need to install a small MCP server locally.

For Windows this downloads an executable. On macOS there's a small installer which will install the sm-mcp tool to /usr/local/bin/sm-mcp. 

Open Terminal (macOS) or the command line (Windows) and run the steps below.

1. Authenticate

   sm-mcp login --host trelica.app --client-id <CLIENT_ID>

   You will be prompted to enter the Client secret.

   Alternatively you can use --client-secret-stdin to securely pass credentials via the command line:

   echo '<secret>' | sm-mcp login --host trelica.app \
       --client-id <client_id> --client-secret-stdin

   This is a one-off step. The credentials will be securely stored in your macOS Keychain or in Windows Credential Manager.

   If you have your API credentials already in 1Password you can combine this with the op tool as follows:

   OP_ACCOUNT=MyCompanyAccount sm-mcp login --host trelica.app \
       --client-id <client_id> \
       --client-secret-op "op://employee/SM MCP Creds/password"

   Notice how we're using the OP_ACCOUNT environment variable to specify the account if you've got several 1Password accounts (e.g. Work / Family).

2. Connect the MCP to your AI client using the sm-mcp install <ai-client>

   Currently supported clients:

   • claude (desktop)
   • claude-code
   • cursor
   • vscode
   • codex
   • copilot
   • factory-droid
   • opencode

   e.g. for Claude Desktop use:

   sm-mcp install claude

   Then fully restart the AI client.

   If your client is not in the list then you'll need to check the documentation for how to configure local stdio MCP servers.

Under the hood this will configure the AI client to call sm-mcp serve --enable-writes.