Picmim works with external AI agents such as Claude Desktop, Cursor, and ChatGPT through the Model Context Protocol (MCP). Once connected, an agent can read your accounts, posts, calendar, media library, and analytics, and, if you allow it, create and schedule content on your behalf.
What you can do
A connected AI agent acts like a teammate with limited access. It can look up your connected accounts, find and draft posts, spot gaps in your calendar, pull media from your library, generate images, and answer questions about your analytics. You stay in control because every action the agent can take is one you granted through its access token.
- Read what is in your workspace, including accounts, posts, calendar, and analytics.
- Draft and schedule posts when the token has write access.
- Suggest posting times based on your calendar gaps.
- Summarize analytics and explain performance in plain language.
Before you start
MCP access is turned on per workspace. If you do not see the MCP Access section in Settings, your workspace or plan may not have it enabled yet.
- Sign in to your Picmim workspace.
- Open Settings and look for MCP Access.
- Make sure your social accounts are already connected. Accounts are connected inside Picmim, not through the AI agent.
Nasvet: Agents can list and use accounts that already exist in Picmim. Adding a new social account still happens in the app because it requires a browser sign-in.
Create an access token
An access token is the password your AI agent uses to reach your workspace. Each token belongs to one workspace and one member.
- Go to Settings, then MCP Access.
- Click Generate token.
- Give it a name that matches the agent, such as Claude Desktop.
- Choose a scope: read or write.
- Pick an expiry, then generate the token.
- Copy the token immediately. You will not be able to see it again.
Opozorilo: Treat the token like a password. Anyone who has it can access your workspace with the scope you chose. You can revoke it at any time.
Read vs write access
Each token has a scope that decides what the agent can do.
- Read lets the agent view accounts, posts, calendar, media, and analytics, but it cannot change anything.
- Write also lets the agent create and edit posts, import media, and generate images.
- Choose read unless you specifically want the agent to create or change content.
Connect an agent
Picmim exposes a single MCP endpoint and a ready-to-copy configuration block on the MCP Access settings page. Use that block so the endpoint and token are always correct.
- Open Settings, then MCP Access.
- Click Copy config to copy the client configuration block.
- Open your agent's MCP server settings, for example the Claude Desktop config file or the Cursor MCP panel.
- Paste the configuration and save it.
- Restart the agent if it does not reload automatically.
{
"mcpServers": {
"picmim": {
"type": "http",
"url": "<endpoint from your MCP Access settings page>",
"headers": {
"Authorization": "Bearer <your-token>"
}
}
}
}
Nasvet: Prefer the Copy config button on the settings page over writing the block by hand. It includes the correct endpoint and formatting for each supported client.
Security and control
Tokens are designed to be safe to create, share within your team, and revoke.
- Only a hashed version of the token is stored, so it cannot be read back.
- Every request re-checks that the token owner is still a member of the workspace.
- Revoke a token from MCP Access to instantly cut off the agent.
- Set an expiry so long-lived tokens expire on their own.
- Check Last used to spot whether a token is still actively in use.
Opozorilo: If a token may have leaked, revoke it immediately from Settings, then MCP Access, and generate a new one.
If it is not working
Most connection problems come from a small number of causes.
- Missing Bearer prefix: the Authorization header must start with the word Bearer, followed by a space and your token.
- Expired or revoked token: generate a new one from MCP Access.
- Wrong scope: creating or editing content needs a write token.
- Local HTTPS certificate: when testing against a local Picmim, your agent may need to trust the local certificate or skip certificate verification.
Nasvet: If the agent connects but cannot do something, check the token scope first. Read tokens intentionally hide write actions.