Runbook — Client Onboarding (stub)
This is a stub. The full runbook is promoted to docs/operations/client-onboarding.md in Phase 4.
What this runbook covers
End-to-end procedure for taking a new client from “approved by the owner” to “actively using the MCP server”, and the inverse for offboarding.
Outline
Pre-flight
- Confirm written approval from the owner (file the approval ticket / email).
- Decide the client’s slug (kebab-case, e.g.
acme-corp) and which phone numbers they’ll be granted on.
Onboard
admin clients create --name <slug> --display-name "<Display Name>".- For each phone number the client may use:
admin grants add --client <client-id> --phone <phone-id> --tools "send_message,get_messages,..." [--daily-cap N]. admin keys mint --client <client-id> --label "<context>" --scopes "tools:<...>,numbers:<...>" [--expires 90d] [--rpm 60] [--daily 250].- Capture the full
wamcp_live_...token (printed to stderr, one time only). - Hand the token to the client via a secure channel (1Password share, age-encrypted file, in-person). Never email / chat the raw token.
- Send the client: the MCP server URL (
https://wa.<yourdomain>/mcp), the granted phone numbers, the allowed tools, and a copy of docs/api/mcp-tools.md.
Verify
- Confirm the client can
tools/listand callping. - Confirm a
send_messageto a granted number succeeds. - Confirm an out-of-scope call (e.g. ungranted tool) returns the expected error.
Rotate
- Quarterly or on suspicion:
admin keys rotate <key-id> [--grace 7d]. Hand the new token over via the secure channel.
Offboard
admin clients disable <client-id>— instantly blocks all auth attempts.admin keys revoke <key-id>for each of the client’s keys.admin grants revoke --client <client-id> --phone <phone-id>for each grant.- Notify the client.
- Optional: schedule retention bump on
messages/audit_logfor compliance.
Open items
The full runbook will include screenshots of the admin CLI output, a one-page Markdown handout for new clients, and the exact wording of the secure-handover template.