Safety tiers

FunnelFizz MCP gates every write tool behind one of three tiers. The higher the tier, the more upfront confirmation is required. Reads (T0) have no gate — your agent can call funnel.get_metrics or team.list_members without ceremony.

T0 — Reads

Anything list_*, get_*, or stage.drilldown / funnel.drilldown is T0. They:

Require only that your API key has the matching scope (read for most reads, setup for setup-status checks).
Are filtered at tools/list time: if your key can't call a tool, the tool is hidden from your agent's tool catalog. No surprises.
Have no expiry, no confirmation step.

T1 — Mutations with target_token

Any tool that changes data outside a draft is T1. Examples: funnel.split.create, email.draft.send_now, automation.activate, tracking.site.delete, email.template.delete.

T1 has two flavors depending on what you're targeting:

Funnel-scoped (the common case)

Used for funnel structure changes, sends, automation activation — anything bound to a specific funnel.

1. Agent: funnel.resolve_by_name({ query: "onboarding" })
   → returns ranked matches with stage summaries and a `suggestion` field

2. Agent shows matches in chat. User picks. (Agents must NEVER auto-select,
   even on a single exact match.)

3. Agent: funnel.confirm_target({ funnelId: "...", action: "funnel.split.create" })
   → returns a 10-minute, single-use, action-bound target_token

4. Agent: funnel.split.create({ funnelId, ..., targetToken })
   → mutation runs; token is consumed

Entity-scoped (deletes and disconnects)

Used for high-impact non-funnel writes — deleting a tracking site, an email template, a sender, a domain, or disconnecting an integration.

1. Agent: tracking.site.list()
   → enumerate, show user, ask which to delete

2. Agent: confirm_target({
      targetType: "tracking_site",
      targetId: "site-id",
      action: "tracking.site.delete"
   })
   → returns a 10-minute target_token bound to (type, id, action)

3. Agent: tracking.site.delete({ id, targetToken })
   → site deleted; token consumed

Low-stakes workspace writes

For routine workspace config (brand color, profile name, email template create and update, sender config), no token is needed. The write scope is enough; the user has already confirmed in chat by asking the agent.

T2 — Admin code-paste

Workspace administration is the highest-trust tier. T2 actions:

Invite, remove, or change role of a team member
Cancel, resume, or change subscription plan
Create or revoke API keys
Transfer workspace ownership
Delete the workspace

These actions require an out-of-band confirmation code emailed to the API-key-holder's address. Browser-controlling agents (like Claude with computer use) can fetch the code automatically. Text-only agents ask the user to read the email and paste the code.

1. Agent: admin.request_action({
      action: "team.invite_member",
      subject: "[email protected]",
      summary: "Invite [email protected] as MANAGER"
   })
   → returns { requestId, expiresAt: "10min" }
   → server emails a 6-digit code to the API-key-holder

2. Agent tells user: "Check your email for a 6-digit code."
   User reads the email and pastes the code.

3. Agent: admin.confirm_action({ requestId, code: "482910" })
   → returns { adminToken, expiresAt: "10min" }

4. Agent: team.invite_member({
      email: "[email protected]",
      role: "MANAGER",
      adminToken
   })
   → invite sent; admin_token consumed

Why code-paste

Even if the agent is compromised by a prompt-injection attack, the attacker cannot perform a T2 action without access to the user's inbox. The two-channel handshake — agent in chat, code in email — is the only thing that resists agent compromise.

Failure modes

5 wrong code attempts → the request is consumed; agent must start a new one.
10 minutes elapse → code expires; restart.
Code matches but admin_token expires before use → re-request.

Failure visibility

Insufficient-scope and missing-token errors are returned as structured apiError objects with codes:

forbidden_scope — your key doesn't have the required scope (filtered out of tools/list if your role and plan allow none of the scopes for that tool)
missing_target_token / target_token_* — token issue (missing, expired, consumed, wrong action, wrong funnel, wrong target)
missing_admin_token / admin_token_* — code-paste handshake required

Your agent should surface these to the user with the specific reason so they understand whether to retry, upgrade their key, or restart the flow.

Browser handoffs — Stripe Checkout, portal, OAuth.
Admin actions — full code-paste walkthrough with screenshots.
Revert changes — undoing mistakes.

T0 — Reads​

T1 — Mutations with target_token​

Funnel-scoped (the common case)​

Entity-scoped (deletes and disconnects)​

Low-stakes workspace writes​

T2 — Admin code-paste​

Why code-paste​

Failure modes​

Failure visibility​

Related​