Skip to main content
Horizon provides a shared access layer for the servers your organization deploys and the platform resources your team manages. After authentication identifies a caller, Horizon uses the same organization membership, server roles, custom roles, and capability policies to decide what that caller can see, manage, or invoke. This moves access policy out of individual server implementations and into the platform path. Security and platform teams can make servers broadly discoverable, restrict sensitive deployments to explicit users or service accounts, and expose only the MCP capabilities each role should use. Authorization in Horizon has two related paths:
PathActorTargetMain question
Using MCP serversAn MCP client, agent, or automation calling a server endpointA hosted, remix, or external MCP server served through HorizonCan this actor use this server and requested MCP capability?
Managing HorizonA user, script, CI job, service account, or Terraform runThe Horizon dashboard or REST APICan this actor view or change this organization, server, member, key, or setting?
The same Horizon identity can appear in both paths, but the requested action is different. Calling a Horizon-served MCP endpoint lets a client use tools, resources, and prompts exposed by that server. Managing Horizon lets a user or service account change servers, members, API keys, builds, access settings, and organization settings. Authentication is separate. Authentication answers “who is calling?” Authorization answers “what is this caller allowed to do?” For the identity and credential path, see Authentication. Horizon evaluates authorization at three levels:

Organization

Determines whether the actor belongs to the organization and whether they can manage organization-wide settings such as members, billing, SSO, service accounts, and server roles.

Server

Determines whether the actor can discover, call, view, edit, deploy, or administer a specific server.

Capabilities

Determines which MCP tools, resources, and prompts are available to the actor’s server role.
Custom server roles are available on . Tool-level access is available on .

Request decision flow

When a protected MCP request reaches Horizon, the gateway checks access before the request reaches server code.
1

Identify the actor

Horizon authenticates the bearer credential and resolves it to a user or service account. Invalid, expired, revoked, or missing credentials fail before authorization.
2

Check organization membership

The actor must belong to the organization that owns the server. An actor in another organization cannot use that organization’s servers.
3

Resolve server access

Horizon resolves the actor’s effective server role from organization privileges, explicit server grants, and the server’s default role.
4

Apply capability access

If the server has tool-level access configured, Horizon filters tools, resources, and prompts by the actor’s effective server role.
5

Forward or reject

Allowed requests continue to the server. Denied requests stop at the gateway.
Disabling Horizon authentication removes Horizon gateway authentication and server access checks for that hosted server endpoint. Do so only when the endpoint is intentionally public or the server implements its own authentication and authorization. This is available only for hosted servers; remix servers and external servers always keep Horizon authentication enabled.

Actors

An actor is an identity that can authenticate, hold access, and own API keys. Horizon supports two actor types:
Actor typeUsed forHow access is evaluated
UserPeople using the dashboard, REST API, playground, or MCP clientsOrganization role, explicit server grants, server default role, and capability access
Service accountAutomation, CI/CD, Terraform, and non-human clientsThe same organization and server access model as users
API keys inherit access from the actor that owns them. If a user or service account loses organization membership, server access, or a role permission, requests made with that actor’s API keys lose the same access. Revoking an API key only disables that key; it does not change the owner’s role.

Organization roles

Organization roles control organization-wide management permissions.
RoleContract
AdminCan manage organization settings and has full access to every server in the organization. Horizon evaluates organization admins as the admin server role for server and capability access.
MemberCan read basic organization information and can access servers according to explicit server grants or server default roles.
An organization admin cannot be hidden from a server in that organization. Use the admin role only for people and service accounts that should have broad administrative access.

Server roles

Server roles control what an actor can do with an individual server after they have access to it.
RoleSlugServer managementMCP endpoint access
AdminadminFull server access, including access management, configuration, builds, permissions policies, and deletion.Can call the server and all capabilities. The admin role stays allowed in capability policies so administrators can recover access.
EditoreditorCan view and update server configuration, create builds, and edit permissions policies. Editors cannot grant or revoke server access and cannot delete the server.Can call the server. Capability policies can allow or deny specific tools, resources, and prompts for this role.
ViewerviewerCan view the server, its access list, and its permissions policy. Viewers cannot modify the server.Can call the server. Capability policies can allow or deny specific tools, resources, and prompts for this role.
Built-in server roles are available in every organization and cannot be edited. Custom server roles let you define additional server roles with specific server permissions for your organization. Use the role slug in policies and API payloads. No Access is a server default setting, not a role slug.
Server roles are not hierarchical in capability policies. If both viewer and editor should access a capability, both roles must be allowed. Use * only when every server role should have access.

Server access resolution

For a member who is not an organization admin, Horizon resolves server access in this order:
StepResult
Explicit server grantIf the actor has an explicit grant on the server, Horizon uses the role on that grant.
Default server roleIf there is no explicit grant and the server has a default role, Horizon gives that role to the rest of the organization.
No accessIf there is no explicit grant and no default role, the actor cannot access the server.
The server default role is the organization-wide visibility setting for a server. Set it to Viewer, Editor, Admin, or a custom role to make the server available to all organization members at that level. Set it to No Access to restrict the server to actors with explicit grants. Explicit grants are useful for exceptions. For example, a server can default to Viewer for the organization while granting Editor to the team that deploys it. Removing an explicit grant falls back to the server default role, if one is configured.
A permissive default role applies to every current and future organization member. Use No Access when a server should be limited to a specific set of users or service accounts.

Custom server roles

Custom server roles are scoped to one organization. Use them when the built-in Admin, Editor, and Viewer roles are too broad for a server management workflow. Each custom role has:
FieldPurpose
NameA stable slug used by policies and API responses. The name is set when the role is created and cannot be changed later.
LabelThe human-readable role name shown in the dashboard.
PermissionsThe server-level actions the role can perform.
Custom roles can be used anywhere server roles are used: explicit server grants, server default roles, and capability-level access policies.
Use custom roles for operational boundaries such as deploy-only automation, read-only auditors, or users who can edit permissions without being full organization admins.

Capability-level access

Capability-level access controls which MCP tools, resources, and prompts are available to each server role. It is configured from a server’s Settings pages after Horizon has a manifest for the server. For hosted servers, saved capability policy changes apply to the dashboard immediately, but live MCP endpoint traffic uses the updated policy after the next deployment. Server explicit grant changes and server default role changes do not require a code change or rebuild. Capability access has two layers:
LayerWhat it controls
Default permissionsWhich roles can access tools, resources, and prompts by default.
Capability overridesPer-tool, per-resource, and per-prompt exceptions from the default.
When no capability policy is configured, the server’s capabilities are not filtered by tool-level access. After a capability policy is configured, any tool, resource, or prompt without a matching default or override is denied. Per-capability overrides can:
OverrideEffect
DefaultInherit the server’s default capability permissions.
All rolesAllow every server role.
One or more rolesAllow only the listed roles.
Horizon keeps the admin server role allowed in capability policies. Organization admins and server admins can recover access to server capabilities.
Capability policies apply to MCP tools, MCP resources, resource templates, and MCP prompts. Resource templates use the resource access settings.

Applying changes

Authorization changes have different lifecycle boundaries depending on what you change.
ChangeWhen it affects Horizon managementWhen it affects MCP endpoint traffic
Organization role changeOn the next authenticated dashboard or API request.On the next authenticated MCP request that resolves the actor’s current access.
Server explicit grant changeAfter the change is saved.After Horizon updates the live deployment’s access metadata. No code change is required.
Server default role changeAfter the change is saved.After Horizon updates the live deployment’s access metadata. No code change is required.
Capability policy changeAfter the change is saved in Horizon.For hosted servers, after redeploying the server so the deployed endpoint uses the updated policy.
API key revocationImmediately stops that key from authenticating.Immediately stops that key from authenticating.
For hosted servers, if you save default capability permissions or a capability override, redeploy the server before expecting MCP clients to see the new tool, resource, or prompt availability.

Common outcomes

Horizon authenticated the actor, found organization membership, resolved an effective server role, and allowed the requested server or capability.
Authentication failed before authorization. Check the bearer credential, API key state, token expiration, and target organization.
Authentication succeeded, but authorization denied access to the organization, server, or requested capability. Check the actor’s organization role, explicit server grants, the server default role, and capability policy.
The server or deployment does not exist, or Horizon is concealing a server from a caller without discovery access.
The actor may have server access but not capability access. Check the server’s default capability permissions and any per-capability overrides, then redeploy hosted servers if the policy was changed.

Operational guidance

For production servers, keep Horizon authentication enabled and use server roles to control who can manage or call it. Prefer service accounts with narrowly scoped server grants for automation. Use No Access as the default role for sensitive servers, then grant explicit access to the users and service accounts that need them. Use a Viewer default for broadly discoverable servers where most users should be able to inspect or call safe capabilities. Use capability-level access for high-impact tools, sensitive resources, and prompts that should not be available to every server user. Keep destructive or write-capable tools restricted to roles that are meant to perform those actions.

Authentication

Learn how users, service accounts, MCP clients, and API keys prove identity.

Gateway

Learn where authentication and authorization run in the request path.

Members

Invite, remove, and manage people in your organization.

API keys

Create, rotate, and revoke bearer credentials.

Limits

Review product limits that can affect server requests.