Set up AI agent access and MCP

Step-by-step guide

1. 1Open Settings, then AI agents. New clinics start with agent access disabled.
2. 2Enable AI agent access only after the clinic owner has reviewed the allowed actions and security policy.
3. 3Choose whether authorized agents can book appointments, reschedule appointments, cancel appointments, or only read appointment information.
4. 4Keep user confirmation enabled for bookings and changes unless the clinic has a documented reason to allow unattended writes.
5. 5Use staff approval for agent-created bookings when practitioners need to review requests before they are confirmed.
6. 6Set booking lead time, cancellation notice, and hold duration so agents cannot reserve inappropriate last-minute slots.
7. 7Keep invoices, forms, and client notes hidden from agents unless the clinic has completed a privacy review for those data types.
8. 8Register only trusted agent clients with approved redirect URLs and the minimum scopes needed for their use case.
9. 9Share the machine-readable discovery endpoints with reviewed developers: /.well-known/appointa-agent.json, /agent/openapi.json, and /agent/mcp.
10. 10Monitor agent action logs for denied scopes, failed attempts, unusual booking activity, and revoked consent grants.
11. 11If a client reports unwanted agent activity, revoke the consent grant from the agent consents view and review the audit log before re-enabling access.