Authentication
OAuth
MCP clients authenticate over OAuth. The handshake is the same for both servers — the public server (scope mcp:account) and the business server (scope mcp:business) — only the scope and what the token resolves to differ.
FlowDCR (RFC 7591)PKCERequired
The handshake
From an unauthenticated probe to a scoped call:
- 1Get challengedAn unauthenticated request to the MCP endpoint returns 401 with a WWW-Authenticate header pointing at /.well-known/oauth-protected-resource — the OAuth discovery document.
- 2Register the clientThe client self-registers via Dynamic Client Registration (RFC 7591, POST /oauth/register). Registered MCP clients are public, so they must use PKCE.
- 3ConsentYou approve the client on the consent screen — and, for the business server, pick which business it acts on. The token then resolves to your user.
- 4Call with the tokenSend the access token as a Bearer header and invoke tools over JSON-RPC. Your real permissions are enforced on every call.
bash
# 1. An unauthenticated MCP request is challenged:
# HTTP/1.1 401 Unauthorized
# WWW-Authenticate: Bearer resource_metadata="https://<host>/.well-known/oauth-protected-resource"
# 2. After discovery, registration, and consent, call with the token:
curl https://<host>/api/mcp \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer <mcp-access-token>' \
--data '{"jsonrpc":"2.0","id":1,"method":"tools/call",
"params":{"name":"<tool>","arguments":{}}}'Scopes
Which server you point at determines the scope and identity:
mcp:accountConsumer (end-user) access on the public MCP server — the token acts as the signed-in viewer. Public MCP guide
mcp:businessStaff access on the business MCP server — the token acts as the signed-in staff member with their real role. Business MCP guide
The token is an access path, never an escalation — the schema still enforces your role. This is separate from the partner API-key scopes, which only reach the restricted external surface.