OAuth 2.1 for MCP — connect any client in one click
Gigamcp ships with a full OAuth 2.1 + Dynamic Client Registration authorization server baked into every workspace. If your MCP client speaks OAuth (Claude.ai Custom Connectors, ChatGPT Connectors, recent Cursor builds, custom LLM agents using the official MCP SDK), you don’t have to mint a long-lived API key — the client opens a browser, you click Authorize once, and the connection is live.
Why OAuth, not an API key?
- One click for the user. No copying tokens between Settings tabs and config files.
- Short-lived access tokens. 15-minute JWTs (RS256) signed by gigamcp, rotated automatically by the client.
- One-click revoke. Sign an app out from
/app/connected-appsand every refresh token belonging to that grant is invalidated within seconds. - Resource-scoped.Tokens are bound to your workspace URL via RFC 8707 Resource Indicators — a token issued for tenant A literally cannot be replayed against tenant B.
- Granular scopes. A read-only research client can request just
mcp:read; a coding agent that calls tools requestsmcp:toolson top of that.
Discovery URL
MCP clients that support OAuth auto-discover the authorization server by reading two well-known JSON files. You almost never need to enter these URLs manually — the client picks them up after you paste your workspace MCP URL. They’re here for operators integrating custom clients.
https://app.gigamcp.io/.well-known/oauth-authorization-server
https://app.gigamcp.io/.well-known/oauth-protected-resourceConnection recipe
- In your client’s “Add MCP server” UI, enter your workspace URL: e.g.
https://app.gigamcp.io/t/acme/mcp. Replaceacmewith your actual workspace slug. - The client hits the URL, sees a
401 Bearerresponse with aWWW-Authenticateheader pointing to our discovery URL, and follows it to register itself (Dynamic Client Registration, RFC 7591) and start an authorize flow. - A browser tab opens at
app.gigamcp.io/oauth/consent. Sign in with your gigamcp account if you aren’t already, then click Authorize after reviewing the requested scopes. - The browser bounces back to your client. The connection is live; subsequent requests use short-lived JWT access tokens that the client refreshes automatically.
Supported scopes
| Scope | What the client can do |
|---|---|
mcp:read | List tools, resources, prompts. Read prompt content. |
mcp:tools | Invoke tools (e.g. search_company_rag). |
mcp:resources | Read and subscribe to MCP resources. |
Any combination is fine. The consent screen always shows you what the client requested before you grant.
Reviewing and revoking
Visit Connected apps in your workspace. Each row is one granted (user, app) pair. Hit Revoke and the app stops working within 15 minutes (the access-token TTL); the underlying refresh token is killed instantly.
Headless / CI use cases
OAuth is the right answer for interactive AI clients. For automation that runs without a human (CI jobs, scheduled scripts, internal bots), use Machine tokens instead. Default expiry is 90 days, max 1 year.
Troubleshooting
- 401 with no
WWW-Authenticateheader. Your URL is missing the tenant slug. Use/t/<slug>/mcp, not/mcp. - The browser opens but redirects to the wrong workspace. Switch workspaces in the gigamcp app first, then retry the authorize flow.
- The client says “invalid_token: audience does not match”. You’re reusing a token across workspaces. Each workspace mints its own resource-bound token; reauthorize.
- The consent screen never loads. Cookie-blocking extensions (e.g. aggressive privacy tools) can break the WorkOS login round-trip. Try a clean browser profile.