First, the client discovers what the server supports.
Register your client to get a unique client ID.
Request authorization from a user. You'll see a consent page where users can approve access.
| parameter | description |
|---|---|
| client_id | OAuth client ID (required) |
| redirect_uri | Callback URL (required) |
| state | CSRF protection token (required) |
| code_challenge | PKCE challenge (required) |
| auto_approve | Set to true to skip consent and auto-generate user |
| auto_approve_email | Email for programmatic auth (requires password) |
| auto_approve_password | Password for programmatic auth (requires email) |
| expires_in | Token expiration in seconds (optional, default: no expiration) |
| field | description |
|---|---|
| action | auto (generate user) or login (email/password) |
| email | Email (required when action=login) |
| password | Password (required when action=login) |
Exchange the authorization code for an access token.
That's the complete OAuth flow. MCP clients do all of this automatically—you just experienced what happens behind the scenes.
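The client side of the authorization step, as an added example (not code from this server or its project): it generates the `state` and `code_challenge` values from the parameter table and rejects a callback whose `state` does not match. The endpoint URL, the `code_challenge_method` parameter and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: placeholder URL; the page does not give the server's endpoint.
AUTHORIZE_URL = "https://mock-server.example/authorize"


def s256(verifier):
    """code_challenge = BASE64URL(SHA256(code_verifier)), unpadded (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_url(client_id, redirect_uri, expires_in=None):
    """Return (url, state, code_verifier) for one authorization attempt."""
    state = secrets.token_urlsafe(32)      # fresh per request, kept by the client
    verifier = secrets.token_urlsafe(64)   # 86 chars, inside RFC 7636's 43..128
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": s256(verifier),
        # Assumption: RFC 7636 parameter, not listed in the page's table.
        "code_challenge_method": "S256",
    }
    if expires_in is not None:
        params["expires_in"] = str(expires_in)
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state, verifier


def read_callback(callback_url, expected_state):
    """Return the authorization code; reject a missing or mismatched state."""
    query = parse_qs(urlsplit(callback_url).query)
    returned = query.get("state", [""])[0]
    if not hmac.compare_digest(returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard the code")
    codes = query.get("code")
    if not codes:
        raise ValueError("callback carries no authorization code")
    return codes[0]
```

The `code_verifier` never appears in the URL; the client holds it until the token exchange, which is what binds the authorization code to the client that started the flow.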
Building your own MCP client? Use our mock MCP for testing.
Simple endpoint with no authentication.
Server information
JSON health check
Users created with email/password are saved. Auto-generated users are temporary.