OAuth Connect
Authorize OAuth-protected MCP servers with one click.
How It Works
- Probe URL - The gateway detects the MCP server's auth requirements
- Authorize - You're redirected to the MCP's OAuth authorization page
- Fetch Capabilities - Tools, resources, and prompts are cached automatically
OAuth Modes
Dynamic Client Registration (DCR) - Recommended
The gateway automatically registers as an OAuth client with the MCP server. No Client ID or Secret needed - just click Connect and authorize.
Manual OAuth
For MCP servers without DCR support. Provide your OAuth credentials during MCP setup:
Client ID: your-client-id
Client Secret: ••••••••••
The gateway uses these credentials for the authorization flow. For provider-specific setup steps, see MCP Provider Setup.
OAuth Passthrough
Use OAuth passthrough when the downstream MCP client must perform OAuth directly with the upstream MCP provider. In this mode:
- The gateway relays or advertises upstream OAuth metadata.
- The client obtains the upstream provider's access token.
- The gateway accepts that upstream Bearer token on the direct per-MCP endpoint and forwards it upstream.
- The gateway does not store, refresh, or revoke the upstream token.
- The MCP is not exposed through OneMCP.
Inline OAuth in OneMCP
OneMCP can surface OAuth MCPs before a user has connected them. When a selected tool needs upstream authorization, OneMCP returns an isError: true tool result containing a short-lived connect URL. The user opens the URL, finishes authorization, returns to the agent, and retries the same request.
For the full OneMCP flow, see OneMCP.
Fetched Capabilities
After authorization, the gateway caches the MCP server's capabilities:
Re-Fetching Capabilities
If the MCP server adds new tools or updates its capabilities, click "Already connected? Click to fetch capabilities" in the Settings panel to refresh the cached capabilities without re-authorizing.