MCP: OAuth
Set up OAuth 2.1 authentication for MCP servers in Flapjack. Automatic token refresh and encrypted storage.
Some MCP servers require OAuth authentication. Flapjack supports the full OAuth 2.1 flow with PKCE, automatic token refresh, and encrypted token storage.
How OAuth Works in Flapjack
1. Start OAuth flow β Flapjack generates PKCE challenge
2. User redirected to MCP server's auth page
3. User authorizes access
4. Callback to Flapjack with auth code
5. Flapjack exchanges code for tokens
6. Tokens encrypted and stored
7. Auto-refreshed 2 minutes before expiry
Starting the OAuth Flow
Via Dashboard
- Add an MCP server that requires OAuth
- Click Connect with OAuth
- Authorize in the popup
- Connection confirmed automatically
Via API
Note: OAuth endpoints require user authentication (Supabase JWT). API keys (fj_live_*) are rejected.
curl -X POST https://api.flapjack.dev/api/mcps/{mcpId}/oauth/start \
-H "Authorization: Bearer <supabase-jwt>" \
-H "Content-Type: application/json" \
-d '{
"clientId": "your-oauth-client-id",
"authorizeUrl": "https://provider.com/oauth/authorize",
"tokenUrl": "https://provider.com/oauth/token",
"scope": "read write"
}'
Response:
{
"authorizationUrl": "https://provider.com/oauth/authorize?client_id=...&code_challenge=..."
}
Redirect the user to this URL. After authorization, the callback is handled automatically.
π Copy as prompt
Start an OAuth flow for my Flapjack MCP server. POST to
/api/mcps/{mcpId}/oauth/startwith the OAuth client ID, authorize URL, token URL, and scopes.
OAuth Security
| Feature | Implementation |
|---|---|
| PKCE | SHA-256 code challenge (512-bit entropy) |
| State parameter | AES-encrypted with server-side validation |
| Token storage | AES-256-GCM encrypted at rest |
| Refresh | Automatic, 2 minutes before expiry |
| Transport | HTTPS only |
Token Refresh
Flapjack automatically refreshes OAuth tokens before they expire. When a tool call is made:
- Flapjack checks if the token expires within 2 minutes
- If so, refreshes using the stored refresh token
- Encrypts and stores the new tokens
- Proceeds with the tool call using the fresh access token
No manual intervention needed.
Supported OAuth Providers
Any OAuth 2.0/2.1 compatible provider works. Common examples:
- GitHub
- Google Workspace β Gmail, Calendar, Drive, Sheets, Contacts, Tasks (managed MCP with incremental consent)
- Slack
- Microsoft (Azure AD)
- Custom OAuth providers
Troubleshooting
| Issue | Solution |
|---|---|
| OAuth flow fails | Verify client ID, authorize URL, and token URL |
| Token refresh fails | Check that the refresh token hasn't been revoked |
| "invalid_grant" error | Re-authorize β the grant may have expired |
| Redirect mismatch | Ensure callback URL is registered with the provider |
Next Steps
- MCP: Connecting Servers β add servers
- MCP: Building Tools β create custom MCP tools
- API: MCP Servers β endpoint reference