OAuth & permissions
AxHub MCP's OAuth login, tenant boundary, and permission scope
AxHub MCP is built on OAuth 2.1. The client handles the standard flow for you, so there's almost nothing to configure by hand.
Login flow
- The client is registered via automatic registration (DCR) — you don't create a client_id or secret.
- Authorization uses Authorization Code + PKCE (S256).
- On first connect, a browser opens for login and consent; a token is issued and the client handles refresh afterward.
- Redirects are restricted to loopback (local) addresses.
Tenant boundary
One session is bound to a single tenant, determined from the signed-in user's membership.
| User state | Behavior |
|---|---|
| One tenant membership | connects to that tenant automatically |
| Multiple memberships | pick a tenant at login |
| No membership | no access |
| Membership revoked after connecting | blocked on the next refresh |
A tenant value sent by the client is not trusted — the server binds the tenant from the verified token claim. The server also never forwards your client token to the backend; it exchanges it for a delegation token scoped to that tenant.
Permission scope
- Issued tokens carry the data:read scope — read-only.
- There are no write or admin tools.
- Every read runs within the access rights the signed-in user already has.
Tokens and errors
| Condition | Response |
|---|---|
| Missing / expired / invalid token | 401 — the client logs in again |
| Missing data:read scope | 403 (insufficient_scope) |
401 and 403 responses carry a standard WWW-Authenticate header and the metadata location, so the client handles re-authentication automatically.
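As an added example (not AxHub's own code), here is a minimal request gate that enforces the rules from the tenant-boundary and tokens-and-errors sections: the tenant is bound from the verified token claim and a client-supplied tenant is ignored, data:read is required, and 401/403 answers carry a WWW-Authenticate header with the metadata location. The HMAC-signed token format, signing key and metadata URL are constructed for the example; the real server validates the issuer's token and then exchanges it for the tenant-scoped delegation token, which is not shown here.

```python
import base64, hashlib, hmac, json, time

# Constructed values for this example; AxHub's real key and metadata URL are not on the page.
SIGNING_KEY = b"example-signing-key"
METADATA_URL = "https://mcp.example.invalid/.well-known/oauth-protected-resource"
REQUIRED_SCOPE = "data:read"

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(payload: str) -> str:
    return _b64(hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest())

def mint_token(claims: dict) -> str:
    # Compact HMAC-signed token standing in for the real access token: <b64 claims>.<b64 mac>
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{payload}.{_sign(payload)}"

def verify_token(token: str):
    # Claims are trusted only after the MAC checks out and exp is still in the future.
    payload, _, sig = token.partition(".")
    if not sig or not hmac.compare_digest(sig, _sign(payload)):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims if claims.get("exp", 0) > time.time() else None

def _challenge(status: int, error: str = None) -> dict:
    # 401/403 carry WWW-Authenticate with the metadata location so the client can re-authenticate.
    header = f'Bearer resource_metadata="{METADATA_URL}"'
    if error:
        header += f', error="{error}"'
    if error == "insufficient_scope":
        header += f', scope="{REQUIRED_SCOPE}"'
    return {"status": status, "headers": {"WWW-Authenticate": header}}

def authorize(headers: dict, client_tenant: str = None) -> dict:
    # Gate a read: the tenant is bound from the verified claim, never from client_tenant.
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return _challenge(401)                        # missing token: client logs in again
    claims = verify_token(auth[len("Bearer "):])
    if claims is None:
        return _challenge(401, "invalid_token")       # expired or tampered token
    if REQUIRED_SCOPE not in claims.get("scope", "").split():
        return _challenge(403, "insufficient_scope")  # no data:read scope
    tenant = claims.get("tenant")
    if not tenant:
        return _challenge(403, "invalid_token")       # no membership, no access (status assumed)
    # client_tenant is ignored on purpose; a mismatch is at most something to log.
    return {"status": 200, "tenant": tenant, "sub": claims.get("sub")}
```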