Skip to main content
Tenant admins manage OAuth tokens issued to MCP clients (Claude, Cursor, Windsurf, ChatGPT, etc.) under Admin → Settings → OAuth Connections.

What you see

Each row is a single access token issued through the OAuth authorization-code flow. Columns:
  • Application — the human-readable name of the client (e.g. Claude (Anthropic)) and its client_id underneath.
  • Owner — the email of the staff member who approved the connection. This is the person whose access the token acts as.
  • Scopes — the AGO permissions the owner granted to this client (e.g. knowledge:read). These reflect what the owner selected on the consent screen, which may differ from what the client originally requested.
  • Created — when the token was issued.
  • Expires — access tokens expire after 1 hour. Claude Web refreshes them automatically using a 30-day refresh token; the row may rotate frequently.
The page lists every connection in your workspace, not just your own, so an admin can see who connected what.

Revoke a token

Click Revoke next to the token, then confirm. The token is invalidated immediately and the next API call from that client returns 401. The user will need to reconnect from their MCP client to regain access.

What revoking doesn’t do

  • It does not sign the user out of AGO.
  • Active server-sent-event (SSE) streams already in flight may continue until the client reconnects (cap: a few minutes). Non-SSE requests fail immediately.
  • Revoke is per-token, not per-client. If a single user has multiple tokens (e.g. tested across browsers), revoke each one.

When to revoke

  • A user leaves the company → revoke their tokens to prevent stale access.
  • A laptop is lost → revoke all tokens issued to that user.
  • A scope was granted by mistake → revoke and have the user reconnect with the correct scopes.

Permissions

Only users with staff-level privileges (assigned via Administration > User Management) see this page.

Audit logs

Every OAuth-authenticated MCP call is recorded in the public API audit log alongside the application, the user who consented, and the scopes carried by the token. Open the audit view from Administration to filter by application or user when investigating activity.