Per-tenant URLs
All endpoints are tenant-scoped via subdomain:
The MCP resource itself is
https://<tenant>.api.useago.com/api/v1/mcp.
Supported flow
- Grant type:
authorization_code - PKCE: required (
S256only —plainrejected) - Token format: opaque (not JWT)
- Access token TTL: 1 hour
- Refresh token TTL: 30 days, with rotation and a 30-second grace period (covers concurrent-refresh races from pipelined clients)
- Authorization code TTL: 60 seconds
- Public clients: yes — no
client_secretrequired whentoken_endpoint_auth_method=none - Per-tenant isolation: each tenant has its own database; a token issued in tenant A’s DB cannot be looked up from tenant B’s MCP URL — replay attempts return 401
What’s not (yet) supported
- Dynamic Client Registration (RFC 7591) — the
registration_endpointis intentionally absent from the metadata document. Register clients manually as below. - Client credentials / device flow — only authorization-code is implemented.
- OIDC ID tokens — the resource model is OAuth 2.1, not OIDC.
- Token introspection (RFC 7662) — not exposed to third parties.
Register a new MCP client
If you build an MCP client (Cursor, Windsurf, an internal agent), email support@useago.com with:- The product name (shown to end-users on the consent screen).
- A list of redirect URIs (HTTPS only, exact match).
- The scopes you’ll request by default.
- Whether you’re a public (no secret) or confidential (server-side, with secret) client.
client_id. We’re tracking demand — once a few more clients ask we’ll ship Dynamic Client Registration.
Sample auth-code flow (curl)
scripts/oauth_smoke.sh in the AGO repository.
Refresh
refresh_token arriving within 30 seconds both succeed. Outside that window, replaying an already-rotated refresh token revokes the entire chain (RFC 6749 §10.4 reuse detection).
