MCP Authentication
Vocci MCP uses OAuth. Users authorize a compatible client through a browser sign-in flow instead of copying credentials into configuration files.
Authorization can expire or be revoked. If a client receives 401 or 403, reconnect the user through OAuth instead of asking them to paste tokens.
OAuth Flow
OAuth-capable clients should:
- Connect to https://mcp.vocci.ai/mcp.
- Discover protected-resource metadata from the Vocci MCP server.
- Discover authorization-server metadata from the advertised issuer.
- Send the user through authorization and consent.
- Store the resulting authorization in the client's secure storage.
- Call MCP tools on behalf of the authorized user.
- Refresh or reconnect when authorization expires or access is revoked.
Hosted clients should not ask users to paste credentials manually. If a hosted client cannot complete OAuth, reconnect with a tested setup path.
What The Client Sends
After OAuth completes, the client handles request authorization automatically. Users should not copy browser session values, OAuth codes, or authorization headers into configuration.
Access Model
Vocci MCP authorization is user-scoped and read-only.
| Area | Expected behavior |
|---|---|
| User data | Only data the authorized account can access. |
| Tool permissions | Read-only tools only. |
| Browser sessions | Not accepted as MCP credentials. |
| Revoked access | Rejected on the next request. |
| Missing permissions | Tools should fail without returning private system details. |
Discovery Routes
The server advertises standard metadata for OAuth-capable clients. The host comes from the Vocci MCP server URL:
https://mcp.vocci.ai/.well-known/oauth-protected-resource
https://mcp.vocci.ai/.well-known/oauth-protected-resource/mcp
https://mcp.vocci.ai/.well-known/oauth-authorization-server
https://mcp.vocci.ai/.well-known/openid-configuration
If Dynamic Client Registration is enabled for the environment, the authorization-server metadata includes a registration_endpoint:
registration_endpoint: <issuer-specific OAuth registration URL>
When this field is present, OAuth-capable clients should read it from the authorization-server metadata response instead of hard-coding a Clerk host. If the field is absent, Dynamic Client Registration is not advertised for that environment.
Some clients discover these routes automatically after receiving the MCP server URL:
/.well-known/oauth-protected-resource
/.well-known/oauth-protected-resource/mcp
/.well-known/oauth-authorization-server
/.well-known/openid-configuration
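The discovery chain above, worked through as an added example that is not Vocci's own client code: derive the well-known routes from the MCP server URL, pick the issuer the protected-resource metadata advertises (refusing metadata bound to some other resource), locate that issuer's metadata, read registration_endpoint only if it is present, and treat 401/403 as a signal to re-run OAuth. The issuer host and both metadata documents are constructed samples, and the resource/issuer consistency checks are the RFC 9728 / RFC 8414 checks a client would add; none of these values come from the page.

```python
import json
from urllib.parse import urlsplit
# Constructed sample metadata documents; the live server's responses will differ.
PROTECTED_RESOURCE_DOC = json.dumps({
    "resource": "https://mcp.vocci.ai/mcp",
    "authorization_servers": ["https://issuer.example"],
})
AUTH_SERVER_DOC = json.dumps({
    "issuer": "https://issuer.example",
    "registration_endpoint": "https://issuer.example/oauth/register",
})

def _split(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}", p.path.rstrip("/")

def discovery_urls(mcp_url):
    """The four well-known routes a client derives from the MCP server URL alone."""
    origin, path = _split(mcp_url)
    return {
        "protected_resource": f"{origin}/.well-known/oauth-protected-resource",
        "protected_resource_path": f"{origin}/.well-known/oauth-protected-resource{path}",
        "authorization_server": f"{origin}/.well-known/oauth-authorization-server",
        "openid": f"{origin}/.well-known/openid-configuration",
    }

def issuer_metadata_url(issuer):
    # RFC 8414: the well-known segment goes between the issuer host and its path.
    origin, path = _split(issuer)
    return f"{origin}/.well-known/oauth-authorization-server{path}"

def select_issuer(protected_resource_json, mcp_url):
    """Pick the advertised issuer, refusing metadata bound to a different resource."""
    doc = json.loads(protected_resource_json)
    if doc.get("resource") != mcp_url:
        raise ValueError("protected-resource metadata is for a different resource")
    if not doc.get("authorization_servers"):
        raise ValueError("no authorization server advertised")
    return doc["authorization_servers"][0]

def registration_endpoint(auth_server_json, expected_issuer):
    """registration_endpoint if advertised, else None: never hard-code a host."""
    doc = json.loads(auth_server_json)
    if doc.get("issuer") != expected_issuer:
        raise ValueError("issuer mismatch in authorization-server metadata")
    return doc.get("registration_endpoint")

def needs_reconnect(status_code):
    """401/403 means expired or revoked authorization: re-run OAuth, never paste tokens."""
    return status_code in (401, 403)
```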