MCP Authentication

The Pipe2.ai MCP server supports two authentication methods: personal access tokens (PATs) for quick setup and OAuth 2.1 which is handled automatically by MCP clients that support it.

Personal Access Tokens

PATs are the simplest way to authenticate. Generate one from your dashboard and add it to your MCP client config.

1. Go to your Pipe2.ai dashboard → API Keys → Personal Access Tokens.

2. Create a new token with a descriptive name (e.g., “Claude Desktop”).

3. Copy the token — it will only be shown once.

4. Add the token to your MCP client configuration:

   {
     "headers": {
       "Authorization": "Bearer YOUR_TOKEN"
     }
   }

Token Properties

Property	Details
Format	Signed JWT
Expiration	1 year from creation, checked on every request
Revocation	Can be revoked from the dashboard (takes effect within 30 seconds)
Last used	Updated automatically

Revoking a Token

Revoke a token from your dashboard at any time. Revocation takes effect within 30 seconds.

Caution

Store your token securely. Anyone with your token can access your Pipe2.ai account via MCP. If compromised, revoke it immediately from your dashboard.

OAuth 2.1

MCP clients that support the MCP OAuth specification (like Claude Desktop) handle authentication automatically. When you connect, the client will:

1. Open your browser to the Pipe2.ai login page
2. You log in and approve access
3. The client receives a token and stores it

No manual configuration needed — no client IDs, secrets, or redirect URIs to manage. Pipe2.ai handles client registration automatically via the MCP protocol.

Discovery

MCP clients discover the OAuth endpoints automatically via:

GET https://mcp.pipe2.ai/.well-known/oauth-authorization-server

How It Works

When an MCP client connects without a token, the server returns a 401 with the OAuth discovery URL. The client then:

1. Fetches the OAuth metadata (authorization endpoint, token endpoint)
2. Opens a browser window for the user to log in
3. Exchanges the authorization code for an access token (using PKCE)
4. Includes the access token in all subsequent MCP requests

The entire flow is handled by the MCP client — you just click “Connect” and log in.

Troubleshooting

Issue	Solution
401 Unauthorized	Check that your PAT is included in the Authorization: Bearer header
Token expired	Generate a new personal access token from your dashboard
Token revoked	The token was revoked. Create a new one from the dashboard
OAuth popup doesn’t appear	Ensure your MCP client supports OAuth 2.1. Use a PAT as fallback