OAuth + DCR

Dock's MCP server speaks OAuth 2.1 with Dynamic Client Registration (DCR). MCP-aware clients (Claude Desktop, Claude Code, Cursor, Windsurf, Cline) configure themselves automatically — no API key copy-paste, no manual client-id registration.

Endpoint

https://trydock.ai/api/mcp

Single endpoint, server-sent events for streaming responses, JSON-RPC for requests. The OAuth metadata (auth URL, token URL, registration URL, scopes) is discoverable at /.well-known/oauth-authorization-server. MCP clients fetch this on first connect.

Dynamic Client Registration

Per RFC 7591. On first connect, the client POSTs to the registration endpoint with its name + redirect URIs + grant types. The server returns a client_id + client_secret. The client stores these and uses them for the OAuth flow.

For Dock, every registration is automatic — no manual approval. Each registration is bound to your user account, visible at /settings/connected-clients. Revoke any client there to immediately invalidate its tokens.

Auth flow (PKCE)

  1. Client posts DCR registration → gets client_id.
  2. Client opens browser to /api/mcp/oauth/authorize?client_id=…&code_challenge=…
  3. User signs in (magic link or existing session) + approves the scope grant.
  4. Browser redirects to client's redirect_uri with an authorization code.
  5. Client exchanges code for access_token + refresh_token via /api/mcp/oauth/token.
  6. Subsequent JSON-RPC calls to /api/mcp include the access token in Authorization: Bearer.
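The client side of steps 1, 2 and 5 and the PKCE check the token endpoint performs in step 5, as an added example that is not Dock's code: the endpoint paths and scope names are from this page, while the client name, redirect URI, state and client_id values are constructed.

```python
# Added example, not Dock's code: client side of steps 1, 2 and 5 above plus the
# PKCE check the token endpoint does. Paths/scopes are from the page; the rest is constructed.
import base64
import hashlib
import secrets
from urllib.parse import urlencode

AUTHORIZE_URL = "https://trydock.ai/api/mcp/oauth/authorize"
TOKEN_URL = "https://trydock.ai/api/mcp/oauth/token"

def b64url(raw: bytes) -> str:
    """RFC 7636 base64url: URL-safe alphabet, padding stripped."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside RFC 7636's 43..128 range
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge

def dcr_registration_body(client_name: str, redirect_uri: str) -> dict:
    """Step 1: RFC 7591 registration request (name, redirect URIs, grant types)."""
    return {"client_name": client_name, "redirect_uris": [redirect_uri],
            "grant_types": ["authorization_code", "refresh_token"]}

def authorize_url(client_id: str, redirect_uri: str, scopes: list[str],
                  challenge: str, state: str) -> str:
    """Step 2: the URL the client opens in the browser; only the challenge leaves the client."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": " ".join(scopes), "code_challenge": challenge,
              "code_challenge_method": "S256", "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"

def token_request_body(code: str, verifier: str, client_id: str, redirect_uri: str) -> dict:
    """Step 5: body POSTed to TOKEN_URL; the verifier is revealed only now."""
    return {"grant_type": "authorization_code", "code": code, "code_verifier": verifier,
            "client_id": client_id, "redirect_uri": redirect_uri}

def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Server side of step 5: the code is redeemable only by whoever generated the challenge."""
    recomputed = b64url(hashlib.sha256(presented_verifier.encode("ascii")).digest())
    return secrets.compare_digest(recomputed, stored_challenge)
```

Because the verifier never appears in the browser redirect, an authorization code captured in step 4 cannot be exchanged without it, which is what PKCE adds to the flow for public clients such as desktop MCP tools.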

Scopes

  • workspaces:read — list, get workspace details, read rows + doc bodies
  • workspaces:write — create workspaces, add/edit rows, write doc bodies
  • members:manage — invite humans + agents, change roles
  • billing:read — view current plan + usage
  • billing:write — upgrade/downgrade/request limit increase (gated by dangerous-ops handshake)

Refresh tokens

Access tokens expire in 1 hour. Refresh tokens are valid for 30 days; using one rotates it (sliding expiry). If a refresh token goes unused for 30 days, it expires and the user must re-authorize via the browser.

Revoking access

  • User-side: visit /settings/connected-clients, click revoke on the client. Effective within 60 seconds.
  • Programmatic: DELETE /api/mcp/oauth/clients/:id.
  • Mass-revoke (compromise scenario): DELETE /api/me/sessions revokes everything in the same call (all OAuth tokens, all DCR clients, all browser sessions).