How MCP sign-in works

MCP clients authenticate with OAuth 2.1, federated to your identity provider — Syncanix never holds your users' credentials.

When a client connects, it signs the user in through your identity provider using OAuth 2.1. Here’s the flow, step by step.

The flow

It follows the standard MCP authorization handshake, so compliant clients do most of this automatically:

  1. Discover: The client fetches your server’s metadata to learn which authorization server issues tokens and what audience to request.
  2. Register: The client registers itself dynamically — no manual client setup needed.
  3. Authorize: The client opens an authorization request with PKCE and a workspace-scoped audience.
  4. Your identity provider: Syncanix redirects the user to your configured identity provider to sign in.
  5. Token: After sign-in, the client exchanges the result for a short-lived access token (with a rotating refresh token).
  6. Connect: The client opens the MCP session with that token and starts listing and calling tools.

Your identity provider

Sign-in federates to the identity provider you configure for the workspace (Auth0, Clerk, Cognito, WorkOS, or your own OIDC). Tokens are short-lived and scoped to the workspace, and the same permissions apply as everywhere else.
