MCP limits & endpoints
Session limits and the OAuth and transport endpoints the MCP server exposes.
A quick reference for operating against the MCP server.
Session limits
- Sessions expire after about 30 minutes of inactivity.
- Up to 5 concurrent sessions per user, per client.
- Around 100 requests per minute, per session.
Endpoints
Compliant clients discover these automatically; they’re listed here for reference:
- Protected-resource metadata — advertises the authorization server and audience.
- Client registration — dynamic client registration.
- Authorize — the OAuth authorization request (with PKCE).
- Token — exchanges the code for an access token, and refreshes it.
- The per-workspace MCP endpoint — where the Streamable HTTP session runs.