MCP Authentication
FunnelStory authenticates MCP clients using OAuth 2.0 with PKCE. This is the same browser-based authorization flow used across enterprise software — your credentials stay in FunnelStory, and the client receives a scoped access token.
The Authorization Flow
When an MCP client connects for the first time:
- The client fetches OAuth metadata from /.well-known/oauth-authorization-server to discover FunnelStory's authorization endpoints
- The client registers itself using Dynamic Client Registration (DCR) — no manual setup needed
- The client redirects you to FunnelStory's authorization page
- You log in (if not already) and approve the access request
- The client exchanges the authorization code for an access token
- The client uses that token for all subsequent requests to /api/mcp
After the initial setup, the client refreshes its token automatically. You won't need to re-authorize unless you revoke access.
PKCE
PKCE (Proof Key for Code Exchange) protects the authorization flow in environments where a static client secret can't be kept confidential — like desktop apps. The client sends a one-way hash (the code challenge) when it starts the flow and reveals the original secret (the code verifier) only when redeeming the authorization code, so a code intercepted mid-flow cannot be exchanged for a token by anyone who does not hold the verifier.
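The following is an added example, not FunnelStory's own code, that walks the client side of the flow described above (steps 3 and 5) and the server-side check that PKCE adds. The issuer, the /oauth/authorize and /oauth/token paths, and the client identifiers are assumptions; a real client takes those endpoints from the server metadata rather than hard-coding them.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Assumed values for this example. FunnelStory's real authorize/token paths are
# discovered from /.well-known/oauth-authorization-server, not hard-coded.
ISSUER = "https://funnelstory.example"
AUTHORIZATION_ENDPOINT = ISSUER + "/oauth/authorize"   # assumption
TOKEN_ENDPOINT = ISSUER + "/oauth/token"               # assumption


def b64url(data: bytes) -> str:
    """Base64url encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes -> 43 unreserved characters (RFC 7636 section 4.1 minimum)."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(client_id: str, redirect_uri: str, verifier: str, state: str) -> str:
    """Step 3 of the flow: the URL the client opens in the browser. Only the
    challenge is sent here; the verifier stays on the client until step 5."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def build_token_request(client_id: str, redirect_uri: str, code: str, verifier: str) -> dict:
    """Step 5: form body POSTed to the token endpoint. A public client registered
    via DCR with token_endpoint_auth_method 'none' has no secret; the verifier
    is its proof of possession."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": verifier,
    }


def server_accepts_code(stored_challenge: str, presented_verifier: str) -> bool:
    """Model of the authorization server's check at the token endpoint: it
    recomputes S256 over the presented verifier and compares it with the
    challenge stored when the code was issued. A party that only captured the
    code cannot present a matching verifier."""
    return secrets.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


if __name__ == "__main__":
    verifier = make_code_verifier()
    state = b64url(secrets.token_bytes(16))
    url = build_authorization_url("client-abc", "http://127.0.0.1:8976/callback", verifier, state)
    print("open in browser:", url)
    # Simulated server state after issuing the code, then the two redemption cases:
    stored = make_code_challenge(verifier)
    print("legitimate client redeems code:", server_accepts_code(stored, verifier))
    print("code without the verifier:", server_accepts_code(stored, make_code_verifier()))
```

The `state` value is generated alongside the verifier and must be checked on the callback as well; PKCE binds the code to the client, `state` binds the callback to the request that started it.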
Revoking Access
To remove a client's access to your workspace:
- Go to the profile menu (avatar) → MCP Clients
- Find the client and click the delete icon
The client's tokens are invalidated immediately.
For Custom MCP Clients
If you're integrating a custom client with FunnelStory's OAuth server:
| Endpoint | Standard |
|---|---|
| /.well-known/oauth-authorization-server | RFC 8414 |
| /.well-known/oauth-protected-resource | RFC 9728 |
Dynamic Client Registration is supported — clients discover the registration endpoint from the server metadata.
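The following is an added example, not FunnelStory's own code, of how a custom client should consume the two metadata documents above: it starts from the MCP resource, reads the RFC 9728 document to find the authorization server, reads the RFC 8414 document to find the endpoints (including the DCR registration endpoint), and refuses metadata whose issuer does not match where it came from or that does not advertise S256 PKCE. The metadata documents and the /oauth/* paths in them are constructed for the example; only the well-known paths and /api/mcp come from this page.

```python
import json
from urllib.parse import urlparse

# Constructed metadata documents standing in for the two well-known responses.
# The /oauth/* endpoint paths are assumptions for this example.
PROTECTED_RESOURCE_DOC = json.dumps({
    "resource": "https://funnelstory.example/api/mcp",
    "authorization_servers": ["https://funnelstory.example"],
    "bearer_methods_supported": ["header"],
})
AUTH_SERVER_DOC = json.dumps({
    "issuer": "https://funnelstory.example",
    "authorization_endpoint": "https://funnelstory.example/oauth/authorize",
    "token_endpoint": "https://funnelstory.example/oauth/token",
    "registration_endpoint": "https://funnelstory.example/oauth/register",
    "response_types_supported": ["code"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "code_challenge_methods_supported": ["S256"],
    "token_endpoint_auth_methods_supported": ["none"],
})


def offline_fetch(url: str) -> str:
    """Stand-in for an HTTPS GET; serves the constructed documents above."""
    docs = {
        "https://funnelstory.example/.well-known/oauth-protected-resource": PROTECTED_RESOURCE_DOC,
        "https://funnelstory.example/.well-known/oauth-authorization-server": AUTH_SERVER_DOC,
    }
    return docs[url]


def _https_origin(url: str) -> str:
    """Reject non-https URLs and return scheme://host for the given URL."""
    p = urlparse(url)
    if p.scheme != "https":
        raise ValueError(f"metadata and endpoints must use https: {url}")
    return f"{p.scheme}://{p.netloc}"


def parse_protected_resource(doc: str, expected_resource: str) -> str:
    """RFC 9728: confirm the document describes the MCP endpoint we intend to
    call and return the first authorization server it names."""
    meta = json.loads(doc)
    if meta.get("resource") != expected_resource:
        raise ValueError("protected-resource metadata is for a different resource")
    servers = meta.get("authorization_servers") or []
    if not servers:
        raise ValueError("no authorization_servers listed")
    _https_origin(servers[0])
    return servers[0]


def parse_authorization_server(doc: str, expected_issuer: str) -> dict:
    """RFC 8414: reject metadata whose issuer does not match the URL it was
    fetched from (section 3.3); require S256 PKCE and a DCR endpoint."""
    meta = json.loads(doc)
    if meta.get("issuer") != expected_issuer:
        raise ValueError("issuer mismatch: possible metadata substitution")
    if "S256" not in meta.get("code_challenge_methods_supported", []):
        raise ValueError("server does not advertise S256 PKCE")
    endpoints = {}
    for key in ("authorization_endpoint", "token_endpoint", "registration_endpoint"):
        if key not in meta:
            raise ValueError(f"metadata lacks {key}")
        _https_origin(meta[key])
        endpoints[key] = meta[key]
    return endpoints


def build_registration_request(client_name: str, redirect_uris: list) -> dict:
    """RFC 7591 body for the DCR step; a public client declares auth method 'none'."""
    return {
        "client_name": client_name,
        "redirect_uris": redirect_uris,
        "grant_types": ["authorization_code", "refresh_token"],
        "response_types": ["code"],
        "token_endpoint_auth_method": "none",
    }


def discover(resource_url: str, fetch=offline_fetch) -> dict:
    """Walk resource metadata -> authorization server metadata -> endpoints."""
    origin = _https_origin(resource_url)
    issuer = parse_protected_resource(fetch(origin + "/.well-known/oauth-protected-resource"), resource_url)
    # RFC 8414: for an issuer with no path component the metadata lives at
    # issuer + /.well-known/oauth-authorization-server.
    return parse_authorization_server(fetch(issuer + "/.well-known/oauth-authorization-server"), issuer)


if __name__ == "__main__":
    endpoints = discover("https://funnelstory.example/api/mcp")
    print("register at:", endpoints["registration_endpoint"])
    print(json.dumps(build_registration_request("my-mcp-client", ["http://127.0.0.1:8976/callback"]), indent=2))
```

Pass a real HTTPS `fetch` callable to `discover` for live use; the issuer check is what stops a substituted metadata document from steering the client to a foreign token endpoint.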
Next Steps
- Getting Started — connect your MCP client
- Available Tools — what authenticated clients can access