OAuth 2.0 Authentication for MCP Server

Collate’s MCP Server supports OAuth 2.0 authentication, allowing you to connect AI assistants like Claude, Cursor, and VS Code directly using your existing Collate login. This is the same way you sign in to the Collate UI. No need to generate, copy, or rotate Personal Access Tokens.

Why OAuth 2.0?

| | Personal Access Token (PAT) | OAuth 2.0 |
| --- | --- | --- |
| Setup | Generate token, copy into config | Enter server URL, sign in via browser |
| Security | Token stored in plain text config files | No secrets stored locally |
| Expiration | Manual rotation when token expires | Tokens refresh automatically |
| Access | Must generate and manage tokens per user | Uses your existing Collate login |

OAuth 2.0 is the recommended way to connect MCP clients. PAT-based authentication remains supported for backward compatibility and environments where browser-based login is not available.
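
When moving existing clients from PATs to OAuth, it helps to find the config entries that still carry a token in plain text. The following check is an added example, not Collate's own tooling; the `mcpServers` / `headers` / `env` layout and all token values in the sample are constructed assumptions, so adapt the input to your client's actual config file.

```python
import json
import re

# JWT-shaped value: header and payload both begin with base64url of '{"'
JWT_RE = re.compile(r"\beyJ[\w-]{8,}\.eyJ[\w-]{8,}\.[\w-]{8,}")
# Literal bearer credential; "${VAR}" placeholders do not match this class
BEARER_RE = re.compile(r"\bBearer\s+[\w.~+/=-]{16,}", re.I)

# Constructed sample config (hypothetical layout, fake token values)
SAMPLE = """
{
  "mcpServers": {
    "collate-pat": {
      "url": "https://your-collate-instance.com/mcp",
      "headers": {"Authorization": "Bearer CONSTRUCTED-pat-0000000000000000"}
    },
    "collate-env": {
      "url": "https://your-collate-instance.com/mcp",
      "env": {"TOKEN": "eyJDT05TVFJVQ1RFRA.eyJDT05TVFJVQ1RFRA.Y29uc3RydWN0ZWQ"}
    },
    "collate-oauth": {"url": "https://your-collate-instance.com/mcp"}
  }
}
"""


def find_secrets(node, path="$"):
    """Return [(json_path, kind)] for string values that look like tokens.

    Only the location is reported, never the token itself.
    """
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            hits += find_secrets(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits += find_secrets(value, f"{path}[{i}]")
    elif isinstance(node, str):
        if JWT_RE.search(node):
            hits.append((path, "jwt"))
        elif BEARER_RE.search(node):
            hits.append((path, "bearer"))
    return hits


def scan(config_text):
    return find_secrets(json.loads(config_text))
```
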

How It Works

Connecting via OAuth is simple:
  1. Add your Collate MCP Server URL in your AI client (e.g., https://your-collate-instance.com/mcp)
  2. A browser window opens prompting you to sign in with your usual Collate credentials
  3. You’re connected and tokens are managed automatically in the background
That’s it. Your MCP client handles the rest, including refreshing your session when needed.

Supported Authentication Methods

The MCP Server inherits the authentication method configured for your Collate instance. Whatever SSO provider your organization uses to sign in to Collate will also be used for MCP connections.

Google SSO

Sign in with your Google Workspace account.

Azure AD SSO

Sign in with your Microsoft / Azure AD account.

Okta SSO

Sign in with your Okta account.

Auth0 SSO

Sign in with your Auth0 account.

Amazon Cognito

Sign in with Amazon Cognito.

Custom OIDC

Sign in with any OIDC-compatible provider.

SAML

Sign in with your SAML identity provider.

LDAP

Sign in with your LDAP / Active Directory credentials.
If your instance uses basic authentication (username and password), you will see a login form where you can enter your Collate credentials directly.

Changing Your Authentication Method

The MCP Server automatically uses the same authentication method configured for your Collate instance. To change how users authenticate:
  1. Navigate to Settings in your Collate instance
  2. Go to the SSO configuration section
  3. Update the authentication provider (e.g., switch from basic auth to Google SSO)
Once updated, all MCP client connections will use the new authentication method with no changes needed on the client side. For detailed instructions on configuring each SSO provider, see the SSO Setup Guide.

Token Management

OAuth tokens are handled entirely by your MCP client with no manual management needed:
  • Access tokens are short-lived and automatically refreshed in the background
  • Sessions stay active as long as you’re using the MCP client regularly
  • Re-authentication is only needed if your refresh token expires after an extended period of inactivity (30 days)
To revoke access for an MCP client, an administrator can manage active sessions from the Collate admin settings.

Security

Collate’s MCP OAuth implementation follows industry-standard security practices:
  • PKCE (Proof Key for Code Exchange): Protects the authorization flow against interception attacks, even on desktop and CLI clients
  • Encrypted token storage: All tokens are encrypted at rest in the Collate database
  • Short-lived access tokens: Access tokens expire quickly, limiting exposure if compromised
  • Automatic token refresh: Clients seamlessly refresh tokens without user interaction
  • Rate limiting: Built-in protection against brute-force and abuse
  • No secrets in config files: Unlike PAT-based auth, OAuth does not require storing any secrets on your local machine

Supported MCP Clients

Set up OAuth authentication with your preferred MCP client:

Claude Desktop

Connect via Anthropic’s AI assistant.

Cursor

Connect via Cursor IDE.

VS Code

Connect via Visual Studio Code.

Claude Code

Connect via Claude Code CLI.

Goose

Connect via Block’s open-source AI agent.