# OAuth 2.0 Authentication for MCP Server

> Connect to Collate's MCP Server using OAuth 2.0 with your existing SSO provider. No Personal Access Tokens required.

Collate's MCP Server supports **OAuth 2.0 authentication**, allowing you to connect AI assistants like Claude, Cursor, and VS Code directly using your existing Collate login. This is the same way you sign in to the Collate UI. No need to generate, copy, or rotate Personal Access Tokens.

## Why OAuth 2.0?

|                | Personal Access Token (PAT)              | OAuth 2.0                             |
| -------------- | ---------------------------------------- | ------------------------------------- |
| **Setup**      | Generate token, copy into config         | Enter server URL, sign in via browser |
| **Security**   | Token stored in plain text config files  | No secrets stored locally             |
| **Expiration** | Manual rotation when token expires       | Tokens refresh automatically          |
| **Access**     | Must generate and manage tokens per user | Uses your existing Collate login      |

<Note>
  OAuth 2.0 is the **recommended** way to connect MCP clients. PAT-based authentication remains supported for backward compatibility and environments where browser-based login is not available.
</Note>

## How It Works

Connecting via OAuth is simple:

1. **Add your Collate MCP Server URL** in your AI client (e.g., `https://your-collate-instance.com/mcp`)
2. **A browser window opens** prompting you to sign in with your usual Collate credentials
3. **You're connected** and tokens are managed automatically in the background

That's it. Your MCP client handles the rest, including refreshing your session when needed.

## Supported Authentication Methods

The MCP Server inherits the authentication method configured for your Collate instance. Whatever SSO provider your organization uses to sign in to Collate will also be used for MCP connections.

<Columns cols={2} className="product-cards">
  <Card icon="https://mintcdn.com/collatedocs/-Cx6rTOteG4I_5vO/public/images/icons/google.svg?fit=max&auto=format&n=-Cx6rTOteG4I_5vO&q=85&s=d8420178fad5800b0b06406057db75b0" title="Google SSO" href="/how-to-guides/sso/google" horizontal width="36" height="36" data-path="public/images/icons/google.svg">
    Sign in with your Google Workspace account.
  </Card>

  <Card icon="https://mintcdn.com/collatedocs/eaXUDo1kCWyJG_MC/public/images/icons/azure.svg?fit=max&auto=format&n=eaXUDo1kCWyJG_MC&q=85&s=5a6f90d3e882c40d4e39565f7d23b3d0" title="Azure AD SSO" href="/how-to-guides/sso/azure" horizontal width="36" height="36" data-path="public/images/icons/azure.svg">
    Sign in with your Microsoft / Azure AD account.
  </Card>

  <Card icon="https://mintcdn.com/collatedocs/-Cx6rTOteG4I_5vO/public/images/icons/okta.svg?fit=max&auto=format&n=-Cx6rTOteG4I_5vO&q=85&s=926a4c64d00be46801ae08c3c6add440" title="Okta SSO" href="/how-to-guides/sso/okta" horizontal width="36" height="36" data-path="public/images/icons/okta.svg">
    Sign in with your Okta account.
  </Card>

  <Card icon="https://mintcdn.com/collatedocs/yvgGxaeRR5RwtQo6/public/images/icons/auth0.svg?fit=max&auto=format&n=yvgGxaeRR5RwtQo6&q=85&s=448d75b24161d109766318b2d011ddd7" title="Auth0 SSO" href="/how-to-guides/sso/auth0" horizontal width="36" height="36" data-path="public/images/icons/auth0.svg">
    Sign in with your Auth0 account.
  </Card>

  <Card icon="https://mintcdn.com/collatedocs/eaXUDo1kCWyJG_MC/public/images/icons/amazon-cognito.svg?fit=max&auto=format&n=eaXUDo1kCWyJG_MC&q=85&s=23f52f76ffb2d1782e5bb939c124a873" title="Amazon Cognito" href="/how-to-guides/sso/amazon-cognito" horizontal width="36" height="36" data-path="public/images/icons/amazon-cognito.svg">
    Sign in with Amazon Cognito.
  </Card>

  <Card icon="https://mintcdn.com/collatedocs/-Cx6rTOteG4I_5vO/public/images/icons/oidc.svg?fit=max&auto=format&n=-Cx6rTOteG4I_5vO&q=85&s=a76302e1560cf69d3de20e02e438a4fd" title="Custom OIDC" href="/how-to-guides/sso/custom-oidc" horizontal width="36" height="36" data-path="public/images/icons/oidc.svg">
    Sign in with any OIDC-compatible provider.
  </Card>

  <Card icon="https://mintcdn.com/collatedocs/Q1OIJhF378waLn75/public/images/icons/saml.svg?fit=max&auto=format&n=Q1OIJhF378waLn75&q=85&s=6494e62c679d1c74801b652f06aa689f" title="SAML" href="/how-to-guides/sso/saml" horizontal width="36" height="36" data-path="public/images/icons/saml.svg">
    Sign in with your SAML identity provider.
  </Card>

  <Card icon="https://mintcdn.com/collatedocs/-Cx6rTOteG4I_5vO/public/images/icons/ldap.svg?fit=max&auto=format&n=-Cx6rTOteG4I_5vO&q=85&s=5529404212cf69d32ff2055a7adc734d" title="LDAP" href="/how-to-guides/sso/ldap" horizontal width="36" height="36" data-path="public/images/icons/ldap.svg">
    Sign in with your LDAP / Active Directory credentials.
  </Card>
</Columns>

If your instance uses **basic authentication** (username and password), you will see a login form where you can enter your Collate credentials directly.

## Changing Your Authentication Method

The MCP Server automatically uses the same authentication method configured for your Collate instance. To change how users authenticate:

1. Navigate to **Settings** in your Collate instance
2. Go to the **SSO** configuration section
3. Update the authentication provider (e.g., switch from basic auth to Google SSO)

Once updated, all MCP client connections will use the new authentication method with no changes needed on the client side.

For detailed instructions on configuring each SSO provider, see the [SSO Setup Guide](/how-to-guides/sso).

## Token Management

OAuth tokens are handled entirely by your MCP client with no manual management needed:

* **Access tokens** are short-lived and automatically refreshed in the background
* **Sessions stay active** as long as you're using the MCP client regularly
* **Re-authentication** is only needed if your refresh token expires after an extended period of inactivity (30 days)

To **revoke access** for an MCP client, an administrator can manage active sessions from the Collate admin settings.

## Security

Collate's MCP OAuth implementation follows industry-standard security practices:

* **PKCE (Proof Key for Code Exchange)**: Protects the authorization flow against interception attacks, even on desktop and CLI clients
* **Encrypted token storage**: All tokens are encrypted at rest in the Collate database
* **Short-lived access tokens**: Access tokens expire quickly, limiting exposure if compromised
* **Automatic token refresh**: Clients seamlessly refresh tokens without user interaction
* **Rate limiting**: Built-in protection against brute-force and abuse
* **No secrets in config files**: Unlike PAT-based auth, OAuth does not require storing any secrets on your local machine

## Supported MCP Clients

Set up OAuth authentication with your preferred MCP client:

<CardGroup cols={2}>
  <Card title="Claude Desktop" href="/collate-ai/mcp/claude">
    Connect via Anthropic's AI assistant.
  </Card>

  <Card title="Cursor" href="/collate-ai/mcp/cursor">
    Connect via Cursor IDE.
  </Card>

  <Card title="VS Code" href="/collate-ai/mcp/vscode">
    Connect via Visual Studio Code.
  </Card>

  <Card title="Claude Code" href="/collate-ai/mcp/claude-code">
    Connect via Claude Code CLI.
  </Card>

  <Card title="Goose" href="/collate-ai/mcp/goose">
    Connect via Block's open-source AI agent.
  </Card>
</CardGroup>
