OAuth Authentication for AI Agents- Chipp Docs

When you connect an MCP client (like Claude Code or Cursor) to the Chipp MCP Server, authentication is handled automatically using OAuth 2.0 with PKCE. This page explains what happens during authentication and how to troubleshoot common issues.

How Authentication Works

💡

You don't need to write any code. Your MCP client handles the OAuth flow automatically.

When you first use a Chipp MCP tool:

Your MCP client opens a browser window to the Chipp authorization page
You log in with your Chipp account (or are already logged in)
You approve the connection by clicking "Authorize"
The browser closes and your MCP client is now connected

That's it! Your client stores the tokens securely and refreshes them automatically.

What You'll See

Authorization Screen

When prompted to authorize, you'll see:

Chipp MCP Server as the application requesting access
Your Chipp account email to confirm you're logged in
Requested permissions (typically full access to your apps)
Authorize and Deny buttons

After Authorization

Your MCP client will confirm the connection. In Claude Code, you might see:

Connected to Chipp MCP Server
Available tools: list_apps, create_app, get_app_analytics...

Token Management

Chipp uses prefixed tokens that your MCP client manages automatically:

Token Type	Prefix	Lifetime	What It Does
Access Token	`chipp_at_`	1 hour	Authenticates each request
Refresh Token	`chipp_rt_`	30 days	Gets new access tokens when they expire

Your MCP client:

Stores tokens securely in its configuration
Automatically refreshes expired access tokens
Prompts you to re-authorize if the refresh token expires

Permission Scopes

When authorizing, your MCP client requests permissions. Most clients request full access (scope=*), which grants:

Scope	What It Allows
`apps:read`	View your apps
`apps:write`	Create, update, delete apps
`knowledge:read`	View knowledge sources
`knowledge:write`	Add, update, delete knowledge sources
`actions:read`	View custom actions
`actions:write`	Manage custom actions
`analytics:read`	View conversation analytics
`workspace:read`	View workspace information
`billing:read`	View subscription and credits

Revoking Access

To disconnect an MCP client from your Chipp account:

Go to Chipp Settings
Navigate to Connected Apps or API Access
Find the MCP connection and click Revoke

After revoking, your MCP client will prompt you to re-authorize the next time you use a Chipp tool.

Troubleshooting

"Authentication required"

What happened: Your token expired and couldn't be refreshed.

Fix: Your MCP client should automatically prompt you to re-authorize. If not:

Restart your MCP client (e.g., restart Claude Code)
Try using a Chipp tool again to trigger the auth flow

"Scope not authorized"

What happened: The tool requires a permission that wasn't granted.

Fix: Re-authorize with broader permissions. Most MCP clients request all scopes automatically, so this is rare.

Browser Doesn't Open

What happened: The auth flow couldn't open your default browser.

Fix:

Check if your MCP client logged a URL you can copy/paste
Ensure a default browser is configured on your system
Try restarting your MCP client

"Invalid token format"

What happened: The stored token is corrupted or incomplete.

Fix:

Clear your MCP client's stored Chipp credentials
Re-authorize from scratch

For Claude Code, you can reset credentials:

# Remove stored Chipp OAuth tokens
rm -rf ~/.claude/mcp-auth/chipp*

Connection Times Out

What happened: The authorization flow didn't complete in time.

Fix:

Ensure you complete the browser authorization within 5 minutes
Check your internet connection
Try again - the flow is quick once you know what to expect

Security Details

For those interested in the technical implementation:

OAuth 2.0 with PKCE

The Chipp MCP Server uses OAuth 2.0 Authorization Code Flow with PKCE:

PKCE (Proof Key for Code Exchange) prevents authorization code interception
No client secret required - safe for desktop applications
Short-lived access tokens - minimize exposure if compromised
Refresh token rotation - each refresh issues new tokens

Why OAuth Instead of API Keys?

💡

The Chipp MCP Server does not support static API keys. All authentication uses OAuth.

Benefits:

Revocable - disconnect access anytime from your Chipp settings
Expiring - tokens automatically expire, limiting damage from leaks
Auditable - see when and where your account was accessed
Scoped - permissions can be restricted to specific operations

Token Storage

Your MCP client stores tokens securely:

Claude Code - encrypted in ~/.claude/ directory
Cursor - stored in application settings
Custom clients - should use OS keychain or encrypted storage

OAuth Flow Reference

For developers building custom MCP clients or debugging issues:

Endpoints

Endpoint	Method	Purpose
`https://app.chipp.ai/api/mcp/oauth/authorize`	GET	Start authorization
`https://app.chipp.ai/api/mcp/oauth/token`	POST	Exchange code for tokens
`https://app.chipp.ai/api/mcp/oauth/revoke`	POST	Revoke tokens
`https://app.chipp.ai/.well-known/oauth-authorization-server`	GET	OAuth discovery

Authorization Request

GET https://app.chipp.ai/api/mcp/oauth/authorize?
  client_id=chipp-mcp-client
  &redirect_uri=http://localhost:PORT/callback
  &response_type=code
  &scope=*
  &state=RANDOM_STATE
  &code_challenge=PKCE_CHALLENGE
  &code_challenge_method=S256

Token Exchange

POST https://app.chipp.ai/api/mcp/oauth/token
Content-Type: application/json

{
  "grant_type": "authorization_code",
  "code": "AUTH_CODE",
  "redirect_uri": "http://localhost:PORT/callback",
  "client_id": "chipp-mcp-client",
  "code_verifier": "PKCE_VERIFIER"
}

Token Refresh

POST https://app.chipp.ai/api/mcp/oauth/token
Content-Type: application/json

{
  "grant_type": "refresh_token",
  "refresh_token": "chipp_rt_xxx",
  "client_id": "chipp-mcp-client"
}

Next Steps

Rate Limits - Understanding request limits
Tools Reference - All available tools
Common Workflows - Practical examples