OAuth for MCP

Secure AI access to your vibe

Last updated: March 2026

Why OAuth?

When an AI client like Claude connects to your vibe's MCP tools, it needs permission to read and write your data. OAuth 2.1 provides a secure way to grant that access without sharing passwords.

Public vibes (those without access restrictions) allow unauthenticated MCP access — no OAuth needed. But if your vibe has access controls, AI clients must authenticate through OAuth to use its tools.

How it works

vibe-coded.ai runs an OAuth 2.1 authorization server at oauth.vibe-coded.ai. When an AI client first connects to your vibe, the flow looks like this:

  1. Client registration — The AI client automatically registers itself via Dynamic Client Registration (DCR). This happens in the background.
  2. Authorization request — The client opens a browser window asking you to approve access. You'll see which vibe is being accessed and what scopes are requested.
  3. You approve — After logging in, you grant the requested permissions.
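  4. Token exchange — The client exchanges the authorization code for an access token. PKCE (Proof Key for Code Exchange) ties the exchange to the client that started the flow, so an intercepted authorization code cannot be redeemed by anyone else.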
  5. Tool access — The client includes the token in all MCP requests. The platform verifies it and enforces the granted scopes.

For most users: This flow happens automatically. Claude Desktop handles registration, opens the approval page, and stores the token. You just click "Approve" once.

Scopes

OAuth scopes control what an AI client can do with your vibe's tools:

Scope         Allows
mcp:read      Read data (list, search, get operations)
mcp:write     Create and update data
mcp:admin     Delete data and manage settings
mcp:execute   Run custom operations

Tools are filtered based on the granted scopes. If a client only has mcp:read, it won't see write or delete tools.
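
The filtering described above, sketched as an added example (not vibe-coded.ai's own code). The tool names and registry are hypothetical, and it assumes the scopes are independent (mcp:write does not imply mcp:read), which this page does not specify. It also re-checks the scope on every call, because a tool hidden from the listing can still be requested by name.

```python
# Added example: only the four scope names come from the page; the tool
# names, registry and function names are assumptions for illustration.
from dataclasses import dataclass

KNOWN_SCOPES = {"mcp:read", "mcp:write", "mcp:admin", "mcp:execute"}


@dataclass(frozen=True)
class Tool:
    name: str
    required_scope: str


# Constructed sample registry, one required scope per tool.
TOOLS = {
    t.name: t
    for t in [
        Tool("list_notes", "mcp:read"),
        Tool("search_notes", "mcp:read"),
        Tool("create_note", "mcp:write"),
        Tool("update_note", "mcp:write"),
        Tool("delete_note", "mcp:admin"),
        Tool("run_report", "mcp:execute"),
    ]
}


def parse_scopes(scope_claim: str) -> frozenset:
    """Split a space-delimited OAuth scope string and drop unknown values."""
    return frozenset(scope_claim.split()) & KNOWN_SCOPES


def visible_tools(scope_claim: str) -> list:
    """Names of the tools to advertise in a tool listing for this token."""
    granted = parse_scopes(scope_claim)
    return sorted(t.name for t in TOOLS.values() if t.required_scope in granted)


def authorize_call(tool_name: str, scope_claim: str) -> bool:
    """Enforce the scope at call time, independently of what was listed."""
    tool = TOOLS.get(tool_name)
    if tool is None:
        return False  # unknown tool: fail closed
    return tool.required_scope in parse_scopes(scope_claim)


if __name__ == "__main__":
    print(visible_tools("mcp:read"))
    print(authorize_call("delete_note", "mcp:read"))
```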

What users see

When an AI client requests access, users see a consent screen showing:

  • Which vibe is being accessed
  • The name of the AI client requesting access
  • Which permissions (scopes) are being requested
  • "Approve" and "Deny" buttons

After approving, the token is stored by the AI client and reused for future sessions until it expires.

Common issues

Token expired

Access tokens expire after a set period. Most AI clients will automatically request a new token. If you're prompted to re-approve, that's normal.

Scope mismatch

If Claude can see some tools but not others, the token may have been granted with limited scopes. Disconnect and reconnect to request the full set of scopes.

Redirect URI error

This usually means the AI client's redirect URI isn't registered. For Claude Desktop and Claude Code, this is handled automatically. Third-party clients may need to register their redirect URI during DCR.

Public vs authenticated vibes

If your vibe is public, MCP access works without OAuth. If you later add access controls, existing unauthenticated connections will stop working until clients authenticate via OAuth.