
MCP Server Authentication

auxilia supports three authentication methods for remote MCP servers.

None

Some MCP servers don’t require credentials (e.g. DeepWiki). Select None as the auth type.

Bearer Token (API Key)

For servers that accept a static API key or token:

  1. Select API Key as the auth type
  2. Paste the key

auxilia encrypts the key with AES-GCM before writing it to the database (the encryption key is derived from the SALT environment variable — see app/mcp/servers/encryption.py). On every request the key is sent as:

Authorization: Bearer <your-api-key>

The key is shared across all users of the workspace.

OAuth 2.0

For servers that use OAuth, auxilia supports two credential-management styles:

Dynamic Client Registration (DCR)

With DCR, auxilia registers itself as an OAuth client with the MCP server on the fly — you don’t need to create anything in the provider’s dashboard.

Flow:

  1. User clicks Connect on the server card
  2. auxilia fetches the server’s OAuth metadata
  3. If DCR is supported, a client is registered automatically
  4. User is redirected to the provider’s consent screen
  5. On callback, tokens are stored in Redis, scoped to that user

DCR is used by most official servers (Notion, Linear, Sentry, Stripe, Supabase, Canva, Intercom, Amplitude, Atlassian, Slack).

Static OAuth credentials

Some providers require you to create an OAuth application yourself and give auxilia the client ID and secret.

Flow:

  1. Admin creates an OAuth app in the provider’s dashboard
  2. Admin enters Client ID + Client Secret when installing the server in auxilia
  3. User clicks Connect
  4. auxilia uses the pre-registered credentials with a PKCE challenge
  5. User is redirected to the provider’s consent screen
  6. On callback, tokens are stored in Redis, scoped to that user

Static credentials are currently used by GitHub, HubSpot, and BigQuery from the official catalog.

The redirect URI you need to configure in the provider is always:

<FRONTEND_URL>/api/backend/mcp-servers/oauth/callback

Token storage

OAuth tokens live in Redis under keys of the form:

mcp:{user_id}:{mcp_server_id}:tokens

Each user has their own token set for every MCP server they’ve connected. Tokens are refreshed automatically when they expire. OAuth client secrets (for static-credential servers) are encrypted with AES-GCM in Postgres.
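The static-credential flow above (steps 3 to 6) and the Redis key layout, worked through as an added example; this is illustrative code, not auxilia's own implementation. It assumes the provider's authorize endpoint, the client ID, and the FRONTEND_URL value are supplied by the deployment (the values below are constructed), and it adds a per-flow state parameter, which the page does not describe, to bind the callback to the user who started it.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed deployment value; substitute the real FRONTEND_URL.
FRONTEND_URL = "https://auxilia.example.com"
REDIRECT_PATH = "/api/backend/mcp-servers/oauth/callback"


def redirect_uri(frontend_url: str = FRONTEND_URL) -> str:
    """Redirect URI to register with the provider (exact-match, no trailing slash)."""
    return frontend_url.rstrip("/") + REDIRECT_PATH


def make_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 code_verifier: 43..128 unreserved chars from a CSPRNG."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode()
    if not 43 <= len(verifier) <= 128:
        raise ValueError("code_verifier length out of range")
    return verifier


def code_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def authorization_url(authorize_endpoint: str, client_id: str,
                      verifier: str, state: str, scope: str = "") -> str:
    """Consent-screen URL for the pre-registered client plus the PKCE challenge."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri(),
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
        "state": state,
    }
    if scope:
        params["scope"] = scope
    return authorize_endpoint + "?" + urlencode(params)


def callback_state_ok(expected_state: str, returned_state: str) -> bool:
    """Constant-time check that the callback belongs to the flow this user started."""
    return secrets.compare_digest(expected_state, returned_state)


def token_key(user_id: str, mcp_server_id: str) -> str:
    """Redis key holding one user's token set for one MCP server."""
    return f"mcp:{user_id}:{mcp_server_id}:tokens"
```

The verifier and state must be kept server-side (per user) between building the URL and handling the callback; only the challenge and state travel to the provider.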

Reconnecting and resetting

  • Reconnect — click Connect again to re-authorize. Existing tokens are replaced.
  • Reset — admins can wipe all stored OAuth state for a server (all users, all clients). Useful after changing static credentials or rotating an OAuth app.