Authentication
Overview of OAuth 2.0 authentication for Madgicx MCP.
Authentication
Madgicx MCP uses OAuth 2.0 with PKCE (Proof Key for Code Exchange) for secure authentication. This ensures your Madgicx account credentials are never shared with AI clients.
Security Features
PKCE (Proof Key for Code Exchange)
PKCE protects against authorization code interception attacks:
- Client generates a random code_verifier
- Client sends a hash (code_challenge) with the authorization request
- During token exchange, client proves possession of the original code_verifier
Token Security
| Token Type | Lifetime | Storage |
|---|---|---|
| Access Token | 1 hour | Memory only |
| Refresh Token | 30 days | Secure credential store |
Team Isolation
Each authorization is scoped to a single Madgicx team:
- Tokens are valid only for the selected team
- Switching teams requires re-authorization
- Team admins can revoke access at any time
Token Refresh
Access tokens expire after 1 hour. The refresh process is automatic:
- AI client detects expired token
- Client uses refresh token to request new access token
- MCP server validates and issues new tokens
- Tool calls continue without user intervention
Revoking Access
To revoke MCP access:
- From AI Client: Disconnect the MCP connector
- Automatic: After 30 days of inactivity
Next Steps
- OAuth Flow - Detailed flow documentation