Authentication
Overview of OAuth 2.0 authentication for both Madgicx MCP servers.
Both Madgicx MCP servers — Facebook Ads (https://mcp.madgicx.com/mcp) and Google Ads (https://mcp-google-ads.madgicx.com/mcp) — use OAuth 2.0 with PKCE (Proof Key for Code Exchange) for secure authentication. Your Madgicx account credentials are never shared with AI clients.
One authorization server for both MCPs
Both servers share Madgicx's authorization endpoints. A single Madgicx login authorizes both connectors, and the same Client ID / Client Secret pair is used for client-credentials flows against either server.
Security Features
PKCE (Proof Key for Code Exchange)
PKCE protects against authorization code interception attacks:
- Client generates a random `code_verifier`
- Client sends a hash (`code_challenge`) with the authorization request
- During token exchange, client proves possession of the original `code_verifier`
Token Security
| Token Type | Lifetime | Storage |
|---|---|---|
| Access Token | 1 hour | Memory only |
| Refresh Token | 30 days | Secure credential store |
Team Isolation
Each authorization is scoped to a single Madgicx team:
- Tokens are valid only for the selected team
- Switching teams requires re-authorization
- Team admins can revoke access at any time
The selected team determines which Facebook ad accounts (for Facebook Ads MCP) and which Google Ads token (for Google Ads MCP) the connector can use.
Token Refresh
Access tokens expire after 1 hour. The refresh process is automatic:
- AI client detects expired token
- Client uses refresh token to request new access token
- MCP server validates and issues new tokens
- Tool calls continue without user intervention
Revoking Access
To revoke MCP access:
- From AI Client: Disconnect the MCP connector
- Automatic: After 30 days of inactivity
Revoking via the client only affects that one connector — to revoke access to both Facebook Ads and Google Ads MCPs, disconnect both connectors.
Next Steps
- OAuth Flow - Detailed flow documentation