OAuth 2.1 Flow
The Hype Doc MCP server uses OAuth 2.1 with PKCE for authentication, following the MCP specification. Most MCP clients handle this flow automatically.
Discovery endpoints
MCP clients discover the OAuth configuration using well-known endpoints:
Protected Resource Metadata
```
GET https://app.myhypedoc.com/.well-known/oauth-protected-resource
```

Returns the resource server metadata, including the authorization server URL.
Authorization Server Metadata
```
GET https://app.myhypedoc.com/.well-known/oauth-authorization-server
```

Returns the full OAuth server configuration, including:
- Authorization endpoint
- Token endpoint
- Supported grant types
- Supported response types
- PKCE code challenge methods
Flow overview
1. Client discovers endpoints via `.well-known` metadata
2. Client generates a PKCE code verifier and derives the code challenge
3. Client redirects the user to the authorization endpoint with the code challenge
4. User authorizes Hype Doc in their browser
5. Authorization server redirects back with an authorization code
6. Client exchanges the code for an access token (including the code verifier)
7. Client uses the access token in the `Authorization: Bearer` header for MCP requests
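The PKCE half of the flow above, as an added example that is not part of the Hype Doc documentation or the Doorkeeper code base: a client derives the S256 challenge from a random verifier, sends only the challenge in the authorize request, and sends the verifier at the token exchange, where the server re-derives and compares. The endpoint URLs and client parameters are assumptions; a real client takes them from the `.well-known` metadata.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Assumed endpoints; real clients read these from the .well-known metadata.
AUTHORIZE_URL = "https://app.myhypedoc.com/oauth/authorize"
TOKEN_URL = "https://app.myhypedoc.com/oauth/token"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """43-char verifier from 32 random bytes (RFC 7636 allows 43..128)."""
    return b64url(secrets.token_bytes(32))


def derive_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id: str, redirect_uri: str, verifier: str, state: str) -> str:
    """Step 3: redirect carries the challenge only; the verifier never leaves the client here."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_challenge": derive_challenge(verifier),
        "code_challenge_method": "S256",
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def token_request_body(code: str, verifier: str, client_id: str, redirect_uri: str) -> dict:
    """Step 6: form fields POSTed to TOKEN_URL; now the verifier itself is sent."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": verifier,
    }


def server_accepts(stored_challenge: str, presented_verifier: str) -> bool:
    """Server-side check at token exchange: an intercepted code is useless without the verifier."""
    return secrets.compare_digest(derive_challenge(presented_verifier), stored_challenge)
```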
Token usage
Once authorized, the MCP client includes the access token in every request:

```http
POST /mcp HTTP/1.1
Host: app.myhypedoc.com
Authorization: Bearer oauth_access_token_here
Content-Type: application/json
```

Doorkeeper (OAuth provider)
Hype Doc uses Doorkeeper as its OAuth 2.1 provider. The standard Doorkeeper endpoints are available:
| Endpoint | Path |
|---|---|
| Authorization | /oauth/authorize |
| Token | /oauth/token |
| Revocation | /oauth/revoke |
Rate limits
OAuth-authenticated MCP requests are limited to 60 requests per minute per token. See Rate Limits.