How OAuth works for the MCP server
DocJacket's MCP server uses OAuth 2.1 with Dynamic Client Registration (RFC 7591). For most users, that translates to: paste https://mcp.docjacket.com/mcp into Claude / ChatGPT / Codex, click Allow on the consent screen, done. No API keys to copy, no tokens to rotate.
TL;DR
| You do | DocJacket does |
|---|---|
| Paste the MCP URL into your AI client | Returns 401 + WWW-Authenticate pointing at our OAuth metadata |
| (Client discovers our metadata, registers itself, redirects you) | Returns an auth URL |
| Sign in to DocJacket if needed | Verifies you're a real user |
| Click Allow on the consent screen | Issues a 1-hour access token + 30-day refresh token, both bound to your user + the AI client |
| Use your AI as normal | Validates every tool call against the JWT and logs it to your Activity Log |
That's it. The whole flow is ~6 HTTP requests and ~1 second end-to-end.
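The client side of the first three rows above, as an added example (this is not DocJacket's code or any AI client's): parse the 401 challenge to find the metadata document, generate an S256 PKCE pair, and build the authorization redirect carrying an RFC 8707 `resource` indicator. The metadata URL, the authorization-server hostname, the `client_id` (what Dynamic Client Registration would have returned) and the loopback redirect URI are all constructed assumptions; only the MCP URL comes from the page.

```python
import base64
import hashlib
import re
import secrets
from urllib.parse import urlencode

MCP_URL = "https://mcp.docjacket.com/mcp"  # the URL the page tells users to paste

# Constructed sample 401 challenge. resource_metadata is the RFC 9728 parameter name;
# the exact metadata URL is an assumption, not taken from DocJacket.
SAMPLE_401_CHALLENGE = (
    'Bearer resource_metadata="https://mcp.docjacket.com/.well-known/oauth-protected-resource"'
)

# Constructed stand-ins for the two documents a client fetches next (RFC 9728
# protected-resource metadata, then RFC 8414 authorization-server metadata).
SAMPLE_RESOURCE_METADATA = {
    "resource": MCP_URL,
    "authorization_servers": ["https://auth.docjacket.example"],
}
SAMPLE_AS_METADATA = {
    "issuer": "https://auth.docjacket.example",
    "authorization_endpoint": "https://auth.docjacket.example/authorize",
    "token_endpoint": "https://auth.docjacket.example/token",
    "registration_endpoint": "https://auth.docjacket.example/register",
    "code_challenge_methods_supported": ["S256"],
}


def parse_bearer_challenge(header):
    """Turn 'Bearer k="v", k2="v2"' into {'k': 'v', 'k2': 'v2'}."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("expected a Bearer challenge, got %r" % scheme)
    return dict(re.findall(r'(\w+)="([^"]*)"', params))


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Return (code_verifier, S256 code_challenge) per RFC 7636."""
    verifier = _b64url(secrets.token_bytes(32))  # 43 chars of fresh entropy
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def pkce_matches(verifier, challenge):
    """What the token endpoint does at code exchange: recompute and compare in constant time."""
    expected = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, challenge)


def build_authorization_url(as_metadata, client_id, redirect_uri, scope, challenge, state):
    """Build the redirect the AI client sends the user to (TL;DR rows 2-3)."""
    if "S256" not in as_metadata.get("code_challenge_methods_supported", []):
        raise ValueError("server does not advertise S256 PKCE; refusing to fall back to 'plain'")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "resource": MCP_URL,  # RFC 8707: the token is for this MCP server only
    }
    return as_metadata["authorization_endpoint"] + "?" + urlencode(params)


def discover_and_start(challenge_header=SAMPLE_401_CHALLENGE,
                       resource_metadata=SAMPLE_RESOURCE_METADATA,
                       as_metadata=SAMPLE_AS_METADATA):
    """Walk the client-side steps offline; returns what a client holds while the user is redirected."""
    params = parse_bearer_challenge(challenge_header)
    metadata_url = params["resource_metadata"]  # a real client GETs this, then the AS metadata
    if resource_metadata["resource"] != MCP_URL:
        raise ValueError("protected-resource metadata does not describe the server we called")
    verifier, challenge = make_pkce_pair()
    state = _b64url(secrets.token_bytes(16))
    url = build_authorization_url(
        as_metadata,
        client_id="client_constructed_123",            # hypothetical DCR result
        redirect_uri="http://127.0.0.1:8765/callback",  # loopback redirect, assumption
        scope="read",                                   # one of the page's scope tiers
        challenge=challenge,
        state=state,
    )
    return {"metadata_url": metadata_url, "verifier": verifier, "state": state, "authorize_url": url}
```

The `resource` parameter is the part a reviewer should look for: it is what lets the authorization server mint a token whose audience is this MCP server and nothing else, so a token obtained for DocJacket cannot be replayed against another resource. The `code_verifier` and `state` stay on the client until the callback; the verifier is sent only to the token endpoint.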
When you'd care about the protocol detail
- You're the org admin asking "what does Claude actually see when it connects?"
- You're investigating an "Authorization with the MCP server failed" error
- You're building a custom MCP client and need to know our endpoints
- You're a security reviewer evaluating DocJacket before approving it
For all of those: read the full breakdown → How OAuth works under AI Access. It covers the 6-step flow with concrete HTTP requests, the metadata documents, PKCE, scopes, token rotation, RFC 8707 resource indicators, and revocation.
When you'd skip OAuth
A few clients don't (yet) support paste-URL OAuth and need a personal access token instead:
- Cowork — org-installed plugin, token is the right primitive for org-wide install (setup)
- Gemini CLI — DCR support not yet shipped on Gemini's MCP client (setup)
- Codex CLI — works either way; many users prefer the token + `codex secret set` flow (setup)
- Custom HTTP clients / scripts — paste a token into your `Authorization: Bearer …` header
Mint tokens at app.docjacket.com/settings/ai-access. They are scoped per org, can be labelled, and can be revoked independently of one another.
Need help?
If OAuth fails, the assistant will display a reference ID on the error screen. Send it to support@docjacket.com and we can correlate it with our diagnostic logs (every JWT validation failure, token grant, and consent decision is logged).
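What "validates every tool call against the JWT" and "every JWT validation failure ... is logged" look like on the server side, as an added example (not DocJacket's code; the page does not describe its implementation). The token is checked for signature, pinned algorithm, audience equal to the MCP URL, expiry, user + client binding, and scope before the tool call is allowed, and every outcome is appended to an in-memory log with a reference ID on failure. HS256 with an embedded demo key is a simplification so the example runs without key material; the page does not say which algorithm DocJacket signs with. The issuer URL, `DEMO_KEY`, and the `mint_access_token` helper are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

RESOURCE = "https://mcp.docjacket.com/mcp"  # the audience every token must name (RFC 8707)
AUDIT_LOG = []                               # stands in for the Activity Log / diagnostic logs

# Constructed demo key: HS256 is used only so this runs offline; not how a real AS would sign.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_access_token(sub, client_id, scope, aud=RESOURCE, key=DEMO_KEY, ttl=3600, now=None):
    """Hypothetical issuer: a 1-hour token bound to user + AI client (TL;DR row 4)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": "https://auth.docjacket.example", "sub": sub, "client_id": client_id,
              "aud": aud, "scope": scope, "iat": now, "exp": now + ttl}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_tool_call(authorization_header, required_scope, key=DEMO_KEY, now=None):
    """Check one tool call's bearer JWT; log the outcome; failures get a reference ID."""
    now = int(time.time()) if now is None else now
    outcome = _check(authorization_header, required_scope, key, now)
    if not outcome["ok"]:
        outcome["reference_id"] = secrets.token_hex(6)  # what the user would send to support
    AUDIT_LOG.append({"event": "jwt_validation", "required_scope": required_scope, **outcome})
    return outcome


def _check(authorization_header, required_scope, key, now):
    scheme, _, token = (authorization_header or "").partition(" ")
    if scheme != "Bearer" or not token:
        return {"ok": False, "reason": "missing_bearer"}
    parts = token.split(".")
    if len(parts) != 3:
        return {"ok": False, "reason": "malformed_token"}
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        sig = _b64url_decode(parts[2])
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return {"ok": False, "reason": "malformed_token"}
    # Pin the algorithm before touching the signature; never let header['alg'] choose it.
    if header.get("alg") != "HS256":
        return {"ok": False, "reason": "unsupported_alg"}
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return {"ok": False, "reason": "bad_signature"}
    if claims.get("aud") != RESOURCE:
        return {"ok": False, "reason": "audience_mismatch"}  # minted for some other resource
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return {"ok": False, "reason": "token_expired"}
    if not claims.get("sub") or not claims.get("client_id"):
        return {"ok": False, "reason": "missing_binding"}  # must name both user and AI client
    granted = set(claims.get("scope", "").split())
    if required_scope not in granted:
        return {"ok": False, "reason": "insufficient_scope"}
    return {"ok": True, "sub": claims["sub"], "client_id": claims["client_id"], "scope": sorted(granted)}
```

Order matters: the audience check comes before anything that depends on the claims being meaningful, and the scope check is last, so a token for another resource never gets as far as a scope decision. The `reason` and `reference_id` fields are the two things a support correlation needs; the log entry keeps the same fields so the ID in the user's error screen can be matched to exactly one validation attempt.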
Read more
- How OAuth works (full protocol) — discovery, DCR, PKCE, scopes, rotation, revocation
- Permissions — read / draft / actions scope tiers
- AI Access overview — the umbrella feature