# MCP OAuth Providers MCP OAuth providers are reusable OAuth 2.0 configurations referenced by MCP servers. Each provider holds an issuer URL, audience, optional scopes, and optional introspection settings. Multiple MCP servers can reference the same provider via `_mcpOAuthProviderId`, avoiding duplicated OAuth configuration. Providers support two token validation modes: JWT validation against the issuer's JWKS endpoint (default), or RFC 7662 introspection for opaque tokens when `useIntrospection` is enabled with `clientId`/`clientSecret`. ## List MCP OAuth providers > Returns all MCP OAuth providers in the account. ```json {"openapi":"3.2.0","info":{"title":"MCP OAuth Providers","version":"1.0.0"},"tags":[{"name":"MCP OAuth Providers","description":"MCP OAuth providers are reusable OAuth 2.0 configurations referenced by\nMCP servers. Each provider holds an issuer URL, audience, optional scopes,\nand optional introspection settings. Multiple MCP servers can reference\nthe same provider via `_mcpOAuthProviderId`, avoiding duplicated OAuth\nconfiguration.\n\nProviders support two token validation modes: JWT validation against the\nissuer's JWKS endpoint (default), or RFC 7662 introspection for opaque\ntokens when `useIntrospection` is enabled with `clientId`/`clientSecret`."}],"servers":[{"url":"https://api.integrator.io","description":"Production (US / default region)"},{"url":"https://api.eu.integrator.io","description":"Production (EU region)"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer"}},"parameters":{"Include":{"name":"include","in":"query","required":false,"description":"Comma-separated list of fields to project into each returned record.\nTriggers summary projection: the response contains a minimal identity\nset (`_id`, `name`, plus resource-specific fields) with the requested\nfields added on top. Supports dot notation for nested fields.\nMutually exclusive with `exclude`.","schema":{"type":"string"}},"Exclude":{"name":"exclude","in":"query","required":false,"description":"Comma-separated list of fields to strip from the default response.\nUnlike `include`, does not trigger summary projection — returns the\nfull record with the named fields removed. Protected identity fields\n(e.g. `name`) cannot be stripped. Mutually exclusive with `include`.","schema":{"type":"string"}}},"schemas":{"Response":{"type":"object","description":"MCP OAuth provider object as returned by the API.","allOf":[{"$ref":"#/components/schemas/Request"},{"$ref":"#/components/schemas/ResourceResponse"},{"type":"object","properties":{"_userId":{"type":"string","format":"objectId","readOnly":true,"description":"Owning user ID."}}}]},"Request":{"type":"object","description":"Request body for creating or updating an MCP OAuth provider. On PUT,\nthis is a full replacement; include all fields you want to keep because\nomitted optional fields are cleared.","properties":{"name":{"type":"string","description":"Display name for the OAuth provider."},"description":{"type":"string","description":"Description of the provider's purpose."},"issuerURL":{"type":"string","format":"uri","description":"OAuth 2.0 issuer URL. Must include `http://` or `https://` scheme.\nBare hostnames are rejected."},"audience":{"type":"string","description":"Expected `aud` claim on incoming access tokens."},"scopes":{"type":"array","description":"Required OAuth scopes. Incoming tokens must carry every listed scope.","items":{"type":"string","enum":["mcp:read","mcp:write"]}},"useIntrospection":{"type":"boolean","default":false,"description":"When `true`, opaque access tokens are validated via the issuer's\nRFC 7662 introspection endpoint using `clientId`/`clientSecret`.\nWhen `false`, only JWT tokens validated against JWKS are accepted."},"clientId":{"type":["string","null"],"description":"OAuth client ID for token introspection. Required when\n`useIntrospection` is `true`."},"clientSecret":{"type":["string","null"],"description":"OAuth client secret for introspection. Masked as `\"******\"` in\nresponses; sending the masked value on PUT leaves it unchanged."}},"required":["name","issuerURL","audience"]},"ResourceResponse":{"type":"object","description":"Response","properties":{"_id":{"type":"string","format":"objectId","readOnly":true,"description":"Unique identifier for the resource. Format is a 24-character hexadecimal string."},"createdAt":{"type":"string","format":"date-time","readOnly":true,"description":"Timestamp when the resource was created. Set automatically and cannot be modified."},"lastModified":{"type":"string","format":"date-time","readOnly":true,"description":"Timestamp when the resource was last updated. Changes whenever any property is modified."},"deletedAt":{"type":["string","null"],"format":"date-time","readOnly":true,"description":"Timestamp when the resource was soft-deleted. When null or absent, the resource is active."}}}},"responses":{"401-unauthorized":{"description":"Unauthorized. The request lacks a valid bearer token, or the provided token\nfailed to authenticate.\n\nNote: the 401 response is produced by the auth middleware **before** the\nrequest reaches the endpoint handler, so it does **not** follow the\nstandard `{errors: [...]}` envelope. Instead the body is a bare\n`{message: string}` object with no `code`, no `errors` array. Callers\nhandling 401s should key off the HTTP status and the `message` string,\nnot try to destructure an `errors[]`.","content":{"application/json":{"schema":{"type":"object","properties":{"message":{"type":"string","description":"Human-readable description of the auth failure. Known values:\n- `\"Unauthorized\"` — no `Authorization` header on the request.\n- `\"Bearer Authentication Failed\"` — header present but token\n is invalid, revoked, or expired."}},"required":["message"]}}}}}},"paths":{"/v1/mcpoauthproviders":{"get":{"summary":"List MCP OAuth providers","description":"Returns all MCP OAuth providers in the account.","operationId":"listMcpOauthProviders","tags":["MCP OAuth Providers"],"parameters":[{"$ref":"#/components/parameters/Include"},{"$ref":"#/components/parameters/Exclude"}],"responses":{"200":{"description":"Provider list.","content":{"application/json":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/Response"}}}}},"204":{"description":"No providers exist in the account."},"401":{"$ref":"#/components/responses/401-unauthorized"}}}}}} ``` ## Create an MCP OAuth provider > Creates a reusable OAuth provider that MCP servers can reference via\ > \`\_mcpOAuthProviderId\`. \`name\`, \`issuerURL\`, and \`audience\` are\ > required. Set \`useIntrospection: true\` with \`clientId\`/\`clientSecret\`\ > to support opaque (non-JWT) tokens. ```json {"openapi":"3.2.0","info":{"title":"MCP OAuth Providers","version":"1.0.0"},"tags":[{"name":"MCP OAuth Providers","description":"MCP OAuth providers are reusable OAuth 2.0 configurations referenced by\nMCP servers. Each provider holds an issuer URL, audience, optional scopes,\nand optional introspection settings. Multiple MCP servers can reference\nthe same provider via `_mcpOAuthProviderId`, avoiding duplicated OAuth\nconfiguration.\n\nProviders support two token validation modes: JWT validation against the\nissuer's JWKS endpoint (default), or RFC 7662 introspection for opaque\ntokens when `useIntrospection` is enabled with `clientId`/`clientSecret`."}],"servers":[{"url":"https://api.integrator.io","description":"Production (US / default region)"},{"url":"https://api.eu.integrator.io","description":"Production (EU region)"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer"}},"schemas":{"Request":{"type":"object","description":"Request body for creating or updating an MCP OAuth provider. On PUT,\nthis is a full replacement; include all fields you want to keep because\nomitted optional fields are cleared.","properties":{"name":{"type":"string","description":"Display name for the OAuth provider."},"description":{"type":"string","description":"Description of the provider's purpose."},"issuerURL":{"type":"string","format":"uri","description":"OAuth 2.0 issuer URL. Must include `http://` or `https://` scheme.\nBare hostnames are rejected."},"audience":{"type":"string","description":"Expected `aud` claim on incoming access tokens."},"scopes":{"type":"array","description":"Required OAuth scopes. Incoming tokens must carry every listed scope.","items":{"type":"string","enum":["mcp:read","mcp:write"]}},"useIntrospection":{"type":"boolean","default":false,"description":"When `true`, opaque access tokens are validated via the issuer's\nRFC 7662 introspection endpoint using `clientId`/`clientSecret`.\nWhen `false`, only JWT tokens validated against JWKS are accepted."},"clientId":{"type":["string","null"],"description":"OAuth client ID for token introspection. Required when\n`useIntrospection` is `true`."},"clientSecret":{"type":["string","null"],"description":"OAuth client secret for introspection. Masked as `\"******\"` in\nresponses; sending the masked value on PUT leaves it unchanged."}},"required":["name","issuerURL","audience"]},"Response":{"type":"object","description":"MCP OAuth provider object as returned by the API.","allOf":[{"$ref":"#/components/schemas/Request"},{"$ref":"#/components/schemas/ResourceResponse"},{"type":"object","properties":{"_userId":{"type":"string","format":"objectId","readOnly":true,"description":"Owning user ID."}}}]},"ResourceResponse":{"type":"object","description":"Response","properties":{"_id":{"type":"string","format":"objectId","readOnly":true,"description":"Unique identifier for the resource. Format is a 24-character hexadecimal string."},"createdAt":{"type":"string","format":"date-time","readOnly":true,"description":"Timestamp when the resource was created. Set automatically and cannot be modified."},"lastModified":{"type":"string","format":"date-time","readOnly":true,"description":"Timestamp when the resource was last updated. Changes whenever any property is modified."},"deletedAt":{"type":["string","null"],"format":"date-time","readOnly":true,"description":"Timestamp when the resource was soft-deleted. When null or absent, the resource is active."}}},"Error":{"type":"object","description":"Standard error response envelope returned by integrator.io APIs.","properties":{"errors":{"type":"array","description":"List of errors that occurred while processing the request.","items":{"type":"object","properties":{"code":{"oneOf":[{"type":"string"},{"type":"integer"}],"description":"Machine-readable error code. Usually a string like\n`invalid_ref`, `missing_required_field`, or `unauthorized`;\nmay be an **integer** when the error mirrors an upstream HTTP\nstatus (e.g. `500`) — most commonly returned by connection-ping\nand adaptor-proxy responses."},"message":{"type":"string","description":"Human-readable description of the error."},"field":{"type":"string","description":"Optional pointer to the document field that caused the error.\nUsed by structural validation errors (`missing_required_field`,\n`invalid_ref`) to indicate which field is at fault\n(e.g. `_id`, `type`, `http.baseURI`)."},"source":{"type":"string","description":"Optional origin layer for the error — e.g. `application` when\nthe error came from the remote system the adaptor called,\n`connector` when the adaptor itself rejected the request."}},"required":["message"]}}},"required":["errors"]}},"responses":{"400-bad-request":{"description":"Bad request. The server could not understand the request because of malformed syntax or invalid parameters.\n","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"401-unauthorized":{"description":"Unauthorized. The request lacks a valid bearer token, or the provided token\nfailed to authenticate.\n\nNote: the 401 response is produced by the auth middleware **before** the\nrequest reaches the endpoint handler, so it does **not** follow the\nstandard `{errors: [...]}` envelope. Instead the body is a bare\n`{message: string}` object with no `code`, no `errors` array. Callers\nhandling 401s should key off the HTTP status and the `message` string,\nnot try to destructure an `errors[]`.","content":{"application/json":{"schema":{"type":"object","properties":{"message":{"type":"string","description":"Human-readable description of the auth failure. Known values:\n- `\"Unauthorized\"` — no `Authorization` header on the request.\n- `\"Bearer Authentication Failed\"` — header present but token\n is invalid, revoked, or expired."}},"required":["message"]}}}},"422-unprocessable-entity":{"description":"Unprocessable entity. The request was well-formed but was unable to be followed due to semantic errors.\n","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}}},"paths":{"/v1/mcpoauthproviders":{"post":{"summary":"Create an MCP OAuth provider","description":"Creates a reusable OAuth provider that MCP servers can reference via\n`_mcpOAuthProviderId`. `name`, `issuerURL`, and `audience` are\nrequired. Set `useIntrospection: true` with `clientId`/`clientSecret`\nto support opaque (non-JWT) tokens.","operationId":"createMcpOauthProvider","tags":["MCP OAuth Providers"],"requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Request"}}}},"responses":{"201":{"description":"Created provider.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Response"}}}},"400":{"$ref":"#/components/responses/400-bad-request"},"401":{"$ref":"#/components/responses/401-unauthorized"},"422":{"$ref":"#/components/responses/422-unprocessable-entity"}}}}}} ``` ## Get an MCP OAuth provider > Returns the full configuration of an MCP OAuth provider. ```json {"openapi":"3.2.0","info":{"title":"MCP OAuth Providers","version":"1.0.0"},"tags":[{"name":"MCP OAuth Providers","description":"MCP OAuth providers are reusable OAuth 2.0 configurations referenced by\nMCP servers. Each provider holds an issuer URL, audience, optional scopes,\nand optional introspection settings. Multiple MCP servers can reference\nthe same provider via `_mcpOAuthProviderId`, avoiding duplicated OAuth\nconfiguration.\n\nProviders support two token validation modes: JWT validation against the\nissuer's JWKS endpoint (default), or RFC 7662 introspection for opaque\ntokens when `useIntrospection` is enabled with `clientId`/`clientSecret`."}],"servers":[{"url":"https://api.integrator.io","description":"Production (US / default region)"},{"url":"https://api.eu.integrator.io","description":"Production (EU region)"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer"}},"schemas":{"Response":{"type":"object","description":"MCP OAuth provider object as returned by the API.","allOf":[{"$ref":"#/components/schemas/Request"},{"$ref":"#/components/schemas/ResourceResponse"},{"type":"object","properties":{"_userId":{"type":"string","format":"objectId","readOnly":true,"description":"Owning user ID."}}}]},"Request":{"type":"object","description":"Request body for creating or updating an MCP OAuth provider. On PUT,\nthis is a full replacement; include all fields you want to keep because\nomitted optional fields are cleared.","properties":{"name":{"type":"string","description":"Display name for the OAuth provider."},"description":{"type":"string","description":"Description of the provider's purpose."},"issuerURL":{"type":"string","format":"uri","description":"OAuth 2.0 issuer URL. Must include `http://` or `https://` scheme.\nBare hostnames are rejected."},"audience":{"type":"string","description":"Expected `aud` claim on incoming access tokens."},"scopes":{"type":"array","description":"Required OAuth scopes. Incoming tokens must carry every listed scope.","items":{"type":"string","enum":["mcp:read","mcp:write"]}},"useIntrospection":{"type":"boolean","default":false,"description":"When `true`, opaque access tokens are validated via the issuer's\nRFC 7662 introspection endpoint using `clientId`/`clientSecret`.\nWhen `false`, only JWT tokens validated against JWKS are accepted."},"clientId":{"type":["string","null"],"description":"OAuth client ID for token introspection. Required when\n`useIntrospection` is `true`."},"clientSecret":{"type":["string","null"],"description":"OAuth client secret for introspection. Masked as `\"******\"` in\nresponses; sending the masked value on PUT leaves it unchanged."}},"required":["name","issuerURL","audience"]},"ResourceResponse":{"type":"object","description":"Response","properties":{"_id":{"type":"string","format":"objectId","readOnly":true,"description":"Unique identifier for the resource. Format is a 24-character hexadecimal string."},"createdAt":{"type":"string","format":"date-time","readOnly":true,"description":"Timestamp when the resource was created. Set automatically and cannot be modified."},"lastModified":{"type":"string","format":"date-time","readOnly":true,"description":"Timestamp when the resource was last updated. Changes whenever any property is modified."},"deletedAt":{"type":["string","null"],"format":"date-time","readOnly":true,"description":"Timestamp when the resource was soft-deleted. When null or absent, the resource is active."}}},"Error":{"type":"object","description":"Standard error response envelope returned by integrator.io APIs.","properties":{"errors":{"type":"array","description":"List of errors that occurred while processing the request.","items":{"type":"object","properties":{"code":{"oneOf":[{"type":"string"},{"type":"integer"}],"description":"Machine-readable error code. Usually a string like\n`invalid_ref`, `missing_required_field`, or `unauthorized`;\nmay be an **integer** when the error mirrors an upstream HTTP\nstatus (e.g. `500`) — most commonly returned by connection-ping\nand adaptor-proxy responses."},"message":{"type":"string","description":"Human-readable description of the error."},"field":{"type":"string","description":"Optional pointer to the document field that caused the error.\nUsed by structural validation errors (`missing_required_field`,\n`invalid_ref`) to indicate which field is at fault\n(e.g. `_id`, `type`, `http.baseURI`)."},"source":{"type":"string","description":"Optional origin layer for the error — e.g. `application` when\nthe error came from the remote system the adaptor called,\n`connector` when the adaptor itself rejected the request."}},"required":["message"]}}},"required":["errors"]}},"responses":{"401-unauthorized":{"description":"Unauthorized. The request lacks a valid bearer token, or the provided token\nfailed to authenticate.\n\nNote: the 401 response is produced by the auth middleware **before** the\nrequest reaches the endpoint handler, so it does **not** follow the\nstandard `{errors: [...]}` envelope. Instead the body is a bare\n`{message: string}` object with no `code`, no `errors` array. Callers\nhandling 401s should key off the HTTP status and the `message` string,\nnot try to destructure an `errors[]`.","content":{"application/json":{"schema":{"type":"object","properties":{"message":{"type":"string","description":"Human-readable description of the auth failure. Known values:\n- `\"Unauthorized\"` — no `Authorization` header on the request.\n- `\"Bearer Authentication Failed\"` — header present but token\n is invalid, revoked, or expired."}},"required":["message"]}}}},"404-not-found":{"description":"Not found. The requested resource does not exist or is not visible to the caller.\n","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}}},"paths":{"/v1/mcpoauthproviders/{_id}":{"get":{"summary":"Get an MCP OAuth provider","description":"Returns the full configuration of an MCP OAuth provider.","operationId":"getMcpOauthProviderById","tags":["MCP OAuth Providers"],"parameters":[{"name":"_id","in":"path","description":"Provider ID.","required":true,"schema":{"type":"string","format":"objectId"}}],"responses":{"200":{"description":"Provider configuration.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Response"}}}},"401":{"$ref":"#/components/responses/401-unauthorized"},"404":{"$ref":"#/components/responses/404-not-found"}}}}}} ``` ## Update an MCP OAuth provider > Full replacement of an MCP OAuth provider's configuration --\ > include all fields, not just the ones you want to change. Send\ > \`clientSecret: "\*\*\*\*\*\*"\` to preserve the existing secret. Changes\ > propagate to all MCP servers referencing this provider. ```json {"openapi":"3.2.0","info":{"title":"MCP OAuth Providers","version":"1.0.0"},"tags":[{"name":"MCP OAuth Providers","description":"MCP OAuth providers are reusable OAuth 2.0 configurations referenced by\nMCP servers. Each provider holds an issuer URL, audience, optional scopes,\nand optional introspection settings. Multiple MCP servers can reference\nthe same provider via `_mcpOAuthProviderId`, avoiding duplicated OAuth\nconfiguration.\n\nProviders support two token validation modes: JWT validation against the\nissuer's JWKS endpoint (default), or RFC 7662 introspection for opaque\ntokens when `useIntrospection` is enabled with `clientId`/`clientSecret`."}],"servers":[{"url":"https://api.integrator.io","description":"Production (US / default region)"},{"url":"https://api.eu.integrator.io","description":"Production (EU region)"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer"}},"schemas":{"Request":{"type":"object","description":"Request body for creating or updating an MCP OAuth provider. On PUT,\nthis is a full replacement; include all fields you want to keep because\nomitted optional fields are cleared.","properties":{"name":{"type":"string","description":"Display name for the OAuth provider."},"description":{"type":"string","description":"Description of the provider's purpose."},"issuerURL":{"type":"string","format":"uri","description":"OAuth 2.0 issuer URL. Must include `http://` or `https://` scheme.\nBare hostnames are rejected."},"audience":{"type":"string","description":"Expected `aud` claim on incoming access tokens."},"scopes":{"type":"array","description":"Required OAuth scopes. Incoming tokens must carry every listed scope.","items":{"type":"string","enum":["mcp:read","mcp:write"]}},"useIntrospection":{"type":"boolean","default":false,"description":"When `true`, opaque access tokens are validated via the issuer's\nRFC 7662 introspection endpoint using `clientId`/`clientSecret`.\nWhen `false`, only JWT tokens validated against JWKS are accepted."},"clientId":{"type":["string","null"],"description":"OAuth client ID for token introspection. Required when\n`useIntrospection` is `true`."},"clientSecret":{"type":["string","null"],"description":"OAuth client secret for introspection. Masked as `\"******\"` in\nresponses; sending the masked value on PUT leaves it unchanged."}},"required":["name","issuerURL","audience"]},"Response":{"type":"object","description":"MCP OAuth provider object as returned by the API.","allOf":[{"$ref":"#/components/schemas/Request"},{"$ref":"#/components/schemas/ResourceResponse"},{"type":"object","properties":{"_userId":{"type":"string","format":"objectId","readOnly":true,"description":"Owning user ID."}}}]},"ResourceResponse":{"type":"object","description":"Response","properties":{"_id":{"type":"string","format":"objectId","readOnly":true,"description":"Unique identifier for the resource. Format is a 24-character hexadecimal string."},"createdAt":{"type":"string","format":"date-time","readOnly":true,"description":"Timestamp when the resource was created. Set automatically and cannot be modified."},"lastModified":{"type":"string","format":"date-time","readOnly":true,"description":"Timestamp when the resource was last updated. Changes whenever any property is modified."},"deletedAt":{"type":["string","null"],"format":"date-time","readOnly":true,"description":"Timestamp when the resource was soft-deleted. When null or absent, the resource is active."}}},"Error":{"type":"object","description":"Standard error response envelope returned by integrator.io APIs.","properties":{"errors":{"type":"array","description":"List of errors that occurred while processing the request.","items":{"type":"object","properties":{"code":{"oneOf":[{"type":"string"},{"type":"integer"}],"description":"Machine-readable error code. Usually a string like\n`invalid_ref`, `missing_required_field`, or `unauthorized`;\nmay be an **integer** when the error mirrors an upstream HTTP\nstatus (e.g. `500`) — most commonly returned by connection-ping\nand adaptor-proxy responses."},"message":{"type":"string","description":"Human-readable description of the error."},"field":{"type":"string","description":"Optional pointer to the document field that caused the error.\nUsed by structural validation errors (`missing_required_field`,\n`invalid_ref`) to indicate which field is at fault\n(e.g. `_id`, `type`, `http.baseURI`)."},"source":{"type":"string","description":"Optional origin layer for the error — e.g. `application` when\nthe error came from the remote system the adaptor called,\n`connector` when the adaptor itself rejected the request."}},"required":["message"]}}},"required":["errors"]}},"responses":{"400-bad-request":{"description":"Bad request. The server could not understand the request because of malformed syntax or invalid parameters.\n","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"401-unauthorized":{"description":"Unauthorized. The request lacks a valid bearer token, or the provided token\nfailed to authenticate.\n\nNote: the 401 response is produced by the auth middleware **before** the\nrequest reaches the endpoint handler, so it does **not** follow the\nstandard `{errors: [...]}` envelope. Instead the body is a bare\n`{message: string}` object with no `code`, no `errors` array. Callers\nhandling 401s should key off the HTTP status and the `message` string,\nnot try to destructure an `errors[]`.","content":{"application/json":{"schema":{"type":"object","properties":{"message":{"type":"string","description":"Human-readable description of the auth failure. Known values:\n- `\"Unauthorized\"` — no `Authorization` header on the request.\n- `\"Bearer Authentication Failed\"` — header present but token\n is invalid, revoked, or expired."}},"required":["message"]}}}},"404-not-found":{"description":"Not found. The requested resource does not exist or is not visible to the caller.\n","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"422-unprocessable-entity":{"description":"Unprocessable entity. The request was well-formed but was unable to be followed due to semantic errors.\n","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}}},"paths":{"/v1/mcpoauthproviders/{_id}":{"put":{"summary":"Update an MCP OAuth provider","description":"Full replacement of an MCP OAuth provider's configuration --\ninclude all fields, not just the ones you want to change. Send\n`clientSecret: \"******\"` to preserve the existing secret. Changes\npropagate to all MCP servers referencing this provider.","operationId":"updateMcpOauthProvider","tags":["MCP OAuth Providers"],"parameters":[{"name":"_id","in":"path","description":"Provider ID.","required":true,"schema":{"type":"string","format":"objectId"}}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/Request"}}}},"responses":{"200":{"description":"Updated provider.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Response"}}}},"400":{"$ref":"#/components/responses/400-bad-request"},"401":{"$ref":"#/components/responses/401-unauthorized"},"404":{"$ref":"#/components/responses/404-not-found"},"422":{"$ref":"#/components/responses/422-unprocessable-entity"}}}}}} ``` ## Delete an MCP OAuth provider > Deletes an MCP OAuth provider. MCP servers referencing this\ > provider via \`\_mcpOAuthProviderId\` will lose their OAuth\ > configuration. ```json {"openapi":"3.2.0","info":{"title":"MCP OAuth Providers","version":"1.0.0"},"tags":[{"name":"MCP OAuth Providers","description":"MCP OAuth providers are reusable OAuth 2.0 configurations referenced by\nMCP servers. Each provider holds an issuer URL, audience, optional scopes,\nand optional introspection settings. Multiple MCP servers can reference\nthe same provider via `_mcpOAuthProviderId`, avoiding duplicated OAuth\nconfiguration.\n\nProviders support two token validation modes: JWT validation against the\nissuer's JWKS endpoint (default), or RFC 7662 introspection for opaque\ntokens when `useIntrospection` is enabled with `clientId`/`clientSecret`."}],"servers":[{"url":"https://api.integrator.io","description":"Production (US / default region)"},{"url":"https://api.eu.integrator.io","description":"Production (EU region)"}],"security":[{"bearerAuth":[]}],"components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer"}},"responses":{"401-unauthorized":{"description":"Unauthorized. The request lacks a valid bearer token, or the provided token\nfailed to authenticate.\n\nNote: the 401 response is produced by the auth middleware **before** the\nrequest reaches the endpoint handler, so it does **not** follow the\nstandard `{errors: [...]}` envelope. Instead the body is a bare\n`{message: string}` object with no `code`, no `errors` array. Callers\nhandling 401s should key off the HTTP status and the `message` string,\nnot try to destructure an `errors[]`.","content":{"application/json":{"schema":{"type":"object","properties":{"message":{"type":"string","description":"Human-readable description of the auth failure. Known values:\n- `\"Unauthorized\"` — no `Authorization` header on the request.\n- `\"Bearer Authentication Failed\"` — header present but token\n is invalid, revoked, or expired."}},"required":["message"]}}}},"404-not-found":{"description":"Not found. The requested resource does not exist or is not visible to the caller.\n","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}},"schemas":{"Error":{"type":"object","description":"Standard error response envelope returned by integrator.io APIs.","properties":{"errors":{"type":"array","description":"List of errors that occurred while processing the request.","items":{"type":"object","properties":{"code":{"oneOf":[{"type":"string"},{"type":"integer"}],"description":"Machine-readable error code. Usually a string like\n`invalid_ref`, `missing_required_field`, or `unauthorized`;\nmay be an **integer** when the error mirrors an upstream HTTP\nstatus (e.g. `500`) — most commonly returned by connection-ping\nand adaptor-proxy responses."},"message":{"type":"string","description":"Human-readable description of the error."},"field":{"type":"string","description":"Optional pointer to the document field that caused the error.\nUsed by structural validation errors (`missing_required_field`,\n`invalid_ref`) to indicate which field is at fault\n(e.g. `_id`, `type`, `http.baseURI`)."},"source":{"type":"string","description":"Optional origin layer for the error — e.g. `application` when\nthe error came from the remote system the adaptor called,\n`connector` when the adaptor itself rejected the request."}},"required":["message"]}}},"required":["errors"]}}},"paths":{"/v1/mcpoauthproviders/{_id}":{"delete":{"summary":"Delete an MCP OAuth provider","description":"Deletes an MCP OAuth provider. MCP servers referencing this\nprovider via `_mcpOAuthProviderId` will lose their OAuth\nconfiguration.","operationId":"deleteMcpOauthProvider","tags":["MCP OAuth Providers"],"parameters":[{"name":"_id","in":"path","description":"Provider ID.","required":true,"schema":{"type":"string","format":"objectId"}}],"responses":{"204":{"description":"Deleted."},"401":{"$ref":"#/components/responses/401-unauthorized"},"404":{"$ref":"#/components/responses/404-not-found"}}}}}} ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://developer.celigo.com/api/api-reference/mcp-oauth-providers.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.