Authorization and scopes

April 15, 2026

How OAuth works for OmniCon's MCP server — and how your account's access gates every call.


OmniCon's MCP server uses OAuth 2.0 with PKCE — the same pattern Claude uses for all hosted connectors.

The flow

  1. Your client registers dynamically with the server (no pre-shared secrets).
  2. The client opens https://mcp.omnicon.cloud/connect/authorize in your browser.
  3. You sign in with your normal OmniCon account.
  4. OmniCon redirects back to the client with an authorization code.
  5. The client exchanges the code for an access token. All subsequent tool calls carry it.

What the token can do

Tokens act as you. Every tool call runs against your user identity, so it can touch exactly the organizations, channels, and content your account can touch in the web editor — no more, no less.

If you lose access to a channel (for example, you are removed from the org or your role changes), the next call against that channel fails with a permission error. You do not need to re-authenticate for the change to take effect.

Revoking access

To disconnect a client, remove it from the connector list in your MCP client. To revoke all tokens system-wide, change your OmniCon password — existing tokens stop working.