OAuth 2.1 flow
The ScentSell MCP server implements OAuth 2.1 with PKCE and dynamic client registration as required by the MCP 2025-11-25 specification.
Discovery
Retrieve the server's OAuth metadata:
GET /.well-known/oauth-authorization-server
Response:
{
"issuer": "https://mcp.scentsell.com.au",
"authorization_endpoint": "https://mcp.scentsell.com.au/oauth/authorize",
"token_endpoint": "https://mcp.scentsell.com.au/oauth/token",
"registration_endpoint": "https://mcp.scentsell.com.au/oauth/register",
"response_types_supported": ["code"],
"grant_types_supported": ["authorization_code", "refresh_token"],
"code_challenge_methods_supported": ["S256"]
}
Dynamic client registration
MCP clients can register dynamically:
POST /oauth/register
Content-Type: application/json
{
"client_name": "My MCP Client",
"redirect_uris": ["https://myapp.example.com/callback"]
}
The response includes the client_id to use in the authorisation flow. Only the redirect_uris registered here are accepted: the redirect_uri passed to the authorisation and token endpoints must match one of them exactly (OAuth 2.1 requires exact string matching, not prefix matching).
Authorisation code flow (PKCE)
- Generate a PKCE code verifier and its S256 code challenge (base64url of the SHA-256 of the verifier, without padding). S256 is the only method the server advertises; do not fall back to plain.
- Redirect the user to the authorisation endpoint:
GET /oauth/authorize?client_id=<client_id>&redirect_uri=<redirect_uri>&response_type=code&code_challenge=<challenge>&code_challenge_method=S256&state=<random_state>
- The user signs in to ScentSell and authorises the client.
- The authorisation code is returned to redirect_uri together with the state. Check that the returned state matches the value you sent before using the code.
- Exchange the code for tokens, sending the original code verifier:
POST /oauth/token
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code
&code=<auth_code>
&redirect_uri=<redirect_uri>
&client_id=<client_id>
&code_verifier=<verifier>
- Token response:
{
"access_token": "<token>",
"refresh_token": "<refresh_token>",
"token_type": "Bearer",
"expires_in": 86400
}
Token refresh
Refresh tokens are redeemed at the same token endpoint:
POST /oauth/token
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token
&refresh_token=<refresh_token>
&client_id=<client_id>
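The following is an added example, not ScentSell's code: it implements the client side of the discovery, PKCE, callback and token-exchange steps above (plus the refresh request body) using only the Python standard library, and drives them against a hypothetical in-memory FakeAuthServer so the whole exchange runs offline. The metadata document is a constructed copy of the one shown on this page; the client_id "cid_example" and the server-side bookkeeping in FakeAuthServer are assumptions that model the RFC 7636 checks an authorisation server makes, not ScentSell's actual implementation.

```python
"""Added example (not ScentSell's code): client side of the OAuth 2.1 + PKCE flow
described on this page, exercised against a hypothetical in-memory server."""
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed copy of the discovery document shown on this page.
METADATA_JSON = """{
  "issuer": "https://mcp.scentsell.com.au",
  "authorization_endpoint": "https://mcp.scentsell.com.au/oauth/authorize",
  "token_endpoint": "https://mcp.scentsell.com.au/oauth/token",
  "registration_endpoint": "https://mcp.scentsell.com.au/oauth/register",
  "response_types_supported": ["code"],
  "grant_types_supported": ["authorization_code", "refresh_token"],
  "code_challenge_methods_supported": ["S256"]
}"""

def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 mandates."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def challenge_for(verifier: str) -> str:
    """S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def load_metadata(doc: str) -> dict:
    """Parse the metadata and refuse anything weaker than S256 PKCE."""
    meta = json.loads(doc)
    if "S256" not in meta.get("code_challenge_methods_supported", []):
        raise ValueError("server does not advertise S256; do not fall back to plain")
    if "code" not in meta.get("response_types_supported", []):
        raise ValueError("authorization code flow not supported")
    return meta

def make_pkce() -> tuple[str, str]:
    """Fresh (code_verifier, code_challenge); 32 random bytes -> 43-char verifier."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, challenge_for(verifier)

def authorize_url(meta: dict, client_id: str, redirect_uri: str,
                  challenge: str, state: str) -> str:
    """Build the GET /oauth/authorize URL from step 2 of the page."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "code_challenge": challenge,
              "code_challenge_method": "S256", "state": state}
    return meta["authorization_endpoint"] + "?" + urlencode(params)

def parse_callback(callback_url: str, expected_state: str) -> str:
    """Pull the code off the redirect; a state mismatch is treated as CSRF."""
    q = parse_qs(urlparse(callback_url).query)
    if not secrets.compare_digest(q.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch on callback")
    return q["code"][0]

def refresh_form(client_id: str, refresh_token: str) -> dict:
    """Body of the refresh request shown on this page (same token endpoint)."""
    return {"grant_type": "refresh_token", "refresh_token": refresh_token,
            "client_id": client_id}

class FakeAuthServer:
    """Hypothetical stand-in for the server's PKCE bookkeeping (assumption, not ScentSell's)."""
    def __init__(self) -> None:
        self.codes: dict[str, tuple[str, str, str]] = {}

    def issue_code(self, url: str) -> str:
        """'User signs in and authorises': bind a one-time code to the request."""
        q = parse_qs(urlparse(url).query)
        if q["code_challenge_method"][0] != "S256":
            raise ValueError("only S256 accepted")
        code = b64url(secrets.token_bytes(16))
        self.codes[code] = (q["code_challenge"][0], q["redirect_uri"][0], q["client_id"][0])
        return q["redirect_uri"][0] + "?" + urlencode({"code": code, "state": q["state"][0]})

    def exchange(self, form: dict) -> bool:
        """Token endpoint: code is single use and must match client, URI and verifier."""
        entry = self.codes.pop(form.get("code", ""), None)
        if entry is None or form.get("grant_type") != "authorization_code":
            return False
        challenge, redirect_uri, client_id = entry
        if form.get("redirect_uri") != redirect_uri or form.get("client_id") != client_id:
            return False
        return secrets.compare_digest(challenge_for(form.get("code_verifier", "")), challenge)

def run_flow(server: FakeAuthServer, client_id: str = "cid_example",
             redirect_uri: str = "https://myapp.example.com/callback",
             wrong_verifier: bool = False) -> bool:
    """Drive steps 1-5 end to end; returns whether the token exchange succeeded."""
    meta = load_metadata(METADATA_JSON)
    verifier, challenge = make_pkce()
    state = b64url(secrets.token_bytes(16))
    callback = server.issue_code(authorize_url(meta, client_id, redirect_uri, challenge, state))
    code = parse_callback(callback, state)
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
            "client_id": client_id,
            "code_verifier": "x" * 43 if wrong_verifier else verifier}
    return server.exchange(form)

if __name__ == "__main__":
    print("exchange ok:", run_flow(FakeAuthServer()))
    print("wrong verifier rejected:", not run_flow(FakeAuthServer(), wrong_verifier=True))
```

Two design points matter in practice: the client binds the callback to the request it made (state check, single-use code) and the server binds the code to the challenge, client_id and redirect_uri it saw at authorisation time, so a stolen code is useless without the verifier that never left the client. `challenge_for` can be checked against the RFC 7636 Appendix B vector.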
Next steps: