MCP OAuth Clients
Package: agentrouter.mcp.v1 Service: McpOAuthClientsService
Endpoints
Create an MCP OAuth client
What it does: Registers a new OAuth client under a project. The client_secret is wrapped by the secret service and discarded; only an sm:// reference is persisted.
Request fields:
| Field | Required | Description | |
|---|---|---|---|
customer_id | no | Defaults to the caller's session customer when empty. | |
project_id | no | Defaults to the caller's session project when empty. | |
provider | yes | Required: stable provider key, e.g. "github". | |
provider_name | yes | Required: human-friendly provider display name. | |
client_id | yes | Required: OAuth client id from the provider. | |
client_secret | yes | Required: OAuth client secret. WRITE-ONLY -- wrapped by the secret service and never returned on any response. | |
authorization_url | yes | Required: OAuth authorization endpoint URL. | |
token_url | yes | Required: OAuth token endpoint URL. | |
scopes | no | Optional: requested OAuth scopes. | |
redirect_uris | no | Optional: allowed redirect URIs. | |
metadata | no | Optional: free-form provider configuration. | |
server_ids | no | Optional: MCP server ids this client serves. | |
status | no | Optional: initial status ("active" | "inactive"). Defaults to "active" when empty. |
Response fields:
| Field | Required | Description | ||
|---|---|---|---|---|
id | output-only | Server-assigned uuid row id. Output-only. | ||
customer_id | output-only | Owning customer scope. Defaults to the caller's session customer when empty on the request; immutable once set. | ||
project_id | output-only | Owning project scope. Defaults to the caller's session project when empty on the request; immutable once set. | ||
provider | yes | Stable provider key, e.g. "github", "google". Unique per (customer, project). Required on create. | ||
provider_name | yes | Human-friendly display name for the provider, e.g. "GitHub". | ||
client_id | yes | OAuth client id issued by the upstream provider. | ||
authorization_url | yes | OAuth authorization endpoint URL. | ||
token_url | yes | OAuth token endpoint URL. | ||
scopes | no | OAuth scopes requested during the authorization flow. | ||
redirect_uris | no | Allowed redirect URIs for the authorization-code flow. | ||
metadata | no | Free-form provider configuration (discovery_url, token_auth_method, ...). Mirrors the dashboard's jsonb metadata column. | ||
server_ids | no | MCP server ids this client serves. Empty means "all servers in the project". | ||
status | no | Lifecycle status: "active" | "inactive" | "revoked". |
created_at | output-only | Row creation time. Output-only. | ||
updated_at | output-only | Last mutation time. Output-only. |
{"signatures":{"go":"c.McpOAuthClients().CreateMcpOAuthClient(ctx, \u0026mcpv1.CreateMcpOAuthClientRequest{...})","python":"client.mcpoauthclients.createmcpoauthclient(...)","typescript":"client.mcpoauthclients.createmcpoauthclient({...})","cli":"tare api mcp oauth-clients create --provider $PROVIDER --provider-name $PROVIDER_NAME --client-id $CLIENT_ID --client-secret $CLIENT_SECRET --authorization-url $AUTHORIZATION_URL --token-url $TOKEN_URL","curl":"curl -X POST \"${AGENTROUTER_BASE_URL}/v1/customers/cust_01H.../projects/proj_01H.../mcp-oauth-clients\" \\\n -H \"Authorization: Bearer ak-${AGENTROUTER_API_KEY}\" \\\n -H \"Content-Type: application/json\" \\\n -d '{\n \"provider\": \"...\",\n \"provider_name\": \"...\",\n \"client_id\": \"...\",\n \"client_secret\": \"...\",\n \"authorization_url\": \"...\",\n \"token_url\": \"...\",\n \"scopes\": [],\n \"redirect_uris\": [],\n \"metadata\": {},\n \"server_ids\": [],\n \"status\": \"...\"\n }'"},"examples":{"go":"// No Go SDK wrapper for McpOAuthClientsService yet -- use the CLI or curl example below.","python":"# No Python SDK wrapper for McpOAuthClientsService yet -- use the CLI or curl example below.","typescript":"// No TypeScript SDK wrapper for McpOAuthClientsService yet -- use the CLI or curl example below.","cli":"tare api mcp oauth-clients create --provider $PROVIDER --provider-name $PROVIDER_NAME --client-id $CLIENT_ID --client-secret $CLIENT_SECRET --authorization-url $AUTHORIZATION_URL --token-url $TOKEN_URL","curl":"curl -X POST \"${AGENTROUTER_BASE_URL}/v1/customers/cust_01H.../projects/proj_01H.../mcp-oauth-clients\" \\\n -H \"Authorization: Bearer ak-${AGENTROUTER_API_KEY}\" \\\n -H \"Content-Type: application/json\" \\\n -d '{\n \"provider\": \"...\",\n \"provider_name\": \"...\",\n \"client_id\": \"...\",\n \"client_secret\": \"...\",\n \"authorization_url\": \"...\",\n \"token_url\": \"...\",\n \"scopes\": [],\n \"redirect_uris\": [],\n \"metadata\": {},\n \"server_ids\": [],\n \"status\": \"...\"\n }'"},"persona":"Authenticated (API key or session token)","httpVerb":"POST","httpPath":"/v1/customers/{customer_id}/projects/{project_id}/mcp-oauth-clients","slug":"create-an-mcp-oauth-client"}Get an MCP OAuth client
What it does: Returns a single OAuth client by id. Never returns the client_secret. Account tier: any project member may read.
Request fields:
| Field | Required | Description |
|---|---|---|
customer_id | no | Defaults to the caller's session customer when empty. |
project_id | no | Defaults to the caller's session project when empty. |
id | yes | Required: uuid of the client to fetch (McpOAuthClient.id). |
Response fields:
| Field | Required | Description | ||
|---|---|---|---|---|
id | output-only | Server-assigned uuid row id. Output-only. | ||
customer_id | output-only | Owning customer scope. Defaults to the caller's session customer when empty on the request; immutable once set. | ||
project_id | output-only | Owning project scope. Defaults to the caller's session project when empty on the request; immutable once set. | ||
provider | yes | Stable provider key, e.g. "github", "google". Unique per (customer, project). Required on create. | ||
provider_name | yes | Human-friendly display name for the provider, e.g. "GitHub". | ||
client_id | yes | OAuth client id issued by the upstream provider. | ||
authorization_url | yes | OAuth authorization endpoint URL. | ||
token_url | yes | OAuth token endpoint URL. | ||
scopes | no | OAuth scopes requested during the authorization flow. | ||
redirect_uris | no | Allowed redirect URIs for the authorization-code flow. | ||
metadata | no | Free-form provider configuration (discovery_url, token_auth_method, ...). Mirrors the dashboard's jsonb metadata column. | ||
server_ids | no | MCP server ids this client serves. Empty means "all servers in the project". | ||
status | no | Lifecycle status: "active" | "inactive" | "revoked". |
created_at | output-only | Row creation time. Output-only. | ||
updated_at | output-only | Last mutation time. Output-only. |
{"signatures":{"go":"c.McpOAuthClients().GetMcpOAuthClient(ctx, \u0026mcpv1.GetMcpOAuthClientRequest{...})","python":"client.mcpoauthclients.getmcpoauthclient(...)","typescript":"client.mcpoauthclients.getmcpoauthclient({...})","cli":"tare api mcp oauth-clients get \u003cid\u003e","curl":"curl \"${AGENTROUTER_BASE_URL}/v1/customers/cust_01H.../projects/proj_01H.../mcp-oauth-clients/01H...\" \\\n -H \"Authorization: Bearer ak-${AGENTROUTER_API_KEY}\""},"examples":{"go":"// No Go SDK wrapper for McpOAuthClientsService yet -- use the CLI or curl example below.","python":"# No Python SDK wrapper for McpOAuthClientsService yet -- use the CLI or curl example below.","typescript":"// No TypeScript SDK wrapper for McpOAuthClientsService yet -- use the CLI or curl example below.","cli":"tare api mcp oauth-clients get \u003cid\u003e","curl":"curl \"${AGENTROUTER_BASE_URL}/v1/customers/cust_01H.../projects/proj_01H.../mcp-oauth-clients/01H...\" \\\n -H \"Authorization: Bearer ak-${AGENTROUTER_API_KEY}\""},"persona":"Authenticated (API key or session token)","httpVerb":"GET","httpPath":"/v1/customers/{customer_id}/projects/{project_id}/mcp-oauth-clients/{id}","slug":"get-an-mcp-oauth-client"}List MCP OAuth clients
What it does: Lists every non-deleted OAuth client in the (customer, project) scope. Account tier: any project member may read.
Request fields:
| Field | Required | Description |
|---|---|---|
customer_id | no | Defaults to the caller's session customer when empty. |
project_id | no | Defaults to the caller's session project when empty. |
page | no | Cursor-pagination inputs (page size + continuation token). |
Response fields:
| Field | Required | Description |
|---|---|---|
clients | no | OAuth clients in the requested scope (metadata only, no secrets). |
page | no | Cursor-pagination outputs (next-page token). |
{"signatures":{"go":"c.McpOAuthClients().ListMcpOAuthClients(ctx, \u0026mcpv1.ListMcpOAuthClientsRequest{...})","python":"client.mcpoauthclients.listmcpoauthclients(...)","typescript":"client.mcpoauthclients.listmcpoauthclients({...})","cli":"tare api mcp oauth-clients list","curl":"curl \"${AGENTROUTER_BASE_URL}/v1/customers/cust_01H.../projects/proj_01H.../mcp-oauth-clients\" \\\n -H \"Authorization: Bearer ak-${AGENTROUTER_API_KEY}\""},"examples":{"go":"// No Go SDK wrapper for McpOAuthClientsService yet -- use the CLI or curl example below.","python":"# No Python SDK wrapper for McpOAuthClientsService yet -- use the CLI or curl example below.","typescript":"// No TypeScript SDK wrapper for McpOAuthClientsService yet -- use the CLI or curl example below.","cli":"tare api mcp oauth-clients list","curl":"curl \"${AGENTROUTER_BASE_URL}/v1/customers/cust_01H.../projects/proj_01H.../mcp-oauth-clients\" \\\n -H \"Authorization: Bearer ak-${AGENTROUTER_API_KEY}\""},"persona":"Authenticated (API key or session token)","httpVerb":"GET","httpPath":"/v1/customers/{customer_id}/projects/{project_id}/mcp-oauth-clients","slug":"list-mcp-oauth-clients"}Update an MCP OAuth client
What it does: Applies a partial patch. Omitted scalar strings ("") leave the existing value untouched. A non-empty client_secret rotates the wrapped secret in place.
Request fields:
| Field | Required | Description |
|---|---|---|
customer_id | no | Defaults to the caller's session customer when empty. |
project_id | no | Defaults to the caller's session project when empty. |
id | yes | Required: uuid of the client to update (McpOAuthClient.id). |
provider_name | no | Mutable scalar fields. Empty string leaves the existing value untouched. |
client_id | no | undocumented |
client_secret | no | Optional: a non-empty value rotates the wrapped client secret in place. Empty leaves the stored secret untouched. WRITE-ONLY. |
authorization_url | no | undocumented |
token_url | no | undocumented |
status | no | undocumented |
scopes | no | Repeated / map fields: a non-nil value REPLACES the stored value; a nil/omitted value leaves it untouched (see the replace_* flags). |
redirect_uris | no | undocumented |
metadata | no | undocumented |
server_ids | no | undocumented |
replace_scopes | no | Because proto3 cannot distinguish an omitted repeated/map field from an explicit "set to empty", these booleans opt in to clearing the matching collection. When false, an empty scopes/redirect_uris/ metadata/server_ids is treated as "leave untouched". |
replace_redirect_uris | no | undocumented |
replace_metadata | no | undocumented |
replace_server_ids | no | undocumented |
Response fields:
| Field | Required | Description | ||
|---|---|---|---|---|
id | output-only | Server-assigned uuid row id. Output-only. | ||
customer_id | output-only | Owning customer scope. Defaults to the caller's session customer when empty on the request; immutable once set. | ||
project_id | output-only | Owning project scope. Defaults to the caller's session project when empty on the request; immutable once set. | ||
provider | yes | Stable provider key, e.g. "github", "google". Unique per (customer, project). Required on create. | ||
provider_name | yes | Human-friendly display name for the provider, e.g. "GitHub". | ||
client_id | yes | OAuth client id issued by the upstream provider. | ||
authorization_url | yes | OAuth authorization endpoint URL. | ||
token_url | yes | OAuth token endpoint URL. | ||
scopes | no | OAuth scopes requested during the authorization flow. | ||
redirect_uris | no | Allowed redirect URIs for the authorization-code flow. | ||
metadata | no | Free-form provider configuration (discovery_url, token_auth_method, ...). Mirrors the dashboard's jsonb metadata column. | ||
server_ids | no | MCP server ids this client serves. Empty means "all servers in the project". | ||
status | no | Lifecycle status: "active" | "inactive" | "revoked". |
created_at | output-only | Row creation time. Output-only. | ||
updated_at | output-only | Last mutation time. Output-only. |
{"signatures":{"go":"c.McpOAuthClients().UpdateMcpOAuthClient(ctx, \u0026mcpv1.UpdateMcpOAuthClientRequest{...})","python":"client.mcpoauthclients.updatemcpoauthclient(...)","typescript":"client.mcpoauthclients.updatemcpoauthclient({...})","cli":"tare api mcp oauth-clients update --id $ID","curl":"curl -X PATCH \"${AGENTROUTER_BASE_URL}/v1/customers/cust_01H.../projects/proj_01H.../mcp-oauth-clients/01H...\" \\\n -H \"Authorization: Bearer ak-${AGENTROUTER_API_KEY}\" \\\n -H \"Content-Type: application/json\" \\\n -d '{\n \"provider_name\": \"...\",\n \"client_id\": \"...\",\n \"client_secret\": \"...\",\n \"authorization_url\": \"...\",\n \"token_url\": \"...\",\n \"status\": \"...\",\n \"scopes\": [],\n \"redirect_uris\": [],\n \"metadata\": {},\n \"server_ids\": [],\n \"replace_scopes\": false,\n \"replace_redirect_uris\": false,\n \"replace_metadata\": false,\n \"replace_server_ids\": false\n }'"},"examples":{"go":"// No Go SDK wrapper for McpOAuthClientsService yet -- use the CLI or curl example below.","python":"# No Python SDK wrapper for McpOAuthClientsService yet -- use the CLI or curl example below.","typescript":"// No TypeScript SDK wrapper for McpOAuthClientsService yet -- use the CLI or curl example below.","cli":"tare api mcp oauth-clients update --id $ID","curl":"curl -X PATCH \"${AGENTROUTER_BASE_URL}/v1/customers/cust_01H.../projects/proj_01H.../mcp-oauth-clients/01H...\" \\\n -H \"Authorization: Bearer ak-${AGENTROUTER_API_KEY}\" \\\n -H \"Content-Type: application/json\" \\\n -d '{\n \"provider_name\": \"...\",\n \"client_id\": \"...\",\n \"client_secret\": \"...\",\n \"authorization_url\": \"...\",\n \"token_url\": \"...\",\n \"status\": \"...\",\n \"scopes\": [],\n \"redirect_uris\": [],\n \"metadata\": {},\n \"server_ids\": [],\n \"replace_scopes\": false,\n \"replace_redirect_uris\": false,\n \"replace_metadata\": false,\n \"replace_server_ids\": false\n }'"},"persona":"Authenticated (API key or session token)","httpVerb":"PATCH","httpPath":"/v1/customers/{customer_id}/projects/{project_id}/mcp-oauth-clients/{id}","slug":"update-an-mcp-oauth-client"}Delete an MCP OAuth client
What it does: Soft-deletes a client (deleted_at set).
Request fields:
| Field | Required | Description |
|---|---|---|
customer_id | no | Defaults to the caller's session customer when empty. |
project_id | no | Defaults to the caller's session project when empty. |
id | yes | Required: uuid of the client to soft-delete (McpOAuthClient.id). |
{"signatures":{"go":"c.McpOAuthClients().DeleteMcpOAuthClient(ctx, \u0026mcpv1.DeleteMcpOAuthClientRequest{...})","python":"client.mcpoauthclients.deletemcpoauthclient(...)","typescript":"client.mcpoauthclients.deletemcpoauthclient({...})","cli":"tare api mcp oauth-clients delete \u003cid\u003e","curl":"curl -X DELETE \"${AGENTROUTER_BASE_URL}/v1/customers/cust_01H.../projects/proj_01H.../mcp-oauth-clients/01H...\" \\\n -H \"Authorization: Bearer ak-${AGENTROUTER_API_KEY}\""},"examples":{"go":"// No Go SDK wrapper for McpOAuthClientsService yet -- use the CLI or curl example below.","python":"# No Python SDK wrapper for McpOAuthClientsService yet -- use the CLI or curl example below.","typescript":"// No TypeScript SDK wrapper for McpOAuthClientsService yet -- use the CLI or curl example below.","cli":"tare api mcp oauth-clients delete \u003cid\u003e","curl":"curl -X DELETE \"${AGENTROUTER_BASE_URL}/v1/customers/cust_01H.../projects/proj_01H.../mcp-oauth-clients/01H...\" \\\n -H \"Authorization: Bearer ak-${AGENTROUTER_API_KEY}\""},"persona":"Authenticated (API key or session token)","httpVerb":"DELETE","httpPath":"/v1/customers/{customer_id}/projects/{project_id}/mcp-oauth-clients/{id}","slug":"delete-an-mcp-oauth-client"}