OAuth Authorization Code Flow
Overview
The OAuth Authorization Code Flow is designed for user authentication scenarios where a user grants permission to an application like Claude, ChatGPT, or your custom AI application.
The MCP authorization flow is complex. It requires the MCP client to self-discover metadata about the MCP server and the corresponding authorization server and then use that information to register a new OAuth client on behalf of the caller (called Dynamic Client Registration or DCR).
Integration Requirements
The effort required to integrate with the LRA MCP server depends on which parts of the authentication flow your client implements:
Full Implementation (Recommended)
If the client implements every step, including dynamic client registration and metadata self-discovery, all you need is the URL of the MCP server: https://kfinance.kensho.com/integrations/mcp
Partial Implementation
If the client implements dynamic client registration but does not implement metadata self-discovery, you must fetch the server metadata manually. If you need additional information about the MCP or auth server not included below, please let us know.
Required Endpoints
- OAuth Protected Resource Metadata: https://kfinance.kensho.com/.well-known/oauth-protected-resource/mcp
  - Includes the URL of the authorization server, the supported scopes, and the supported bearer methods
- OAuth Authorization Server Metadata: https://kfinance.kensho.com/.well-known/oauth-authorization-server
  - Includes the URLs of the authorization, token, and registration endpoints, as well as the supported response types, grant types, and token endpoint auth methods
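When the two metadata documents are fetched by hand, check that they agree with each other before registering a client or sending a user to the authorization endpoint. The Python check below is an added example, not Kensho's code; the field names follow RFC 9728 and RFC 8414, and the sample documents and `auth.example.com` / `other.example.net` URLs are constructed placeholders, not the server's real responses.

```python
from urllib.parse import urlsplit

MCP_URL = "https://kfinance.kensho.com/integrations/mcp"  # from the page

def is_https(url):
    parts = urlsplit(url or "")
    return parts.scheme == "https" and bool(parts.netloc)

def check_metadata(resource_md, as_md, mcp_url=MCP_URL):
    """Return a list of problems; an empty list means the pair is usable."""
    problems = []
    # RFC 9728: the document must describe the resource we asked about.
    if resource_md.get("resource") != mcp_url:
        problems.append("resource does not match the MCP server URL")
    # The issuer must be an authorization server the resource points to.
    if as_md.get("issuer") not in resource_md.get("authorization_servers", []):
        problems.append("issuer not listed in authorization_servers")
    # Codes, tokens and registrations must only ever be sent over HTTPS.
    for key in ("authorization_endpoint", "token_endpoint", "registration_endpoint"):
        if not is_https(as_md.get(key)):
            problems.append(key + " missing or not https")
    if "code" not in as_md.get("response_types_supported", []):
        problems.append("response type 'code' not supported")
    # RFC 8414 default when grant_types_supported is omitted.
    grants = as_md.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        problems.append("grant type 'authorization_code' not supported")
    # bearer_methods_supported is optional; if present it must allow the header.
    methods = resource_md.get("bearer_methods_supported")
    if methods is not None and "header" not in methods:
        problems.append("bearer method 'header' not supported")
    return problems

# Constructed sample documents, not the server's real responses.
SAMPLE_RESOURCE = {"resource": MCP_URL,
                   "authorization_servers": ["https://auth.example.com"],
                   "scopes_supported": ["example.read"],
                   "bearer_methods_supported": ["header"]}
SAMPLE_AS = {"issuer": "https://auth.example.com",
             "authorization_endpoint": "https://auth.example.com/authorize",
             "token_endpoint": "https://auth.example.com/token",
             "registration_endpoint": "https://auth.example.com/register",
             "response_types_supported": ["code"],
             "grant_types_supported": ["authorization_code", "refresh_token"],
             "token_endpoint_auth_methods_supported": ["none"]}
# Same document with a different issuer and a plain-http token endpoint.
MISMATCHED_AS = dict(SAMPLE_AS, issuer="https://other.example.net",
                     token_endpoint="http://auth.example.com/token")
```

Call `check_metadata` with the parsed JSON of the two documents and refuse to continue with registration if the returned list is not empty.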
Alternative Flow
If the client does not implement dynamic client registration, you may still be able to set up an AI application using the server-to-server authentication flow.
Get started with the Client Credentials Guide.