OAuth Authorization Code Flow
Overview
The OAuth Authorization Code Flow is designed for user authentication scenarios where a user grants permission to an application like Claude, ChatGPT, or your custom AI application.
The MCP authorization flow is complex. It requires the MCP client to self-discover metadata about the MCP server and the corresponding authorization server and then use that information to register a new OAuth client on behalf of the caller (called Dynamic Client Registration or DCR).
Integration Requirements
How complex it will be for you to integrate with the LRA MCP server depends on which parts of the authentication flow your client implements:
Full Implementation (Recommended)
If the client implements all steps including dynamic client registration and metadata self-discovery, then all that you should need is the URL of the MCP server: https://kfinance.kensho.com/integrations/mcp (opens in a new tab)
Partial Implementation
If the client implements dynamic client registration but does not implement metadata self-discovery, then you manually fetch the server metadata. If you need additional information about the MCP or auth server not included below, please let us know.
Required Endpoints
-
OAuth Protected Resource Metadata: https://kfinance.kensho.com/.well-known/oauth-protected-resource/mcp (opens in a new tab)
- Includes the URL of the authorization server, the supported scopes, and the supported bearer methods
-
OAuth Authorization Server Metadata: https://kfinance.kensho.com/.well-known/oauth-authorization-server (opens in a new tab)
- Includes URLs for authorization, token, and registration endpoint as well as supported response types, grant types, and token endpoint auth methods
Alternative Flow
If the client does not implement dynamic client registration, please reach out to support@kensho.com and we will manually provision a client ID for you.
Both private/public key pair and client secret authentication methods are possible. Kensho prefers the use of a private/public key pair. Get started using the Public/Private Key Authentication Guide.
If your platform does not support key pair authentication, reach out to support@kensho.com and we will provision a client ID with client secret authentication for you instead.