MCP Authentication
API key and OAuth 2.1 authentication for the Verbatik MCP server.
The Verbatik MCP server supports two authentication methods.
1. API Key Authentication
The simplest method. Use your Verbatik API key as a Bearer token:
This is the recommended approach for most integrations. Get your API key from the API Keys section in your workspace sidebar.
2. OAuth 2.1 Authentication
For MCP clients that support OAuth, Verbatik implements a full OAuth 2.1 flow:
- Dynamic Client Registration — MCP clients register themselves automatically.
- PKCE (Proof Key for Code Exchange) — Required for security. Supports the `S256` method.
- Authorization Code Flow — Standard OAuth authorization with user consent.
- Refresh Token Rotation — Tokens are automatically refreshed.
OAuth Endpoints
| Endpoint | URL |
|---|---|
| Authorization | https://api.verbatik.com/oauth/authorize |
| Token | https://api.verbatik.com/oauth/token |
| Registration | https://api.verbatik.com/oauth/register |
| Revocation | https://api.verbatik.com/oauth/revoke |
Token Lifetimes
| Token | Lifetime |
|---|---|
| Access Token | 1 hour |
| Refresh Token | 30 days |
| Authorization Code | 10 minutes |
Discovery Endpoints
| Endpoint | URL |
|---|---|
| Authorization Server Metadata | https://api.verbatik.com/.well-known/oauth-authorization-server |
| Protected Resource Metadata | https://api.verbatik.com/.well-known/oauth-protected-resource |
OAuth Flow Steps
- Discovery — The MCP client fetches OAuth metadata from the well-known endpoints.
- Registration — The client registers itself via the registration endpoint.
- Authorization — The user is redirected to Verbatik's authorization page.
- Workspace Selection — The user selects which workspace to authorize.
- Code Exchange — The client receives an authorization code and exchanges it for tokens (with PKCE verification).
- API Access — The client uses the access token for MCP requests.
- Token Refresh — When the access token expires, the client uses the refresh token to get a new one.
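
The PKCE part of the Authorization and Code Exchange steps above, as an added example (not Verbatik's own code): it derives the `S256` challenge, builds the authorization URL, and checks `state` on the callback before preparing the token request body. The parameter names follow the standard OAuth authorization code and PKCE (RFC 7636) conventions and are assumed to be what Verbatik accepts; `client_id`, the redirect URI and `state` are caller-supplied, and no network request is made.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://api.verbatik.com/oauth/authorize"  # from the endpoint table


def b64url(raw: bytes) -> str:
    # base64url without padding, as PKCE requires
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_verifier() -> str:
    # 32 random bytes encode to 43 characters, the minimum verifier length
    return b64url(secrets.token_bytes(32))


def s256_challenge(verifier: str) -> str:
    if not 43 <= len(verifier) <= 128:
        raise ValueError("code_verifier must be 43-128 characters")
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorization_url(client_id, redirect_uri, verifier, state):
    # Only the challenge leaves the client here; the verifier stays local.
    query = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(query)


def token_request(callback_url, expected_state, client_id, redirect_uri, verifier):
    params = parse_qs(urlparse(callback_url).query)
    state = params.get("state", [""])[0]
    # Reject callbacks that do not carry the state issued for this attempt.
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard this callback")
    if "code" not in params:
        raise ValueError("no code: " + params.get("error", ["unknown"])[0])
    # Form body for a POST to the Token endpoint listed in the table.
    return {"grant_type": "authorization_code", "code": params["code"][0],
            "redirect_uri": redirect_uri, "client_id": client_id,
            "code_verifier": verifier}
```

Because the authorization code is valid for 10 minutes and is bound to the challenge, a code observed in transit cannot be redeemed without the verifier that never left the client.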