# Authentication The Splattr MCP server uses OAuth 2.0 with Dynamic Client Registration. You authenticate with your existing Splattr account — no separate API keys or developer credentials needed. ## How it works 1. **Dynamic Client Registration** — When you add the Splattr MCP server to a client (Claude Code, Claude Desktop, etc.), the client automatically registers itself with the server. You don't need to manually create OAuth credentials. 2. **OAuth authorization flow** — On first use, your MCP client opens a browser window to Splattr's login page. Sign in with your Splattr account credentials. 3. **Token storage** — After authenticating, your client stores an access token and refresh token. The session persists across conversations — you won't be prompted again unless the token expires or you explicitly revoke access. 4. **Scopes** — The server requests `openid`, `email`, and `profile` scopes. No additional permissions beyond your standard Splattr account access are granted. ## Permissions The MCP server acts on behalf of your Splattr account. All operations are scoped to your organization: - Tools read and write data within your organization only - Credit charges apply to your organization's balance - CRM pushes use your organization's connected integrations ## Token expiry and refresh Access tokens refresh automatically in the background. If a token refresh fails (for example, if you revoke access in your Splattr account settings), you'll be prompted to re-authenticate the next time you use a Splattr tool. ## Revoking access To disconnect the Splattr MCP server from a client: **Claude Code:** ```bash claude mcp remove splattr ``` **Claude Desktop / Cursor:** Remove the server entry from your configuration file and restart the application. To revoke all active sessions, go to **Settings → Security** in your Splattr account and remove any active MCP sessions listed there. ## Troubleshooting **"No authenticated user in context"** — The token has expired or was revoked. Remove and re-add the server to trigger a fresh login. **Browser window doesn't open** — Some headless or remote environments can't open a browser. In this case, copy the authorization URL from your client's output and open it manually. **"Invalid client" error** — This can happen if your client's registration was deleted. Remove and re-add the server to re-register.