Meet Eden →
Agent Optimization 7 min read

Agent auth: OAuth + PKCE

PromptEden supports OAuth authorization code with S256 PKCE for provisioned agent connectors. Clients are seeded by PromptEden, not dynamically registered by the connector, and hosted MCP write tools still go through approvals and standing policies.

By PromptEden Team
Agent auth: OAuth + PKCE

Prerequisites

OAuth connector access requires a provisioned PromptEden client record. Dynamic client registration is not exposed.

Before you start, get these from PromptEden:

  • client_id
  • Allowed redirect URI list
  • Allowed scope list

Your connector must generate a PKCE code_verifier and S256 code_challenge for each authorization attempt.

Discovery URLs

PromptEden publishes OAuth metadata here:

GET https://app.prompteden.com/.well-known/oauth-authorization-server

The metadata advertises:

  • authorization_endpoint: https://app.prompteden.com/oauth/authorize
  • token_endpoint: https://app.prompteden.com/oauth/token
  • response_types_supported: code
  • grant_types_supported: authorization_code, refresh_token
  • code_challenge_methods_supported: S256
  • token_endpoint_auth_methods_supported: none

Hosted MCP protected-resource metadata is available at:

GET https://app.prompteden.com/.well-known/oauth-protected-resource

Authorization request

Send the user to PromptEden's authorization endpoint:

GET https://app.prompteden.com/oauth/authorize?response_type=code&client_id=YOUR_PROVISIONED_CLIENT_ID&redirect_uri=YOUR_REGISTERED_REDIRECT_URI&code_challenge=BASE64URL_SHA256_VERIFIER&code_challenge_method=S256&state=OPAQUE_STATE&scope=account:read%20projects:read%20monitors:read&resource=https%3A%2F%2Fapp.prompteden.com%2Fapi%2Fmcp

PromptEden requires:

  • response_type=code
  • A provisioned, enabled client_id
  • A registered redirect_uri
  • code_challenge_method=S256
  • A valid code_challenge
  • state
  • Scopes allowed for the seeded client

When resource is present, it must equal https://app.prompteden.com/api/mcp.

Token exchange

Exchange the code for tokens at /oauth/token. PromptEden treats these as public PKCE clients: do not send HTTP Basic auth and do not send client_secret.

curl -X POST https://app.prompteden.com/oauth/token \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=authorization_code' \
  --data-urlencode 'client_id=YOUR_PROVISIONED_CLIENT_ID' \
  --data-urlencode 'code=RETURNED_CODE' \
  --data-urlencode 'redirect_uri=YOUR_REGISTERED_REDIRECT_URI' \
  --data-urlencode 'code_verifier=ORIGINAL_CODE_VERIFIER'

The access token uses PromptEden's OAuth token prefix and can be sent as:

Authorization: Bearer poa_...

Refresh tokens are supported with grant_type=refresh_token.

Using OAuth tokens with MCP and REST

OAuth bearer tokens work with hosted MCP:

{
  "mcpServers": {
    "prompteden": {
      "url": "https://app.prompteden.com/api/mcp",
      "headers": {
        "Authorization": "Bearer poa_..."
      }
    }
  }
}

OAuth tokens may call raw REST routes only for read-scoped operations. For writes, use hosted MCP so PromptEden can return approval_required and route the action through app approvals.

Troubleshooting

unauthorized_client. The client_id is missing, disabled, unknown, or not provisioned by PromptEden.

invalid_request: redirect_uri is not allowed. The redirect URI does not exactly match the seeded client record.

invalid_request: PKCE code_challenge_method must be S256. Plain PKCE is not supported.

invalid_scope. The requested scope is not in the client's allowed scope list.

invalid_token. The access token is invalid or expired.

403 plan_limit. The authorized workspace does not have API access.

403 insufficient_scope. The OAuth token is valid but missing a scope required by the MCP tool or REST route.

403 oauth_write_not_allowed. The token was used on a raw REST write route. Use hosted MCP for approval-gated writes.

oauth pkce mcp agent-auth

Frequently asked questions

Can my agent dynamically register an OAuth client?

No. PromptEden OAuth clients are provisioned by PromptEden and stored as seeded client records.

Does PromptEden accept client_secret at the token endpoint?

No. The token endpoint is for public PKCE clients. Send client_id, code, redirect_uri, and code_verifier, but do not send client_secret or HTTP Basic auth.

Can OAuth tokens create or publish content through REST?

Raw REST writes with OAuth connector tokens are blocked. Use hosted MCP so the write proposal goes through PromptEden approvals and policies.

What scopes are available?

PromptEden supports account, monitor, result, project, and content scopes, including account:read, monitors:read, monitors:write, results:read, projects:read, projects:write, content:read, and content:write.

Provision an Agent Connector

Use OAuth + PKCE for connector clients and hosted MCP for approval-gated write actions.