Skip to main content
The Qwairy MCP server uses OAuth 2.1 with PKCE for secure authentication. This ensures your credentials are never shared with AI assistants — only a secure, scoped access token.

How It Works

OAuth Endpoints

EndpointURL
Discoveryhttps://mcp.qwairy.co/.well-known/oauth-authorization-server
Authorizationhttps://auth.qwairy.co/authorize
Tokenhttps://auth.qwairy.co/token

Available Scopes

Request only the scopes you need:
ScopeDescription
read:brandsList monitored brands
read:visibilityAccess performance metrics
read:competitorsView competitor data
read:sourcesAccess source/citation data
read:promptsList monitored prompts
read:answersRead AI responses
read:topicsView topic analytics
If no scopes are specified, all scopes are granted by default.

Token Lifecycle

TokenDurationRefresh
Access Token1 hourAutomatic via refresh token
Refresh Token30 daysNew token issued on use
Authorization Code5 minutesOne-time use

PKCE Support

The server supports both PKCE methods:
  • S256 (recommended) — SHA-256 hash of code verifier
  • plain — Code verifier sent as-is
Claude Desktop automatically uses S256 for maximum security.

Security Features

Your Qwairy password is never shared with Claude or any MCP client. Authentication happens directly with Qwairy’s auth server.
Tokens are scoped to specific data types. An MCP client can only access what you’ve authorized.
Tokens are tied to your team, not just your user account. All team members’ data for brands you have access to.
Access tokens expire after 1 hour. If a token is compromised, exposure is limited.
You can revoke access at any time from your Qwairy account settings.

Manual Token Exchange

For developers building custom MCP clients, here’s the token exchange flow:

1. Start Authorization

GET https://auth.qwairy.co/authorize
  ?response_type=code
  &client_id=mcp-client
  &redirect_uri=YOUR_CALLBACK_URL
  &scope=read:brands read:visibility
  &state=RANDOM_STATE
  &code_challenge=BASE64URL_SHA256_OF_VERIFIER
  &code_challenge_method=S256

2. Exchange Code for Tokens

POST https://auth.qwairy.co/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&code=AUTH_CODE_FROM_CALLBACK
&redirect_uri=YOUR_CALLBACK_URL
&code_verifier=ORIGINAL_CODE_VERIFIER
Response: 
{
  "access_token": "qw-mcp-abc123...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "qw-mcpr-xyz789...",
  "scope": "read:brands read:visibility"
}

3. Refresh Token

POST https://auth.qwairy.co/token
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token
&refresh_token=qw-mcpr-xyz789...

Troubleshooting

”Invalid or expired token”

Your access token has expired. The MCP client should automatically refresh it. If the error persists, disconnect and reconnect.

”Insufficient scope”

The tool you’re trying to use requires a scope that wasn’t granted. Reconnect and authorize all requested scopes.

”Team not found”

Your Qwairy account doesn’t have an active team, or the team’s subscription has expired.