Connected Apps (OAuth)
Connect external MCP clients — Grok, ChatGPT Apps, Claude Desktop, Cursor, Windsurf — to your is.team account using OAuth 2.1 + PKCE. No tokens to copy or rotate. Each app walks a one-time consent flow, and you can disconnect any of them with one click from Account Settings.
Connecting an App
Most MCP clients only ask you for a server URL. is.team handles registration, consent, and token issuance automatically.
1. Open the MCP client
   Open Grok's connector settings, ChatGPT's app catalogue, or your IDE's MCP configuration. Choose Add custom MCP server (or equivalent).
2. Enter the is.team MCP URL
   Paste https://is.team/mcp as the server URL. The client discovers OAuth metadata at /.well-known/oauth-protected-resource and registers itself dynamically (RFC 7591).
3. Approve the consent screen
   You'll be redirected to is.team. Sign in if prompted, then choose which workspace(s) the app may access and click Allow. The app is redirected back with an access token.
4. Verify in Account Settings
   Open Account Settings → Connected apps — the app should appear in the list with the workspace count and last token issuance time.
Info
OAuth-connected apps use the same ~113 MCP tools as personal API tokens. Pro and Max plans only — Free workspaces cannot be selected on the consent screen.
OAuth vs Personal API Tokens
is.team supports both connection methods. Pick whichever your client supports.
OAuth (Connected apps)
For third-party clients (Grok, ChatGPT Apps, Claude Desktop). One-click consent, scoped to specific workspaces, easy to disconnect, refresh tokens rotate automatically.
Personal API tokens
For your own scripts, the @isteam/mcp local package, or self-hosted agents. Long-lived, you copy the token once, and you control which workspaces it can reach.
Permissions & Scopes
Apps request a set of OAuth scopes upfront. The consent screen shows exactly what they will be able to do.
| Scope | What it grants |
|---|---|
| mcp | Full access to MCP tools — create cards, edit tasks, comment, attach files, use integrations. |
| mcp:read | Read-only — list cards, read tasks and comments, fetch chat history. No mutations. |
| openid | Stable account identifier (no profile data). |
| profile | Display name and profile picture. |
| email | Email address on the account. |
Tip
Workspace selection is enforced server-side. Even if an app holds the mcp scope, tools cannot reach a workspace you didn't check on the consent screen.
Disconnecting an App
Disconnecting revokes every access and refresh token immediately. The app must walk the consent flow again before it can call the API.
1. Open Account Settings
   Click your avatar in the top-right corner and choose Account Settings.
2. Switch to Connected apps
   Select the Connected apps tab. Each row shows the app name, scopes, workspace count, and the date of its last token.
3. Click the trash icon
   Find the app and click the trash icon on the right. Confirm in the dialog — tokens are revoked atomically.
For Client Developers
Building an MCP client and want users to authenticate with is.team? The server implements the standard MCP authorization spec — discovery, dynamic registration, authorization code with PKCE, refresh-token rotation, and revocation.
Discovery
Two discovery documents are available, both unauthenticated:
```
# Authorization server metadata (RFC 8414)
curl https://is.team/.well-known/oauth-authorization-server

# MCP-protected resource metadata
curl https://is.team/.well-known/oauth-protected-resource
```
Dynamic Client Registration
Register your client at runtime (RFC 7591). No pre-registration required.
```
curl -X POST https://is.team/api/oauth/register \
  -H "Content-Type: application/json" \
  -d '{
    "client_name": "My MCP Client",
    "client_uri": "https://example.com",
    "logo_uri": "https://example.com/logo.png",
    "redirect_uris": ["https://example.com/oauth/callback"],
    "scope": "mcp openid profile email"
  }'
```
Authorization Code + PKCE
Send the user to the authorize endpoint with an S256 PKCE challenge:
```
https://is.team/oauth/authorize?
  response_type=code
  &client_id={client_id}
  &redirect_uri={redirect_uri}
  &scope=mcp%20openid%20profile%20email
  &state={state}
  &code_challenge={code_challenge}
  &code_challenge_method=S256
```
Token Exchange
Exchange the authorization code for an access + refresh token:
```
curl -X POST https://is.team/api/oauth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=authorization_code" \
  -d "code={authorization_code}" \
  -d "redirect_uri={redirect_uri}" \
  -d "client_id={client_id}" \
  -d "code_verifier={code_verifier}"
```
Refresh & Revocation
Refresh tokens rotate on every use (RFC 6749 §10.4) — the previous refresh token is revoked atomically. To explicitly revoke a token, call the standard RFC 7009 endpoint:
```
curl -X POST https://is.team/api/oauth/revoke \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "token={access_or_refresh_token}" \
  -d "client_id={client_id}"
```
Calling the MCP Endpoint
Send the access token as a Bearer credential. Failed requests return a WWW-Authenticate header pointing back at the discovery document, so MCP clients can re-run the OAuth flow automatically.
```
curl https://is.team/mcp \
  -H "Authorization: Bearer ist_at_..." \
  -H "Content-Type: application/json"
```
Security Notes
- Access tokens live 1 hour, refresh tokens 30 days.
- Tokens are stored hashed (SHA-256). The raw token is shown to the client only once.
- Only the S256 PKCE method is accepted — plain code verifiers are rejected.
- Refresh-token rotation: old refresh tokens are revoked the moment a new one is minted.
- Disconnecting an app from Account Settings revokes every active token for that client immediately.
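The client side of the Authorization Code + PKCE and Token Exchange steps, as an added example (not is.team's own code): it derives the S256 challenge the server requires, builds the authorize URL with the parameters shown above, and checks `state` on the redirect before producing the token-request body. The function names and the sample client values in the test are assumptions; the endpoints and parameter names are the ones on this page.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AUTHORIZE_URL = "https://is.team/oauth/authorize"  # endpoint given on the page


def s256_challenge(verifier):
    """code_challenge = BASE64URL(SHA256(verifier)), unpadded (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Fresh (code_verifier, code_challenge) for one authorization request."""
    verifier = secrets.token_urlsafe(64)  # 86 chars, inside the 43-128 range
    return verifier, s256_challenge(verifier)


def build_authorize_url(client_id, redirect_uri, state, challenge,
                        scope="mcp openid profile email"):
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return AUTHORIZE_URL + "?" + urlencode(params, quote_via=quote)


def handle_callback(callback_url, expected_state):
    """Return the authorization code; reject redirects we did not start."""
    query = parse_qs(urlsplit(callback_url).query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch, discarding redirect")
    if "error" in query or "code" not in query:
        raise ValueError("authorization was not granted")
    return query["code"][0]


def token_request_body(code, redirect_uri, client_id, verifier):
    """Form body for POST https://is.team/api/oauth/token."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri, "client_id": client_id,
                      "code_verifier": verifier})
```

Generate a new verifier and `state` for every authorization request and keep both bound to the session that started it; the verifier leaves the client only in the token request.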
