Aegis Developer Portal


MCP Setup

OAuth-Only MCP Login

Configure local MCP clients with the OAuth device flow only. No static API keys are required. After the user approves the device code, the MCP receives a short-lived access token for API calls.

What the MCP stores locally

  • Ephemeral DPoP private key material for request proof signing.
  • Short-lived broker access token in memory only.
  • No long-lived static API key secrets.
  • Credential plaintext remains inaccessible to Aegis services without user-held key material.

Security defaults

  • Device flow token TTL defaults to 10 minutes and caps at 15 minutes.
  • Request only the operations your MCP integration needs.
  • Approval is bound to an authenticated user principal.
  • Every begin/approve/exchange action writes broker audit events.

Flow

  1. MCP generates local DPoP keypair and `pop_key_id`.
  2. Call `BeginMcpOauthDeviceAuthorization` to get `device_code` and `verification_uri`.
  3. User completes login/consent in browser and approves the device code.
  4. MCP polls `ExchangeMcpOauthDeviceAuthorization` until status `success`.
  5. MCP uses returned broker token for lease RPCs with sender-constrained request proofs.

Sequence Diagram

sequenceDiagram
  participant MCP as Local MCP Server
  participant Aegis as Aegis Identity API
  participant User as End User
  participant Browser as Authenticated Browser

  MCP->>Aegis: BeginMcpOauthDeviceAuthorization
  Aegis-->>MCP: device_code + user_code + verification_uri
  MCP-->>User: "Open URL and enter code"
  User->>Browser: Login + consent
  Browser->>Aegis: ApproveMcpOauthDeviceAuthorization
  loop poll every interval_seconds
    MCP->>Aegis: ExchangeMcpOauthDeviceAuthorization
    Aegis-->>MCP: authorization_pending or success
  end
  Aegis-->>MCP: broker_token (short-lived)

Begin Request

{
  "tenant_id": "business-default",
  "requested_ttl_seconds": 600,
  "pop_key_id": "mcp-key-2026-03",
  "client_display_name": "VS Code MCP"
}

Exchange Poll Request

{
  "device_code": "mdc_7f4f2b7c-7ac3-4e7f-a1c8-8f0ed6c0ddef"
}

Production Guardrails

  • Treat `access_denied` and `expired_token` as terminal states in MCP polling logic.
  • Rotate DPoP key material and enforce replay detection for lease requests.
  • Keep broker access tokens in memory only and clear them on process shutdown.
  • Allow outbound MCP token calls only to approved Aegis API hosts.
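Added example, not Aegis's own client code: a Python sketch of steps 2 to 4 of the Flow together with the terminal-state rule from the guardrails, driven by a constructed stand-in for the Identity API. The RPC names, request fields, status values and TTL limits come from this page; the stand-in's transport, the placement of `interval_seconds` in the Begin reply, and every token and code value are assumptions.

```python
import time
# Values from the page: TTL defaults to 10 minutes and caps at 15 minutes.
DEFAULT_TTL_SECONDS, MAX_TTL_SECONDS = 600, 900
# Statuses the page names as terminal; "authorization_pending" means retry.
TERMINAL_STATUSES = {"access_denied", "expired_token"}

class DeviceFlowError(Exception):
    """Raised when the device flow ends without a broker token."""

def clamp_ttl(requested_ttl_seconds):
    """Apply the documented default and cap to a requested TTL."""
    if not requested_ttl_seconds or requested_ttl_seconds <= 0:
        return DEFAULT_TTL_SECONDS
    return min(requested_ttl_seconds, MAX_TTL_SECONDS)

class FakeAegisIdentityApi:
    """Constructed stand-in for the Aegis Identity API, scripted per run (assumption)."""
    def __init__(self, scripted_statuses, interval_seconds=5):
        self.scripted_statuses = list(scripted_statuses)
        self.interval_seconds = interval_seconds
        self.exchange_calls = 0
    def BeginMcpOauthDeviceAuthorization(self, request):
        assert request["requested_ttl_seconds"] <= MAX_TTL_SECONDS
        return {"device_code": "mdc_constructed-device-code", "user_code": "WXYZ-1234",
                "verification_uri": "https://aegis.example.invalid/device",
                "interval_seconds": self.interval_seconds}
    def ExchangeMcpOauthDeviceAuthorization(self, request):
        self.exchange_calls += 1
        idx = min(self.exchange_calls, len(self.scripted_statuses)) - 1
        reply = {"status": self.scripted_statuses[idx]}
        if reply["status"] == "success":
            reply["broker_token"] = "bt_constructed-short-lived"
        return reply

def mcp_device_login(api, pop_key_id, requested_ttl=None, sleep=time.sleep, max_polls=50):
    """Steps 2-4 of the flow (caller shows user_code and verification_uri to the user);
    the broker token is returned and held in memory only, never written to disk."""
    begin = api.BeginMcpOauthDeviceAuthorization({
        "tenant_id": "business-default", "requested_ttl_seconds": clamp_ttl(requested_ttl),
        "pop_key_id": pop_key_id, "client_display_name": "VS Code MCP"})
    for _ in range(max_polls):
        reply = api.ExchangeMcpOauthDeviceAuthorization({"device_code": begin["device_code"]})
        status = reply["status"]
        if status == "success":
            return reply["broker_token"]
        if status in TERMINAL_STATUSES:
            raise DeviceFlowError(status)  # terminal: stop polling, never retry
        if status != "authorization_pending":
            raise DeviceFlowError("unexpected status: " + status)
        sleep(begin["interval_seconds"])  # honour the server-provided poll interval
    raise DeviceFlowError("poll_limit_exceeded")
```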