Aegis Developer Portal

MCP Setup

OAuth-Only MCP Login

Configure local MCP clients to authenticate with the OAuth device flow only; no static API keys are required. After explicit user approval, the server mints short-lived broker tokens scoped to the explicit credential selectors that were requested.

What the MCP stores locally

  • Ephemeral DPoP private key material for request proof signing.
  • Short-lived broker access token in memory only.
  • No long-lived static API key secrets.
  • Credential plaintext remains inaccessible to Aegis services without user-held key material.

Security defaults

  • Device flow token TTL defaults to 10 minutes and caps at 15 minutes.
  • Scopes must be explicit credential selector scopes.
  • Approval is bound to an authenticated user principal.
  • Every begin/approve/exchange action writes broker audit events.

Flow

  1. MCP generates local DPoP keypair and `pop_key_id`.
  2. Call `BeginMcpOauthDeviceAuthorization` to get `device_code` and `verification_uri`.
  3. User completes login/consent in browser and approves the device code.
  4. MCP polls `ExchangeMcpOauthDeviceAuthorization` until status `success`.
  5. MCP uses returned broker token for lease RPCs with sender-constrained request proofs.

sequenceDiagram
  participant MCP as Local MCP Server
  participant Aegis as Aegis Identity API
  participant User as End User
  participant Browser as Authenticated Browser

  MCP->>Aegis: BeginMcpOauthDeviceAuthorization
  Aegis-->>MCP: device_code + user_code + verification_uri
  MCP-->>User: "Open URL and enter code"
  User->>Browser: Login + consent
  Browser->>Aegis: ApproveMcpOauthDeviceAuthorization
  loop poll every interval_seconds
    MCP->>Aegis: ExchangeMcpOauthDeviceAuthorization
    Aegis-->>MCP: authorization_pending or success
  end
  Aegis-->>MCP: broker_token (short-lived, scoped)

Begin Request

{
  "tenant_id": "business-default",
  "requested_scopes": [
    "credential.lease.create:provider:gcp:app:billing-prod:account:deploy-bot",
    "credential.lease.redeem:provider:gcp:app:billing-prod:account:deploy-bot"
  ],
  "requested_ttl_seconds": 600,
  "pop_key_id": "mcp-key-2026-03",
  "client_display_name": "VS Code MCP"
}

Exchange Poll Request

{
  "device_code": "mdc_7f4f2b7c-7ac3-4e7f-a1c8-8f0ed6c0ddef"
}
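The flow above, worked end to end as an added example (not code from the Aegis portal or its SDK): a Python model of both sides, with an in-memory stand-in for the Aegis Identity API and a local MCP client that begins the device flow with the Begin Request shown, polls `ExchangeMcpOauthDeviceAuthorization` with the device code, and stops on the terminal states listed under Production Guardrails. The three RPC names and the request fields are the page's; the status strings, the audit tuples, the `before_poll` hook, the simulated clock, the `verification_uri`, and the exact TTL-cap and wildcard-scope checks are assumptions made so the example runs offline.

```python
import secrets

TTL_DEFAULT, TTL_CAP = 600, 900               # "Security defaults" above
TERMINAL = {"access_denied", "expired_token"}  # "Production Guardrails" above


class AegisIdentityStub:
    """In-memory stand-in for the Aegis Identity API with a simulated clock (self.now). The RPC
    names are the page's; field names, status strings and audit tuples are assumptions."""

    def __init__(self):
        self.now, self.grants, self.audit = 1_800_000_000, {}, []

    def BeginMcpOauthDeviceAuthorization(self, req):
        bad = [s for s in req["requested_scopes"] if "*" in s or not s.startswith("credential.lease.")]
        if bad:                                    # explicit selector scopes only, never wildcards
            raise ValueError(f"rejected scopes: {bad}")
        ttl = min(req.get("requested_ttl_seconds", TTL_DEFAULT), TTL_CAP)
        code, user_code = "mdc_" + secrets.token_hex(8), secrets.token_hex(4).upper()
        self.grants[code] = {"status": "authorization_pending", "user_code": user_code, "expires_at": self.now + ttl,
                             "scopes": req["requested_scopes"], "pop_key_id": req["pop_key_id"]}
        self.audit.append(("begin", code, req["tenant_id"]))
        return {"device_code": code, "user_code": user_code, "expires_in": ttl,
                "verification_uri": "https://aegis.example/device", "interval_seconds": 5}

    def ApproveMcpOauthDeviceAuthorization(self, user_code, principal, approve=True):
        if not principal:                          # approval is bound to an authenticated user
            raise PermissionError("unauthenticated approval")
        code = next(c for c, g in self.grants.items() if g["user_code"] == user_code)
        self.grants[code]["status"] = "approved" if approve else "access_denied"
        self.audit.append(("approve" if approve else "deny", code, principal))

    def ExchangeMcpOauthDeviceAuthorization(self, device_code):
        g = self.grants[device_code]
        if g["status"] not in TERMINAL and self.now >= g["expires_at"]:
            g["status"] = "expired_token"
        self.audit.append(("exchange", device_code, g["status"]))
        if g["status"] != "approved":
            return {"status": g["status"]}
        del self.grants[device_code]               # a device_code is redeemed at most once
        return {"status": "success", "expires_in": 300, "scopes": g["scopes"],  # token bound to pop_key_id
                "broker_token": "bt_" + secrets.token_hex(16), "pop_key_id": g["pop_key_id"]}


class McpClient:
    """Local MCP side: begins the flow, shows the code, polls, keeps the token in memory only."""

    def __init__(self, aegis, pop_key_id="mcp-key-2026-03"):
        self.aegis, self.pop_key_id, self.broker_token, self.user_code = aegis, pop_key_id, None, None

    def login(self, tenant_id, scopes, ttl=TTL_DEFAULT, max_polls=20, before_poll=lambda i: None):
        r = self.aegis.BeginMcpOauthDeviceAuthorization({
            "tenant_id": tenant_id, "requested_scopes": scopes, "requested_ttl_seconds": ttl,
            "pop_key_id": self.pop_key_id, "client_display_name": "VS Code MCP"})
        self.user_code = r["user_code"]                      # shown to the user with verification_uri
        for i in range(max_polls):
            self.aegis.now += r["interval_seconds"]          # stands in for time.sleep(interval_seconds)
            before_poll(i)                                   # hook so a scenario can approve mid-poll
            x = self.aegis.ExchangeMcpOauthDeviceAuthorization(r["device_code"])
            if x["status"] == "success":
                self.broker_token = x["broker_token"]        # memory only, never written to disk
                return "success"
            if x["status"] in TERMINAL:                      # stop polling a dead grant
                return x["status"]
        return "timeout"


SCOPES = ["credential.lease.create:provider:gcp:app:billing-prod:account:deploy-bot",
          "credential.lease.redeem:provider:gcp:app:billing-prod:account:deploy-bot"]


def run_scenarios():
    """Three constructed runs: approval before the third poll, a denial, and a grant nobody approves."""
    aegis, out = AegisIdentityStub(), {}
    mcp = McpClient(aegis)
    out["approved"] = mcp.login("business-default", SCOPES, before_poll=lambda i: i == 2 and
                                aegis.ApproveMcpOauthDeviceAuthorization(mcp.user_code, "alice@example.com"))
    out["polls"] = sum(1 for e in aegis.audit if e[0] == "exchange")
    denied = McpClient(aegis)
    out["denied"] = denied.login("business-default", SCOPES, before_poll=lambda i:
                                 aegis.ApproveMcpOauthDeviceAuthorization(denied.user_code, "bob@example.com", False))
    out["expired"] = McpClient(aegis).login("business-default", SCOPES, ttl=30)
    out["audit_kinds"] = sorted({e[0] for e in aegis.audit})
    return out
```

`run_scenarios()` returns `success` after three polls (two `authorization_pending`, then `success`), `access_denied` on the first poll that sees the denial, and `expired_token` once the 30-second grant lapses; in each case the client stops polling immediately instead of hammering the endpoint until `max_polls`.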

Production Guardrails

  • Keep `ALLOW_INSECURE_USER_HEADER=false` in deployed environments.
  • Treat `access_denied` and `expired_token` as terminal states in MCP polling logic.
  • Rotate DPoP key material and enforce replay detection for lease requests.
  • Grant narrow selector scopes per app/account target, never broad wildcard grants.
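Step 5 of the flow and the replay-detection guardrail above, as an added example (not Aegis code): a request proof bound to the broker token, the HTTP method and the URI, next to the server-side checks with a `jti` replay cache. It assumes an HMAC-SHA256 stand-in for the asymmetric DPoP signature so that it runs on the Python standard library alone, a 60-second freshness window, the claim names `htm`/`htu`/`ath`/`jti`/`iat` from RFC 9449, and the lease URIs shown.

```python
import hashlib
import hmac
import json
import secrets

PROOF_WINDOW = 60   # assumed: proofs older than this are refused even if their jti was never seen


class ProofKey:
    """Ephemeral per-MCP signing key. HMAC-SHA256 with a locally held secret stands in for the
    asymmetric DPoP signature so the example runs on the standard library alone (assumption)."""

    def __init__(self, key_id):
        self.key_id, self.secret = key_id, secrets.token_bytes(32)   # secret never leaves the MCP process

    def sign(self, method, url, broker_token, now):
        claims = {"kid": self.key_id, "htm": method, "htu": url, "iat": now, "jti": secrets.token_hex(8),
                  "ath": hashlib.sha256(broker_token.encode()).hexdigest()}   # binds the proof to the token
        body = json.dumps(claims, sort_keys=True).encode().hex()
        return body + "." + hmac.new(self.secret, body.encode(), hashlib.sha256).hexdigest()


class LeaseVerifier:
    """Server-side checks for a lease RPC (assumed; modelled on RFC 9449 DPoP proof validation)."""

    def __init__(self, verify_keys, token_bindings):
        self.keys, self.bindings = verify_keys, token_bindings  # kid -> secret; broker_token -> kid
        self.seen_jti = {}                                      # replay cache: jti -> forget-after time

    def check(self, broker_token, proof, method, url, now):
        kid = self.bindings.get(broker_token)
        if kid is None:
            return "unknown_token"
        body, sig = proof.split(".")
        c = json.loads(bytes.fromhex(body))
        if c["kid"] != kid or not hmac.compare_digest(
                sig, hmac.new(self.keys[kid], body.encode(), hashlib.sha256).hexdigest()):
            return "wrong_key"          # proof not made by the key this token is bound to
        if (c["htm"], c["htu"], c["ath"]) != (method, url, hashlib.sha256(broker_token.encode()).hexdigest()):
            return "wrong_request"      # proof lifted from a different call or token
        if abs(now - c["iat"]) > PROOF_WINDOW:
            return "stale"
        self.seen_jti = {j: t for j, t in self.seen_jti.items() if t > now}   # only window-sized state needed
        if c["jti"] in self.seen_jti:
            return "replay"
        self.seen_jti[c["jti"]] = now + PROOF_WINDOW
        return "ok"


def run_scenario():
    """Constructed run: one good call, the same proof replayed, a proof aimed at another URI, a stale one."""
    key, token, now = ProofKey("mcp-key-2026-03"), "bt_" + secrets.token_hex(16), 1_800_000_000
    verifier = LeaseVerifier({key.key_id: key.secret}, {token: key.key_id})
    create, redeem = "https://aegis.example/v1/lease/create", "https://aegis.example/v1/lease/redeem"
    proof = key.sign("POST", create, token, now)
    return {"first": verifier.check(token, proof, "POST", create, now),
            "replay": verifier.check(token, proof, "POST", create, now + 1),
            "other_uri": verifier.check(token, key.sign("POST", create, token, now), "POST", redeem, now),
            "stale": verifier.check(token, key.sign("POST", create, token, now), "POST", create, now + 120),
            "after_window": verifier.check(token, proof, "POST", create, now + PROOF_WINDOW + 1)}
```

The freshness check runs before the replay check on purpose: once a proof is older than the window it is refused regardless of `jti`, so the server only has to remember `jti` values for one window and the cache cannot grow without bound. Rotating the key (the guardrail above) means registering a new `kid` binding and retiring the old one; proofs under the old key then fail as `wrong_key`.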