> ## Documentation Index
> Fetch the complete documentation index at: https://docs.nylio.app/llms.txt
> Use this file to discover all available pages before exploring further.

# MCP authentication

> OAuth configuration, discovery endpoints, and dynamic client registration for Nylio's MCP transport.

Nylio's MCP endpoint is protected by OAuth 2.1.

## Issuer

```txt theme={null}
https://api.nylio.app/api/auth
```

## Resource metadata

These endpoints help MCP clients discover the protected resources and issuer metadata:

* API resource metadata: `https://api.nylio.app/api/public/v1/.well-known/oauth-protected-resource`
* MCP resource metadata: `https://api.nylio.app/api/public/v1/mcp/.well-known/oauth-protected-resource`
* Authorization server metadata: `https://api.nylio.app/api/auth/.well-known/oauth-authorization-server`
* OpenID configuration: `https://api.nylio.app/api/auth/.well-known/openid-configuration`

Some OAuth client libraries append `/.well-known/` to the issuer path instead of prepending it. These alternate discovery URLs also work:

* `https://api.nylio.app/.well-known/oauth-authorization-server/api/auth`
* `https://api.nylio.app/.well-known/openid-configuration/api/auth`

## Audience

Request access tokens for the MCP audience:

```txt theme={null}
https://api.nylio.app/api/public/v1/mcp
```

## Scopes

Request the scopes you need:

* `workspace:read`
* `document:read`
* `document:write`
* `search:read`

## Dynamic client registration

Nylio supports OAuth Dynamic Client Registration. MCP clients can self-register without pre-shared credentials.

Dynamically registered clients receive these default scopes:

* `workspace:read`
* `document:read`
* `document:write`
* `search:read`

### Connection flow

1. Fetch the MCP resource metadata from `https://api.nylio.app/api/public/v1/mcp/.well-known/oauth-protected-resource`.
2. Follow the authorization server metadata link.
3. Use the returned `registration_endpoint` to register the client.
4. Run the OAuth authorization code flow with PKCE for the MCP audience.

If your MCP client supports OAuth discovery and dynamic registration natively, pointing it at the MCP resource metadata endpoint is usually enough.