Xquik supports OAuth 2.1 with PKCE for MCP server authentication. This is used by browser-based MCP clients that cannot store static API keys, currently Claude.ai (web) and ChatGPT Developer Mode .
Most MCP clients (Claude Code, Cursor, VS Code, Windsurf, Codex CLI, OpenCode, Claude Desktop) use API key authentication instead. OAuth is only needed for clients that initiate auth through a browser login flow. How it works OAuth 2.1 Authorization Code with PKCE follows this sequence:
MCP Client Xquik │ │ │ 1. Register client │ │────────────────────────────────▶│ │◀────────────────────────────────│ │ client_id │ │ │ │ 2. Generate code_verifier │ │ + code_challenge │ │ │ │ 3. Redirect to /authorize │ │────────────────────────────────▶│ │ │ User logs in │ │ + approves access │ 4. Redirect back with code │ │◀────────────────────────────────│ │ │ │ 5. Exchange code + verifier │ │────────────────────────────────▶│ │◀────────────────────────────────│ │ access_token + refresh_token │ │ │ │ 6. Call MCP with Bearer token │ │────────────────────────────────▶│
Discovery Xquik publishes standard OAuth discovery documents so MCP clients can auto-configure endpoints.
curl https://xquik.com/.well-known/oauth-authorization-server
{ "issuer" : "https://xquik.com" , "authorization_endpoint" : "https://xquik.com/api/oauth/authorize" , "token_endpoint" : "https://xquik.com/api/oauth/token" , "registration_endpoint" : "https://xquik.com/api/oauth/register" , "scopes_supported" : [ "mcp:tools" ], "response_types_supported" : [ "code" ], "grant_types_supported" : [ "authorization_code" , "refresh_token" ], "code_challenge_methods_supported" : [ "S256" ], "token_endpoint_auth_methods_supported" : [ "none" , "client_secret_post" ], "revocation_endpoint" : "https://xquik.com/api/oauth/revoke" , "client_id_metadata_document_supported" : false }
curl https://xquik.com/.well-known/oauth-protected-resource
{ "resource" : "https://xquik.com/mcp" , "authorization_servers" : [ "https://xquik.com" ], "bearer_methods_supported" : [ "header" ], "scopes_supported" : [ "mcp:tools" ] }
Complete flow
Register a client
Register your MCP client to get a client_id. This is a one-time setup. curl -X POST https://xquik.com/api/oauth/register \ -H "Content-Type: application/json" \ -d '{ "client_name": "My MCP Client", "redirect_uris": ["https://myapp.example.com/callback"] }'
{ "client_id" : "550e8400-e29b-41d4-a716-446655440000" , "client_name" : "My MCP Client" , "redirect_uris" : [ "https://myapp.example.com/callback" ], "grant_types" : [ "authorization_code" , "refresh_token" ], "token_endpoint_auth_method" : "none" }
Redirect URI requirements:
Production: HTTPS only
Development: http://localhost and http://127.0.0.1 are allowed
Exact match required. No wildcards or subpath matching
Client types:
Public (token_endpoint_auth_method: "none"): Default. No client secret. Used by browser apps and MCP clients.Confidential (token_endpoint_auth_method: "client_secret_post"): Returns a client_secret in the registration response. Used by server-side apps. If you register a confidential client, the client_secret is returned once in the registration response. Store it securely.
Generate PKCE parameters
Generate a cryptographically random code_verifier and derive the code_challenge from it. import { randomBytes , createHash } from "node:crypto" ; const codeVerifier = randomBytes ( 32 ). toString ( "hex" ); const codeChallenge = createHash ( "sha256" ) . update ( codeVerifier ) . digest ( "base64url" );
The code_verifier must have sufficient entropy. Use at least 32 cryptographically random bytes (64 hex characters). Store the verifier securely on the client. You need it for the token exchange in step 5.
Redirect to authorization
Redirect the user to the Xquik authorization endpoint with the required query parameters. GET https://xquik.com/api/oauth/authorize ?response_type=code &client_id=550e8400-e29b-41d4-a716-446655440000 &redirect_uri=https://myapp.example.com/callback &code_challenge=a1b2c3d4e5f6... &code_challenge_method=S256 &scope=mcp:tools &state=random_csrf_token
Required parameters: Parameter Value response_typecodeclient_idUUID from client registration redirect_uriMust match a registered URI exactly code_challengeBase64url-encoded SHA256 digest of the code_verifier code_challenge_methodS256
Optional parameters: Parameter Default Description scopemcp:toolsOnly mcp:tools is supported stateOpaque value for CSRF protection resourcehttps://xquik.com/mcpTarget resource identifier
The scope and resource parameters default to the only supported values (mcp:tools and https://xquik.com/mcp). You can omit them.
The user sees a login page (Google OAuth or email magic link) followed by a consent screen. After approval, Xquik redirects back to your redirect_uri.
Receive the authorization code
After the user approves, Xquik redirects to your redirect_uri with a code parameter: https://myapp.example.com/callback?code=AUTH_CODE_HERE&state=random_csrf_token
Verify the state parameter matches the value you sent in step 3 to prevent CSRF attacks. The authorization code expires in 60 seconds and is single-use.
Exchange code for tokens
Exchange the authorization code and your code_verifier for an access token and refresh token. curl -X POST https://xquik.com/api/oauth/token \ -H "Content-Type: application/x-www-form-urlencoded" \ -d "grant_type=authorization_code \ &code=AUTH_CODE_HERE \ &code_verifier=YOUR_CODE_VERIFIER \ &client_id=550e8400-e29b-41d4-a716-446655440000 \ &redirect_uri=https://myapp.example.com/callback"
{ "access_token" : "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2" , "token_type" : "Bearer" , "expires_in" : 86400 , "refresh_token" : "f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1" , "scope" : "mcp:tools" }
Use the access token
Pass the access token as a Bearer token in the Authorization header when connecting to the MCP server. curl https://xquik.com/mcp \ -H "Authorization: Bearer a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2"
Token lifetimes Token Lifetime Notes Access token 24 hours Use the refresh token to get a new one Refresh token 30 days Single-use. Each refresh issues a new pair Authorization code 60 seconds Single-use. Exchange immediately
Refresh tokens Access tokens expire after 24 hours. Use the refresh token to get a new access token without requiring the user to log in again.
curl -X POST https://xquik.com/api/oauth/token \ -H "Content-Type: application/x-www-form-urlencoded" \ -d "grant_type=refresh_token \ &refresh_token=f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1 \ &client_id=550e8400-e29b-41d4-a716-446655440000"
{ "access_token" : "NEW_ACCESS_TOKEN" , "token_type" : "Bearer" , "expires_in" : 86400 , "refresh_token" : "NEW_REFRESH_TOKEN" , "scope" : "mcp:tools" }
Refresh tokens are single-use . Each refresh request revokes the old refresh token and returns a new one. Always store the latest refresh token from each response.
Token revocation Revoke an access or refresh token when a user disconnects or your application no longer needs access.
curl -X POST https://xquik.com/api/oauth/revoke \ -H "Content-Type: application/x-www-form-urlencoded" \ -d "token=ACCESS_OR_REFRESH_TOKEN \ &client_id=550e8400-e29b-41d4-a716-446655440000 \ &token_type_hint=access_token"
Parameter Required Description tokenYes The token to revoke client_idYes The client ID that owns the token token_type_hintNo access_token or refresh_token. Helps the server locate the token faster
Returns 200 with an empty body on success. If the token is already revoked or invalid, the server still returns 200 (per RFC 7009).
Revocation errors: Status Error When 400 invalid_requesttoken parameter is empty or missing400 invalid_requestclient_id parameter is empty or missing401 invalid_clientclient_id does not match a registered client
Scopes Scope Description mcp:toolsFull access to all MCP tools (search tweets, manage monitors, run extractions, run draws, etc.)
Only mcp:tools is supported. No partial scopes or scope combinations are available.
Client registration Request POST /api/oauth/register Content-Type: application/json
Field Type Required Description client_namestring Yes Display name shown on the consent screen redirect_urisstring[] Yes Allowed redirect URIs (1 or more) token_endpoint_auth_methodstring No none (default) or client_secret_postgrant_typesstring[] No Defaults to ["authorization_code", "refresh_token"]
Response Field Type Description client_idstring UUID. Use this in all subsequent OAuth requests client_namestring Echoed from request redirect_urisstring[] Echoed from request grant_typesstring[] Resolved grant types token_endpoint_auth_methodstring Resolved auth method client_secretstring Only present for confidential clients (client_secret_post) client_id_issued_atnumber Unix timestamp when the client ID was issued client_secret_expires_atnumber Always 0 (non-expiring). Only present for confidential clients
Error responses All errors follow the standard OAuth 2.0 error format:
{ "error" : "error_code" , "error_description" : "Human-readable description." }
Authorization errors Error When unsupported_response_typeresponse_type is not codeinvalid_requestMissing client_id, code_challenge, unknown client_id, or mismatched redirect_uri invalid_scopeScope is not mcp:tools invalid_targetResource is not https://xquik.com/mcp access_deniedUser denied the authorization request
Token errors Error When invalid_requestMissing code, code_verifier, client_id, or refresh_token invalid_grantCode/token is invalid, expired, or already used. Also: client_id mismatch, redirect_uri mismatch, or PKCE verification failed unsupported_grant_typeGrant type is not authorization_code or refresh_token invalid_targetResource is not https://xquik.com/mcp
Registration errors Error Description When Invalid request body— Request body is not valid JSON or not an object client_name is required— Missing or empty client_name invalid_client_metadataclient_name exceeds maximum lengthclient_name exceeds 256 charactersredirect_uris must be a non-empty array of strings— Missing, empty, or malformed redirect_uris invalid_client_metadataToo many redirect URIsExceeds the 10 redirect URI limit Invalid redirect URI: {uri}. Must be HTTPS or localhost.— URI is not HTTPS or localhost Invalid token_endpoint_auth_method. Must be one of: none, client_secret_post— Value is not none or client_secret_post grant_types must be an array of strings— Malformed grant_types invalid_client_metadataUnsupported grant typeGrant type is not authorization_code or refresh_token
Full example A complete Node.js implementation of the OAuth 2.1 flow:
import { randomBytes , createHash } from "node:crypto" ; import http from "node:http" ; const CLIENT_ID = "550e8400-e29b-41d4-a716-446655440000" ; const REDIRECT_URI = "http://localhost:8080/callback" ; // Step 1: Generate PKCE parameters const codeVerifier = randomBytes ( 32 ). toString ( "hex" ); const codeChallenge = createHash ( "sha256" ) . update ( codeVerifier ) . digest ( "base64url" ); const state = randomBytes ( 16 ). toString ( "hex" ); // Step 2: Build the authorization URL const authUrl = new URL ( "https://xquik.com/api/oauth/authorize" ); authUrl . searchParams . set ( "response_type" , "code" ); authUrl . searchParams . set ( "client_id" , CLIENT_ID ); authUrl . searchParams . set ( "redirect_uri" , REDIRECT_URI ); authUrl . searchParams . set ( "code_challenge" , codeChallenge ); authUrl . searchParams . set ( "code_challenge_method" , "S256" ); authUrl . searchParams . set ( "scope" , "mcp:tools" ); authUrl . searchParams . set ( "state" , state ); console . log ( "Open this URL in your browser:" ); console . log ( authUrl . toString ()); // Step 3: Start a local server to receive the callback const server = http . createServer ( async ( req , res ) => { const url = new URL ( req . url , "http://localhost:8080" ); if ( url . pathname !== "/callback" ) { res . writeHead ( 404 ); res . end (); return ; } const code = url . searchParams . get ( "code" ); const returnedState = url . searchParams . get ( "state" ); // Verify state to prevent CSRF if ( returnedState !== state ) { res . writeHead ( 400 ); res . end ( "State mismatch" ); return ; } // Step 4: Exchange the authorization code for tokens const tokenResponse = await fetch ( "https://xquik.com/api/oauth/token" , { method: "POST" , headers: { "Content-Type" : "application/x-www-form-urlencoded" }, body: new URLSearchParams ({ grant_type: "authorization_code" , code , code_verifier: codeVerifier , client_id: CLIENT_ID , redirect_uri: REDIRECT_URI , }), }); const tokens = await tokenResponse . json (); console . log ( "Access token:" , tokens . access_token ); console . log ( "Refresh token:" , tokens . refresh_token ); console . log ( "Expires in:" , tokens . expires_in , "seconds" ); res . writeHead ( 200 , { "Content-Type" : "text/plain" }); res . end ( "Authorization complete. You can close this tab." ); server . close (); }); server . listen ( 8080 );
Where to go next
MCP Server Connect AI agents to Xquik via MCP.
MCP Tools Reference All MCP tools with input/output schemas.
API Key Auth API key authentication for REST API and MCP.
Quickstart Get your API key and make your first request.
