Security
OAuth
Claude.ai can connect to MiraDock without copying or exposing your write token.
Why OAuth?
OAuth is the safest path for browser-based connectors. Instead of asking you to paste a write token into another app, MiraDock shows a consent screen and issues scoped OAuth credentials to the connector after you approve it.
Who uses OAuth
MiraDock's current user-facing OAuth path is for Claude on the web and Claude Desktop connector flows. Token-based clients such as Claude Code, Cursor, Codex CLI, and legacy desktop setups still use bearer write tokens.
The OAuth flow
- Add MiraDock as a custom connector in Claude.ai or Claude Desktop.
- Claude sends you to MiraDock to authorize the connector.
- MiraDock asks you to sign in if you are not already signed in.
- You review the requested read and write permissions, then choose Allow.
- Claude receives OAuth tokens and the connection appears in Connected apps.
The shipped flow uses short-lived authorization codes, access tokens, and refresh tokens behind the scenes. As a user, the important controls are the consent screen and the Connected apps list.
Scopes
MiraDock currently exposes two OAuth scopes for MCP connectors.
| Scope | What it allows |
|---|---|
| mcp:read | Lets the connected app read MCP resources and use read-oriented tools as your account. |
| mcp:write | Lets the connected app use MCP write tools. OAuth access with this scope is treated as write scope by the MCP server. |
Managing connected apps
Open /app/mcp, then use the Connected apps section to see authorized OAuth clients, their scopes, when they were first authorized, and when they were last used.
Revoking access
Click Revoke next to a connected app in /app/mcp. MiraDock revokes the app's active OAuth tokens and consent record, so the app loses access immediately.