Connect any MCP client
SharedMemory's remote MCP server is a vanilla MCP endpoint with OAuth 2.1 authentication. Any MCP client that supports remote HTTP servers can connect — whether it's a published AI app or your own internal tool.
The discovery flow
Point your client at:
https://api.sharedmemory.ai/mcp
A well-behaved client will:
- Make a request to /mcp without auth
- Receive a 401 Unauthorized with this header:
  WWW-Authenticate: Bearer realm="SharedMemory",error="invalid_token",resource_metadata="https://api.sharedmemory.ai/.well-known/oauth-protected-resource"
- Fetch the resource metadata to discover the auth server (also us)
- Fetch /.well-known/oauth-authorization-server for OAuth endpoints
- Register itself with POST /oauth/register (RFC 7591)
- Drive the user through GET /oauth/authorize with PKCE
- Exchange the resulting code at POST /oauth/token
- Use the issued access_token as a Bearer for every subsequent /mcp call
Everything here is standard. Any reference OAuth 2.1 + MCP client implementation will Just Work.
Endpoints
| Endpoint | Purpose |
|---|---|
| GET /.well-known/oauth-protected-resource | Resource metadata (RFC 9728) |
| GET /.well-known/oauth-authorization-server | Authorization server metadata (RFC 8414) |
| POST /oauth/register | Dynamic Client Registration (RFC 7591) |
| GET /oauth/authorize | Authorization request — redirects user to consent |
| POST /oauth/token | Token endpoint — code → access_token + refresh_token |
| POST /oauth/revoke | Token revocation (RFC 7009) |
| POST /mcp | JSON-RPC MCP requests (Streamable HTTP transport) |
| GET /mcp | Optional SSE event stream for server→client notifications |
Required parameters
OAuth authorize:
| Parameter | Required | Notes |
|---|---|---|
| response_type | yes | Must be code |
| client_id | yes | From DCR or pre-provisioned |
| redirect_uri | yes | Must exactly match a registered URI |
| code_challenge | yes | PKCE, S256 only |
| code_challenge_method | yes | Must be S256 |
| state | recommended | CSRF protection |
| scope | optional | Space-delimited; defaults to memory:read memory:write feedback documents:read |
Supported scopes:
- memory:read
- memory:write
- memory:delete
- feedback
- documents:read
- offline_access — issue a refresh token
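The authorize parameters above, as a client would build and check them. This is an added example, not SharedMemory's own code: the client_id and redirect URI are constructed placeholders, and the authorize URL is assembled from the endpoint table rather than read from the server metadata.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Path from the endpoint table; a real client reads it from the
# /.well-known/oauth-authorization-server metadata instead.
AUTHORIZE_URL = "https://api.sharedmemory.ai/oauth/authorize"

def s256_challenge(code_verifier: str) -> str:
    """PKCE S256: BASE64URL(SHA-256(verifier)) without '=' padding (RFC 7636)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorize_request(client_id: str, redirect_uri: str, scope: str):
    """Return (url, code_verifier, state); keep the last two in the session."""
    code_verifier = secrets.token_urlsafe(64)  # 86 chars, within the 43..128 limit
    state = secrets.token_urlsafe(32)          # unguessable, bound to this attempt
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_challenge": s256_challenge(code_verifier),
        "code_challenge_method": "S256",
        "state": state,
        "scope": scope,
    })
    return f"{AUTHORIZE_URL}?{query}", code_verifier, state

def code_from_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code only if state matches what we sent."""
    params = parse_qs(urlparse(callback_url).query)
    returned = params.get("state", [""])[0]
    if not hmac.compare_digest(returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard this callback")
    if "error" in params or "code" not in params:
        raise ValueError("authorization failed or code missing")
    return params["code"][0]

if __name__ == "__main__":
    # Constructed values: client_id and redirect_uri are placeholders.
    url, verifier, state = build_authorize_request(
        "example-client-id", "http://127.0.0.1:8765/callback",
        "memory:read offline_access")
    print(url)
```

The code_verifier never leaves the client until the POST /oauth/token exchange, where it is sent alongside the code.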
Token lifetimes
- Access token: 1 hour
- Refresh token: 90 days, single-use (rotated on every refresh)
Use the refresh token via grant_type=refresh_token to get a new access token. Refresh tokens older than 90 days or already-used refresh tokens are invalid — both indicate a leak and you should ask the user to reconnect.
Reference clients
Any of these will work without modification:
- @modelcontextprotocol/inspector — official MCP debugger
- mcp-remote — proxies a remote MCP server through stdio
- Anthropic's MCP Python SDK (mcp.client.streamable_http)
- Anthropic's MCP TypeScript SDK (StreamableHTTPClientTransport)
Example with mcp-remote (for legacy stdio-only clients)
If you have a client that only speaks stdio MCP, you can bridge it:
npx mcp-remote https://api.sharedmemory.ai/mcp
This opens a browser, completes OAuth, and proxies a local stdio connection to the remote endpoint.
Custom redirect URIs
If you're building your own client and you don't want to register dynamically, contact us at support@sharedmemory.ai to pre-provision a client_id with your specific redirect URIs. This skips the DCR step and lets us flag your client as is_official (which can streamline consent UX for your users).
Webhooks (coming soon)
We don't yet emit server→client MCP notifications, but the GET /mcp SSE endpoint is wired up. When we add real-time hooks (memory created, conflict detected, etc.), it'll work transparently for any client that keeps the stream open.