Stytch Connected Apps & MCP Authorization

Treat your Stytch-secured product as an OAuth 2.0 / OIDC Authorization Server so external clients — desktop apps, AI agents, MCP servers, and third-party integrations — can request scoped, user-consented access to it. This capability composes the Connected Apps client lifecycle (create, search, update, delete clients), the OAuth Authorization endpoint flow, token issuance, IDP introspection, and the Consumer / B2B session checks that gate user consent.

Stytch Connected Apps & MCP Authorization is a Naftiko capability published by Stytch, one of 6 capabilities the APIs.io network indexes for this provider.

It can be deployed as a REST endpoint, MCP tool, or Agent Skill via Naftiko.

Tagged areas include Stytch, Connected Apps, OAuth, OIDC, and MCP.

Capability Spec

connected-apps-mcp-authorization.yaml
naftiko: 1.0.0-alpha2
info:
  label: Stytch Connected Apps & MCP Authorization
  description: >-
    Treat your Stytch-secured product as an OAuth 2.0 / OIDC Authorization Server so external clients —
    desktop apps, AI agents, MCP servers, and third-party integrations — can request scoped, user-consented
    access to it. This capability composes the Connected Apps client lifecycle (create, search, update,
    delete clients), the OAuth Authorization endpoint flow, token issuance, IDP introspection, and the
    Consumer / B2B session checks that gate user consent.
  tags:
    - Stytch
    - Connected Apps
    - OAuth
    - OIDC
    - MCP
    - AI Agents
    - Authorization
    - Consumer
    - B2B
  created: '2026-05-22'
  modified: '2026-05-22'
binds:
  - namespace: env
    keys:
      STYTCH_PROJECT_ID: STYTCH_PROJECT_ID
      STYTCH_SECRET: STYTCH_SECRET
capability:
  consumes:
    - type: http
      namespace: stytch-connected-apps
      baseUri: https://api.stytch.com/v1
      description: Stytch Connected Apps — register OAuth clients (including MCP server clients) under your project, issue tokens, and introspect identity.
      authentication:
        type: basic
        username: '{{STYTCH_PROJECT_ID}}'
        password: '{{STYTCH_SECRET}}'
      resources:
        - name: connected-app-create
          path: /connected_apps/clients
          description: Register a new Connected App (OAuth/OIDC client) — public or confidential — backing a desktop tool, web integration, AI agent, or MCP server.
          operations:
            - name: create-client
              method: POST
              outputRawFormat: json
              outputParameters:
                - name: client_id
                  type: string
                  value: $.connected_app.client_id
              body:
                type: json
                data:
                  client_name: '{{tools.client_name}}'
                  client_type: '{{tools.client_type}}'
                  redirect_urls:
                    - '{{tools.redirect_url}}'
        - name: connected-app-get
          path: /connected_apps/clients/{client_id}
          description: Retrieve a Connected App's configuration, scopes, and trusted metadata.
          operations:
            - name: get-client
              method: GET
              outputRawFormat: json
        - name: connected-app-update
          path: /connected_apps/clients/{client_id}
          description: Update redirect URLs, allowed scopes, or rotate client metadata.
          operations:
            - name: update-client
              method: PUT
              outputRawFormat: json
        - name: connected-app-delete
          path: /connected_apps/clients/{client_id}
          description: Revoke a Connected App / MCP server client.
          operations:
            - name: delete-client
              method: DELETE
              outputRawFormat: json
        - name: connected-app-search
          path: /connected_apps/clients/search
          description: Search all registered Connected Apps under a project — useful for auditing AI agent and MCP server clients.
          operations:
            - name: search-clients
              method: POST
              outputRawFormat: json
        - name: idp-introspect
          path: /idp/introspect
          description: Introspect a token issued by Stytch acting as an Identity Provider — used by Connected App clients and MCP servers to validate access tokens.
          operations:
            - name: introspect-token
              method: POST
              outputRawFormat: json
              body:
                type: json
                data:
                  token: '{{tools.token}}'
                  client_id: '{{tools.client_id}}'
  workflow:
    - step: register-mcp-client
      description: Register the MCP server (or AI agent) as a Connected App under your Stytch project, declaring redirect URLs and scopes.
      uses: connected-app-create
    - step: authorize-user
      description: Redirect end users to Stytch's Authorization Endpoint so they can review and consent to the agent's requested scopes.
      external: 'https://api.stytch.com/v1/public/{{STYTCH_PROJECT_ID}}/oauth2/authorize'
    - step: introspect-token
      description: When the MCP server / agent presents a Stytch-issued token, validate it server-side via IDP introspection before granting tool access.
      uses: idp-introspect
    - step: audit-clients
      description: Periodically search Connected Apps to inventory which agents, MCP servers, and integrations have active access.
      uses: connected-app-search
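
The introspect-token workflow step, as an added example (not Stytch's or Naftiko's code): a fail-closed check an MCP server could apply to the introspection response before running a tool. The field names (`active`, `client_id`, `scope`, `exp`) follow RFC 7662 and are assumed to match the response body; the client ID, scope names and sample responses are constructed.

```python
import time


def authorize_tool_call(introspection, expected_client_id, required_scopes, now=None):
    """Return (allowed, reason) for one tool call. Anything unexpected is a denial."""
    now = time.time() if now is None else now
    if not isinstance(introspection, dict):
        return False, "malformed introspection response"
    # RFC 7662: only the JSON boolean true means active; "true", 1 or a missing key do not.
    if introspection.get("active") is not True:
        return False, "token inactive"
    # The token must belong to the client registered for this MCP server,
    # not to some other Connected App in the same project.
    if introspection.get("client_id") != expected_client_id:
        return False, "client_id mismatch"
    # Re-check expiry locally so a cached or replayed response cannot outlive the token.
    exp = introspection.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired or exp missing"
    # 'scope' is a space-delimited string; every scope the tool needs must be present.
    scope = introspection.get("scope")
    granted = set(scope.split()) if isinstance(scope, str) else set()
    missing = sorted(set(required_scopes) - granted)
    if missing:
        return False, "missing scope: " + " ".join(missing)
    return True, "ok"


# Constructed sample data (hypothetical client ID and scopes, fixed clock).
NOW = 1_800_000_000
CLIENT = "connected-app-test-0001"
GOOD = {"active": True, "client_id": CLIENT, "scope": "openid read:notes", "exp": NOW + 300}
SAMPLES = {
    "good": GOOD,
    "revoked": {"active": False},
    "string_true": dict(GOOD, active="true"),
    "other_client": dict(GOOD, client_id="connected-app-test-0002"),
    "expired": dict(GOOD, exp=NOW - 1),
    "narrow_scope": dict(GOOD, scope="openid"),
}


def run_samples():
    """Evaluate every constructed response for a tool that needs 'read:notes'."""
    return {name: authorize_tool_call(resp, CLIENT, ["read:notes"], now=NOW)
            for name, resp in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:13} -> {verdict}")
```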