https://app.vortexiq.ai.
| Base URL | https://app.vortexiq.ai |
| MCP endpoint | POST /mcp (Streamable HTTP, JSON-RPC 2.0) |
| Register client | POST /oauth/mcp/register |
| Authorize | GET /oauth/mcp/authorize (browser) |
| Token / refresh | POST /oauth/mcp/token |
| Whoami / token check | GET /oauth/mcp/userinfo |
Discovery
Everything below is machine-discoverable — MCP clients that support discovery need nothing more than the server URL:The flow
Register a client (one time)
Dynamic Client Registration (RFC 7591) is public and self-service. Store the returned Returns
client_id — there is no secret.{"client_id":"mcp_xxx", ...}. redirect_uris must be https (localhost allowed for development). Only public clients ("token_endpoint_auth_method": "none") are accepted.Generate a PKCE verifier and challenge (per authorization)
code_verifier in memory tied to the state. S256 is mandatory — plain is rejected.Send the user to authorize
Open in a browser:The user signs in with their existing Vortex IQ (Google) login and clicks Allow. Vortex IQ redirects back to
<REDIRECT_URI>?code=<AUTH_CODE>&state=<RANDOM>. Verify state matches — the code is single-use and expires in about 5 minutes.Call the MCP endpoint
Send
Authorization: Bearer <access_token> on every request to POST https://app.vortexiq.ai/mcp. The endpoint speaks initialize, tools/list, tools/call and ping, and exposes the 30 read-only tools scoped to the signed-in user. GET and DELETE return 405 — there is no server-initiated stream.GET /oauth/mcp/userinfo works as a lightweight token health check: 200 means the token is valid, 401 means re-authenticate.Rules and gotchas
- HTTPS only.
redirect_urismust be https;localhostis allowed only in development. - PKCE S256 required. No client secret is used or accepted.
- Audience binding. Always send
resource=https://app.vortexiq.ai(RFC 8707). Tokens minted for a different audience are rejected. - On 401 the response carries
WWW-Authenticate: Bearer resource_metadata="https://app.vortexiq.ai/.well-known/oauth-protected-resource"— follow it to re-discover endpoints and re-authenticate. - Token lifetimes: access token about 1 hour, refresh token about 30 days, authorization code about 5 minutes.
- Permissions. The token acts as the signed-in user, with the same organisation and role permissions that user already has in Vortex IQ.