MCP Authentication
Configure OAuth authentication for the Seal MCP server
The Seal MCP server uses Clerk OAuth 2.0 for secure authentication. This guide walks you through configuring OAuth access for AI assistants.
Authentication Flow
- Authorization Request: MCP client redirects to Clerk authorization page
- User Consent: You authorize access and select organization
- Authorization Code: Clerk returns authorization code to MCP client
- Token Exchange: MCP client exchanges code for access token
- API Access: MCP client uses access token for all API requests
Claude Desktop Setup
Add Seal to your Claude Desktop configuration file:
macOS
Edit ~/Library/Application Support/Claude/claude_desktop_config.json:
{
  "mcpServers": {
    "seal": {
      "url": "https://mcp.seal.nyc",
      "auth": {
        "type": "oauth",
        "authorizationUrl": "https://mcp.seal.nyc/.well-known/oauth-authorization-server"
      }
    }
  }
}
Windows
Edit %APPDATA%\Claude\claude_desktop_config.json:
{
  "mcpServers": {
    "seal": {
      "url": "https://mcp.seal.nyc",
      "auth": {
        "type": "oauth",
        "authorizationUrl": "https://mcp.seal.nyc/.well-known/oauth-authorization-server"
      }
    }
  }
}
Linux
Edit ~/.config/Claude/claude_desktop_config.json:
{
  "mcpServers": {
    "seal": {
      "url": "https://mcp.seal.nyc",
      "auth": {
        "type": "oauth",
        "authorizationUrl": "https://mcp.seal.nyc/.well-known/oauth-authorization-server"
      }
    }
  }
}
First-Time Authorization
- Restart Claude Desktop after updating configuration
- Trigger MCP: Ask Claude to interact with Seal (e.g., "List my documents")
- Authorize: Claude opens browser for authorization
- Sign In: Sign in to your Seal account if not already signed in
- Select Organization: Choose which organization to connect
- Grant Access: Click "Authorize" to grant Claude access
- Return to Claude: Browser redirects back to Claude Desktop
Organization Selection: You can only connect one organization at a time. To switch organizations, revoke access and re-authorize.
OAuth Scopes
The MCP server requests full API access with all scopes:
- seal:documents:read - Read documents
- seal:documents:write - Create, update, delete documents
- seal:templates:read - Read templates
- seal:templates:write - Create, update, delete templates
- seal:recipients:read - Read recipients
- seal:recipients:write - Manage recipients
- seal:signatures:read - Read signatures and audit trails
Token Management
Token Storage
OAuth tokens are stored securely by the MCP client (Claude Desktop):
- macOS: Keychain
- Windows: Credential Manager
- Linux: Secret Service API
Token Refresh
Access tokens expire after 1 hour. The MCP client automatically refreshes tokens using the refresh token.
Token Revocation
Revoke MCP access from your Clerk dashboard:
- Go to Clerk Dashboard
- Navigate to Sessions
- Find the MCP session
- Click Revoke
OAuth Endpoints
Authorization Server Metadata
GET https://mcp.seal.nyc/.well-known/oauth-authorization-server
Returns OAuth 2.0 server metadata including:
- Authorization endpoint
- Token endpoint
- Supported grant types
- Supported scopes
Protected Resource Metadata
GET https://mcp.seal.nyc/.well-known/oauth-protected-resource/mcp
Returns protected resource metadata including:
- Resource server identifier
- Required scopes
- Token introspection endpoint
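One way to review the authorization server metadata before trusting it, as an added example (not Seal's or Clerk's code). It assumes the document uses the standard RFC 8414 field names; the host names, the sample documents and the `seal:billing:write` scope are constructed placeholders, and the PKCE check is a general OAuth hardening check that this page does not mention.

```python
from urllib.parse import urlsplit

# The seven scopes this page documents.
DOCUMENTED_SCOPES = {
    "seal:documents:read", "seal:documents:write",
    "seal:templates:read", "seal:templates:write",
    "seal:recipients:read", "seal:recipients:write",
    "seal:signatures:read",
}
URL_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint")  # RFC 8414 names
WEAK_GRANTS = {"implicit", "password"}

def audit_metadata(meta, allowed_hosts):
    """Return a list of findings for a parsed RFC 8414 metadata document."""
    findings = []
    for field in URL_FIELDS:
        url = urlsplit(str(meta.get(field, "")))
        if not url.hostname:
            findings.append(f"{field}: missing or not a URL")
        elif url.scheme != "https":
            findings.append(f"{field}: not https")
        elif url.hostname not in allowed_hosts:
            findings.append(f"{field}: unexpected host {url.hostname}")
    # RFC 8414: when the field is omitted the default is authorization_code + implicit.
    grants = set(meta.get("grant_types_supported", ["authorization_code", "implicit"]))
    if "authorization_code" not in grants:
        findings.append("grant_types_supported: authorization_code not offered")
    for grant in sorted(grants & WEAK_GRANTS):
        findings.append(f"grant_types_supported: weak grant {grant}")
    if "S256" not in meta.get("code_challenge_methods_supported", []):
        findings.append("code_challenge_methods_supported: PKCE S256 not advertised")
    for scope in sorted(set(meta.get("scopes_supported", [])) - DOCUMENTED_SCOPES):
        findings.append(f"scopes_supported: undocumented scope {scope}")
    return findings

# Constructed samples; hosts are placeholders, not Seal's or Clerk's real values.
GOOD = {
    "issuer": "https://auth.example.test",
    "authorization_endpoint": "https://auth.example.test/oauth/authorize",
    "token_endpoint": "https://auth.example.test/oauth/token",
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "code_challenge_methods_supported": ["S256"],
    "scopes_supported": sorted(DOCUMENTED_SCOPES),
}
BAD = dict(GOOD, token_endpoint="http://auth.example.test/oauth/token",
           authorization_endpoint="https://login.example.invalid/authorize",
           grant_types_supported=["implicit"],
           scopes_supported=["seal:documents:read", "seal:billing:write"])

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_metadata(doc, {"auth.example.test"}))
```

Pin `allowed_hosts` to the hosts seen on a first reviewed fetch, so that a later change of endpoint host shows up as a finding.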
Security Considerations
What MCP Can Access
With your authorization, the MCP server can:
- ✓ Read all documents in your selected organization
- ✓ Create, update, and delete documents
- ✓ Manage recipients and send documents
- ✓ Access templates and signatures
- ✓ View audit trails
What MCP Cannot Access
The MCP server cannot:
- ✗ Access other organizations you belong to
- ✗ Change organization settings
- ✗ Manage billing or subscriptions
- ✗ Access your Clerk account settings
- ✗ Impersonate you in the web application
Best Practices
- Review Permissions: Understand what access you're granting
- Monitor Activity: Check audit trails for MCP actions
- Revoke When Done: Revoke access if you stop using MCP
- Use Separate Org: Consider using a separate organization for testing
- Report Issues: Report suspicious activity immediately
Troubleshooting
Authorization Fails
Problem: Browser doesn't open or authorization fails
Solutions:
- Check Claude Desktop configuration syntax
- Ensure you're signed in to Seal
- Try restarting Claude Desktop
- Check browser console for errors
Token Expired
Problem: "Token expired" error after some time
Solution: MCP client should auto-refresh. If it doesn't:
- Revoke access from Clerk dashboard
- Re-authorize in Claude Desktop
Wrong Organization
Problem: MCP is connected to wrong organization
Solution:
- Revoke access from Clerk dashboard
- Re-authorize and select correct organization
Permission Denied
Problem: "Permission denied" errors for certain actions
Solution:
- Check your role in the organization
- Ensure you have required permissions
- Contact organization admin if needed
API Key Fallback
For stdio mode (local development), you can use API keys instead of OAuth:
{
  "mcpServers": {
    "seal": {
      "command": "node",
      "args": ["/path/to/mcp-server/dist/index.js"],
      "env": {
        "SEAL_API_KEY": "ak_your_api_key_here"
      }
    }
  }
}
Development Only: API key authentication is only supported in stdio mode for local development. Production MCP servers must use OAuth.
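A configuration check for the rule above, as an added example (not part of Seal's tooling): it reads a Claude Desktop config and reports entries that carry a static API key or whose OAuth settings differ from the pattern shown on this page. The entry names `seal-dev` and `seal-lookalike`, the secret-name heuristic and the same-host rule for `authorizationUrl` are assumptions made for the example.

```python
import json
from urllib.parse import urlsplit

SECRET_HINTS = ("KEY", "TOKEN", "SECRET")  # assumed naming heuristic for secrets

def audit_config(text):
    """Return findings for every entry under mcpServers in the config text."""
    findings = []
    for name, entry in json.loads(text).get("mcpServers", {}).items():
        # Static credentials in env: the page allows this for local stdio only.
        for var in sorted(entry.get("env", {})):
            if any(hint in var.upper() for hint in SECRET_HINTS):
                findings.append(f"{name}: static credential in env var {var}")
        if "url" not in entry:
            continue  # stdio entry, nothing remote to check
        url = urlsplit(entry["url"])
        auth = entry.get("auth", {})
        if url.scheme != "https":
            findings.append(f"{name}: url is not https")
        if auth.get("type") != "oauth":
            findings.append(f"{name}: remote server without oauth auth block")
            continue
        meta = urlsplit(auth.get("authorizationUrl", ""))
        if (meta.scheme, meta.hostname) != ("https", url.hostname):
            findings.append(f"{name}: authorizationUrl is not https on the url host")
    return findings

# Constructed config: the page's OAuth entry, its stdio fallback, and a mismatch.
WELL_KNOWN = "/.well-known/oauth-authorization-server"
SAMPLE = json.dumps({"mcpServers": {
    "seal": {"url": "https://mcp.seal.nyc", "auth": {
        "type": "oauth", "authorizationUrl": "https://mcp.seal.nyc" + WELL_KNOWN}},
    "seal-dev": {"command": "node", "args": ["/path/to/mcp-server/dist/index.js"],
                 "env": {"SEAL_API_KEY": "ak_your_api_key_here"}},
    "seal-lookalike": {"url": "https://mcp.seal.nyc", "auth": {
        "type": "oauth", "authorizationUrl": "https://mcp.example.invalid" + WELL_KNOWN}},
}})

if __name__ == "__main__":
    for finding in audit_config(SAMPLE):
        print(finding)
```

The findings name the environment variable but never print its value, so the output is safe to paste into a ticket.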
Next Steps
- MCP Tools - Complete tool reference
- API Reference - Underlying REST API
- Authentication Guide - API key authentication