OAuth 2.1
Nico implements an OAuth 2.1 authorization server for third-party applications and MCP server connections.
Overview
OAuth 2.1 allows external applications to access your Nico account with your permission, without sharing your password. This is how AI assistants connect to the MCP server.
Discovery
Nico publishes an OAuth metadata document following RFC 8414:
GET /.well-known/oauth-authorization-server
This returns all endpoints, supported grant types, and available scopes.
Authorization flow
Nico uses the authorization code grant type:
Endpoints
| Endpoint | Method | Description |
|---|---|---|
| /oauth/authorize | POST | Authorization endpoint — redirect users here |
| /oauth/token | POST | Token endpoint — exchange code for access token |
| /.well-known/oauth-authorization-server | GET | OAuth metadata discovery |
Scopes
| Scope | Description |
|---|---|
| mcp | Access the MCP server tools |
The MCP server requires the mcp scope. Without it, MCP tool calls will be rejected.
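The following is an added example, not code from Nico or from any MCP client, showing what a client does with the discovery document, the authorization code flow and the mcp scope described above. It assumes Nico follows the OAuth 2.1 requirement of PKCE (S256) for the authorization code grant, which this page does not spell out; the issuer host nico.example, the client id, the redirect URI and the metadata field values other than the endpoint paths shown on the page are constructed for the example. Only the standard library is used, and nothing is sent over the network.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode

# Constructed sample of the RFC 8414 document that
# GET /.well-known/oauth-authorization-server would return.
# Endpoint paths match the page; every other value is an assumption.
ISSUER = "https://nico.example"
SAMPLE_METADATA = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/oauth/authorize",
    "token_endpoint": ISSUER + "/oauth/token",
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "response_types_supported": ["code"],
    "code_challenge_methods_supported": ["S256"],
    "scopes_supported": ["mcp"],
})

REQUIRED_SCOPE = "mcp"  # the scope the MCP server requires


def parse_metadata(raw: str, expected_issuer: str) -> dict:
    """Parse the discovery document and reject anything a client should not trust."""
    meta = json.loads(raw)
    if meta.get("issuer") != expected_issuer:
        raise ValueError("issuer in metadata does not match the server we asked")
    for key in ("authorization_endpoint", "token_endpoint"):
        if not str(meta.get(key, "")).startswith("https://"):
            raise ValueError(f"{key} missing or not https")
    if "authorization_code" not in meta.get("grant_types_supported", []):
        raise ValueError("server does not offer the authorization code grant")
    if "S256" not in meta.get("code_challenge_methods_supported", []):
        raise ValueError("server does not support PKCE S256")
    if REQUIRED_SCOPE not in meta.get("scopes_supported", []):
        raise ValueError(f"server does not advertise the {REQUIRED_SCOPE} scope")
    return meta


def new_verifier() -> str:
    """32 random bytes -> 43 URL-safe chars, inside RFC 7636's 43..128 range."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(verifier)) without padding."""
    if not 43 <= len(verifier) <= 128:
        raise ValueError("code_verifier length out of range")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_url(meta: dict, client_id: str, redirect_uri: str,
                            verifier: str, state: str) -> str:
    """URL the user is sent to; this is where the consent screen is shown."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": REQUIRED_SCOPE,
        "state": state,  # bound to the session so the callback can be matched
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return meta["authorization_endpoint"] + "?" + urlencode(params)


def token_request_body(client_id: str, redirect_uri: str, code: str, verifier: str) -> dict:
    """Form fields POSTed to /oauth/token to exchange the code for a token."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": verifier,  # proves we started the flow
    }


def check_token_response(raw: str) -> str:
    """Return the access token only if the server granted the mcp scope."""
    resp = json.loads(raw)
    if str(resp.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type")
    # RFC 6749: a missing scope field means the requested scope was granted.
    granted = resp.get("scope", REQUIRED_SCOPE).split()
    if REQUIRED_SCOPE not in granted:
        raise ValueError("token lacks the mcp scope; MCP tool calls would be rejected")
    return resp["access_token"]


if __name__ == "__main__":
    meta = parse_metadata(SAMPLE_METADATA, ISSUER)
    verifier, state = new_verifier(), secrets.token_urlsafe(16)
    print(build_authorization_url(meta, "example-client", "http://127.0.0.1:8765/cb",
                                  verifier, state))
    print(token_request_body("example-client", "http://127.0.0.1:8765/cb",
                             "CODE-FROM-CALLBACK", verifier))
```

The checks in parse_metadata and check_token_response are the parts worth keeping: a client that trusts whatever issuer the metadata names, or that stores a token without confirming the mcp scope was actually granted, will fail later with a rejected tool call rather than at the point where the problem is easy to diagnose.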
Managing grants
You can view and revoke OAuth grants in your account:
- View active grants: See which applications have access to your account
- Revoke a grant: Remove an application’s access immediately
API endpoints for grant management
| Endpoint | Method | Description |
|---|---|---|
| /api/oauth_grants | GET | List your active OAuth grants |
| /api/oauth_grants/:id | DELETE | Revoke a specific grant |
For MCP connections
If you’re connecting an AI assistant via MCP, the assistant handles the OAuth flow for you. You’ll see a consent screen asking you to approve access — click Authorize to connect.
The resulting token is stored by the MCP client (e.g., Claude Desktop) and used automatically for future requests.