Connect And Auth
Connect MCP clients with Streamable HTTP, OAuth, workspace approval, and scopes.
Endpoint
https://www.videotok.app/api/mcp
OAuth Flow
Most MCP clients handle this automatically, but the flow is:
- Discover OAuth metadata from /.well-known/oauth-authorization-server and /.well-known/oauth-protected-resource/api/mcp.
- Register the MCP client with /api/mcp/oauth/register.
- Redirect the user to /api/mcp/oauth/authorize with authorization-code PKCE (S256).
- If needed, the user signs in to Videotok.
- The user chooses and approves a workspace.
- The client exchanges the returned code at /api/mcp/oauth/token.
- MCP calls use Authorization: Bearer vt_mcp_... against /api/mcp.
- Refresh tokens rotate through grant_type=refresh_token.
Auth codes, OAuth state, and approval tokens expire after 10 minutes.
Access tokens last 7 days. Refresh tokens last 90 days.
Scopes
The default OAuth request grants generations:read generations:write.
Clients that need publishing must explicitly request social:read social:write during OAuth.
| Scope | Allows |
|---|---|
| generations:read | Read workspace creation context and inspect generated assets. |
| generations:write | Create generations, slideshows, faceless videos, reference inspirations, editor projects, uploads, and edits. |
| social:read | List connected social accounts. |
| social:write | Publish completed media to connected social accounts. |
Workspace/data read tools accept generations:read or generations:write when the data belongs to the authenticated workspace.
Write tools require generations:write.
Social publishing requires social:write and a user-authenticated MCP connection.
Limits
OAuth registration is rate-limited to 20 requests per 60 seconds.
The token endpoint is rate-limited to 60 requests per 60 seconds.
Redirect URIs must be HTTPS, except localhost or loopback HTTP redirects for local clients. Redirect URIs cannot include fragments.
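
The following is an added example, not Videotok's own code. It shows how a client could prepare the authorize redirect from the OAuth Flow section: pre-check the redirect URI against the rules above, derive the S256 challenge, and accept the callback only while the state is valid. The query parameter names follow RFC 6749 and RFC 7636, which is an assumption about this server; the helper names and the client ID used with them are hypothetical.

```python
import base64, hashlib, ipaddress, secrets, time
from urllib.parse import urlencode, urlsplit

AUTHORIZE_URL = "https://www.videotok.app/api/mcp/oauth/authorize"
STATE_TTL = 10 * 60  # the page says OAuth state expires after 10 minutes

def redirect_uri_allowed(uri):
    """Pre-check a redirect URI against the rules stated on this page."""
    try:
        parts = urlsplit(uri)
        host = parts.hostname
    except ValueError:
        return False
    if "#" in uri or not host or parts.scheme not in ("http", "https"):
        return False                      # fragments are rejected
    if parts.scheme == "https" or host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback  # plain HTTP: loopback only
    except ValueError:
        return False                      # e.g. localhost.client.example

def s256_challenge(verifier):
    """code_challenge = BASE64URL(SHA256(verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorize_request(client_id, redirect_uri,
                            scopes=("generations:read", "generations:write")):
    """Return (url, pending); keep `pending` client-side until the callback."""
    if not redirect_uri_allowed(redirect_uri):
        raise ValueError("redirect URI breaks the documented rules")
    verifier = secrets.token_urlsafe(64)  # 86 chars, inside the 43-128 range
    state = secrets.token_urlsafe(32)
    query = urlencode({
        "response_type": "code", "client_id": client_id,
        "redirect_uri": redirect_uri, "scope": " ".join(scopes),
        "state": state, "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
    })
    pending = {"state": state, "code_verifier": verifier,
               "expires_at": time.time() + STATE_TTL}
    return AUTHORIZE_URL + "?" + query, pending

def callback_ok(pending, returned_state, now=None):
    """Accept the callback only if state matches and has not expired."""
    now = time.time() if now is None else now
    same = secrets.compare_digest(pending["state"].encode(), returned_state.encode())
    return same and now < pending["expires_at"]
```

The `code_verifier` kept in `pending` is what the client sends when it exchanges the returned code at /api/mcp/oauth/token. To request publishing, pass the social scopes explicitly in `scopes`.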