Documentation

Authentication

How WhatWins secures MCP access with OAuth 2.1, PKCE and organization-scoped static keys.

WhatWins supports two authentication modes. OAuth is recommended for graphical apps; static keys are available for CLI and raw HTTP clients.

OAuth 2.1

The remote server implements Authorization Code with PKCE (S256), dynamic client registration, refresh tokens and explicit consent for the whatwins:read scope.

Authorization server metadata
https://whatwins.io/.well-known/oauth-authorization-server

Protected resource metadata
https://whatwins.io/.well-known/oauth-protected-resource

The flow is:

  1. The client discovers the protected resource and authorization server.
  2. The client registers itself dynamically.
  3. WhatWins asks the signed-in user to select one eligible organization.
  4. The user grants read access.
  5. The client exchanges the authorization code using its PKCE verifier.

The OAuth access token identifies the user and selected organization. WhatWins re-checks membership, role and plan eligibility on every request, so revoked workspace access takes effect without waiting for the connector to be removed.

Static MCP keys

Create static keys from Organization settings → WhatWins AI → MCP access → Claude Code.

Authorization: Bearer ww_mcp_your_token

Keys are:

  • scoped to one organization;
  • displayed only when created;
  • stored by WhatWins as a SHA-256 hash;
  • expiring and immediately revocable;
  • suitable only for secure local configuration or server-side secret storage.

Never put a key in public code

Do not commit a ww_mcp_ key, paste it into support messages or expose it in browser JavaScript. Revoke and replace a key immediately if it leaks.

Authorization boundaries

Authentication does not bypass product access. Every MCP call is still bounded by the selected organization, the caller's current membership, their role, plan eligibility, rate limits and available WhatWins AI data credits.

Raw tracked-store IDs are accepted only when the connected organization tracks those stores. Global discovery tools return only indexed, bounded results.

Revoking access

For OAuth, remove the connector in Claude or ChatGPT and revoke its authorization from your WhatWins settings when available. For a static key, select Revoke beside the key. A revoked key stops authenticating immediately.