Authentication
How WhatWins secures MCP access with OAuth 2.1, PKCE and organization-scoped static keys.
WhatWins supports two authentication modes. OAuth is recommended for graphical apps; static keys are available for CLI and raw HTTP clients.
OAuth 2.1
The remote server implements Authorization Code with PKCE (S256), dynamic client registration, refresh tokens and explicit consent for the whatwins:read scope.
Authorization server metadata
https://whatwins.io/.well-known/oauth-authorization-server
Protected resource metadata
https://whatwins.io/.well-known/oauth-protected-resourceThe flow is:
- The client discovers the protected resource and authorization server.
- The client registers itself dynamically.
- WhatWins asks the signed-in user to select one eligible organization.
- The user grants read access.
- The client exchanges the authorization code using its PKCE verifier.
The OAuth access token identifies the user and selected organization. WhatWins re-checks membership, role and plan eligibility on every request, so revoked workspace access takes effect without waiting for the connector to be removed.
Static MCP keys
Create static keys from Organization settings → WhatWins AI → MCP access → Claude Code.
Authorization: Bearer ww_mcp_your_tokenKeys are:
- scoped to one organization;
- displayed only when created;
- stored by WhatWins as a SHA-256 hash;
- expiring and immediately revocable;
- suitable only for secure local configuration or server-side secret storage.
Never put a key in public code
Do not commit a ww_mcp_ key, paste it into support messages or expose it in
browser JavaScript. Revoke and replace a key immediately if it leaks.
Authorization boundaries
Authentication does not bypass product access. Every MCP call is still bounded by the selected organization, the caller's current membership, their role, plan eligibility, rate limits and available WhatWins AI data credits.
Raw tracked-store IDs are accepted only when the connected organization tracks those stores. Global discovery tools return only indexed, bounded results.
Revoking access
For OAuth, remove the connector in Claude or ChatGPT and revoke its authorization from your WhatWins settings when available. For a static key, select Revoke beside the key. A revoked key stops authenticating immediately.