Generic MCP client

Any MCP-capable agent — Cursor, the MCP Inspector, and others — connects to Estratos by pointing at the raw MCP endpoint. There's no plugin to install; the OAuth flow is auto-discovered from the endpoint itself.

Point your client at the endpoint

Give your client the MCP endpoint URL:

https://estratos.ai/mcp

Copy the exact endpoint for your deployment from the Generic MCP card on Connect › Configure agents.

Authorize on first use

When your client first calls the endpoint, the OAuth consent opens in your browser. Pick the workspace to connect and click Allow. Everything before that consent screen is automatic — you don't configure a client ID, secret, or discovery URL by hand.

What you get

Generic clients get the tools only — no bundled skills. They rely on the server's built-in tool descriptions, which are written to tell an assistant how to name titles, treat paths as scopes, and use each tool correctly.

How the automatic OAuth flow works

A compliant MCP client completes this handshake on its own, but here's what happens under the hood:

  1. Challenge. The client calls POST /mcp without a token. Estratos replies 401 Unauthorized with a WWW-Authenticate: Bearer header that carries a resource_metadata pointer (RFC 6750).
  2. Discovery. The client follows that pointer to the Protected Resource Metadata (RFC 9728), which names the authorization server; it then reads the Authorization Server Metadata (RFC 8414) for the authorize, token, and registration endpoints.
  3. Registration. If it has no client credentials yet, the client registers itself via Dynamic Client Registration (RFC 7591) at POST /oauth/register. No human has to create an app first.
  4. Consent with PKCE. The client sends you to /oauth/authorize with a PKCE code_challenge (S256, mandatory) and a resource indicator equal to the canonical MCP URL (RFC 8707, required). You pick your workspace and approve.
  5. Token. The client exchanges the authorization code (with its PKCE verifier) at /oauth/token for an access token bound to your workspace and to the MCP resource.

From then on the client sends the token as Authorization: Bearer … on every call. Access tokens expire after two hours and refresh automatically; you don't re-approve unless a token is revoked or your refresh token lapses.

If it doesn't connect

See troubleshooting for reconnecting, token expiry, and testing your connection. For the full protocol contract — every endpoint, the scopes table, and the six tools — see the MCP server reference.