Generic MCP client
Any MCP-capable agent — Cursor, the MCP Inspector, and others — connects to Estratos by pointing at the raw MCP endpoint. There's no plugin to install; the OAuth flow is auto-discovered from the endpoint itself.
Point your client at the endpoint
Give your client the MCP endpoint URL:
https://estratos.ai/mcp
Copy the exact endpoint for your deployment from the Generic MCP card on Connect › Configure agents.
Authorize on first use
When your client first calls the endpoint, the OAuth consent opens in your browser. Pick the workspace to connect and click Allow. Everything before that consent screen is automatic — you don't configure a client ID, secret, or discovery URL by hand.
What you get
Generic clients get the tools only — no bundled skills. They rely on the server's built-in tool descriptions, which are written to tell an assistant how to name titles, treat paths as scopes, and use each tool correctly.
How the automatic OAuth flow works
A compliant MCP client completes this handshake on its own, but here's what happens under the hood:
- Challenge. The client calls
POST /mcpwithout a token. Estratos replies401 Unauthorizedwith aWWW-Authenticate: Bearerheader that carries aresource_metadatapointer (RFC 6750). - Discovery. The client follows that pointer to the Protected Resource Metadata (RFC 9728), which names the authorization server; it then reads the Authorization Server Metadata (RFC 8414) for the authorize, token, and registration endpoints.
- Registration. If it has no client credentials yet, the client registers itself via Dynamic Client Registration (RFC 7591) at
POST /oauth/register. No human has to create an app first. - Consent with PKCE. The client sends you to
/oauth/authorizewith a PKCEcode_challenge(S256, mandatory) and aresourceindicator equal to the canonical MCP URL (RFC 8707, required). You pick your workspace and approve. - Token. The client exchanges the authorization code (with its PKCE verifier) at
/oauth/tokenfor an access token bound to your workspace and to the MCP resource.
From then on the client sends the token as Authorization: Bearer … on every call. Access tokens expire after two hours and refresh automatically; you don't re-approve unless a token is revoked or your refresh token lapses.
If it doesn't connect
See troubleshooting for reconnecting, token expiry, and testing your connection. For the full protocol contract — every endpoint, the scopes table, and the six tools — see the MCP server reference.