Endpoints
| Step | Method | URL |
|---|---|---|
| Authorize | GET | https://mcp.echozero.app/oauth/authorize |
| Token | POST | https://mcp.echozero.app/oauth/token |
| Introspect | POST | https://mcp.echozero.app/oauth/introspect |
| Verify status | GET | https://mcp.echozero.app/status |
https://devportal.echozero.app/mcp/oauth/authorize.
Browser consent flow
- Your client redirects the user to
GET https://mcp.echozero.app/oauth/authorizewith PKCEcode_challengeandstate. - The user signs in (if needed) and approves access at devportal.echozero.app/mcp/oauth/authorize.
- Echo Zero redirects back to your
redirect_uriwith an authorizationcode. - Exchange the code at
POST https://mcp.echozero.app/oauth/token. - Call protected routes with
Authorization: Bearer <access_token>.
Full PKCE parameter reference, token refresh, and MCP session header details will be expanded in a follow-up update.