> ## Documentation Index
> Fetch the complete documentation index at: https://docs.echozero.app/llms.txt
> Use this file to discover all available pages before exploring further.

# OAuth 2.1

> Authorization code + PKCE for AI assistant and CLI clients.

Echo Zero supports OAuth 2.1 authorization code with PKCE for clients that cannot safely store long-lived API keys (Claude connectors, ChatGPT apps, local CLIs).

## Endpoints

| Step          | Method | URL                                         |
| ------------- | ------ | ------------------------------------------- |
| Authorize     | `GET`  | `https://mcp.echozero.app/oauth/authorize`  |
| Token         | `POST` | `https://mcp.echozero.app/oauth/token`      |
| Introspect    | `POST` | `https://mcp.echozero.app/oauth/introspect` |
| Verify status | `GET`  | `https://mcp.echozero.app/status`           |

User consent is handled in the Dev Portal at `https://devportal.echozero.app/mcp/oauth/authorize`.

## Browser consent flow

1. Your client redirects the user to `GET https://mcp.echozero.app/oauth/authorize` with PKCE `code_challenge` and `state`.
2. The user signs in (if needed) and approves access at [devportal.echozero.app/mcp/oauth/authorize](https://devportal.echozero.app/mcp/oauth/authorize).
3. Echo Zero redirects back to your `redirect_uri` with an authorization `code`.
4. Exchange the code at `POST https://mcp.echozero.app/oauth/token`.
5. Call protected routes with `Authorization: Bearer <access_token>`.

<Note>
  Full PKCE parameter reference, token refresh, and MCP session header details will be expanded in a follow-up update.
</Note>
