The Trustgrid MCP server requires authentication for every request. There are two ways to provide credentials.
OAuth 2.0
The server implements OAuth 2.0 per the MCP authorization spec. Clients that support the OAuth handshake, including Claude Desktop and Claude Code, will automatically open a browser-based login when you first connect. After you authorize, the client manages token refresh without further intervention.
No manual token setup is required for OAuth-capable clients. Just point the client at the MCP URL.
The OAuth authorization server metadata is available at:
https://mcp.<domain>.trustgrid.io/.well-known/oauth-authorization-server
API token
An API token is a clientId:clientSecret pair tied to your Trustgrid user account. It carries the same permissions as your portal account.
Generate a token:
- Log into the Trustgrid portal
- Navigate to User Management → API Access
- Click Generate API keys
Use the token:
Pass the token as an HTTP Authorization header using the trustgrid-token scheme:
Authorization: trustgrid-token YOUR_CLIENT_ID:YOUR_CLIENT_SECRET
In most MCP client configs, this goes in a headers block alongside the server URL.
Auth error handling
| Response | Meaning | Fix |
|---|---|---|
| 401 Unauthorized | Missing or malformed Authorization header | Check that the header is present and correctly formatted |
| 401 with WWW-Authenticate header | Server is requesting OAuth | Your client should initiate the OAuth flow; if it doesn't, provide a static token instead |
| 403 Forbidden | Token is valid but lacks required scope | The credential doesn't have permission for the requested operation — check API key permissions or generate a new key |
If you see a WWW-Authenticate challenge with a resource_metadata URL and your client doesn't handle OAuth, you need to provide a static API token or JWT directly in the config header.
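The following is an added example, not Trustgrid code: it builds the trustgrid-token header from the API token section, masks the secret before logging, and maps a response to the rows of the error table. The function names, the rule that a client ID contains no colon, the Bearer challenge format and the sample URL are assumptions made for illustration.

```python
import re

SCHEME = "trustgrid-token"  # scheme name as given on this page

def build_auth_header(client_id: str, client_secret: str) -> dict:
    """Return the Authorization header for a clientId:clientSecret token."""
    for name, value in (("client_id", client_id), ("client_secret", client_secret)):
        # Empty values or whitespace/control characters yield a malformed header (401)
        if not value or re.search(r"[\s\x00-\x1f\x7f]", value):
            raise ValueError(f"{name} is empty or contains whitespace/control characters")
    if ":" in client_id:  # assumption: ':' is only the separator, never part of the ID
        raise ValueError("client_id must not contain ':'")
    return {"Authorization": f"{SCHEME} {client_id}:{client_secret}"}

def redact(headers: dict) -> dict:
    """Copy of headers that is safe to log: the secret half of the token is masked."""
    out = dict(headers)
    scheme, _, token = out.get("Authorization", "").partition(" ")
    if scheme == SCHEME and ":" in token:
        out["Authorization"] = f"{SCHEME} {token.split(':', 1)[0]}:***"
    return out

def diagnose(status: int, headers: dict) -> str:
    """Map an HTTP response to the rows of the auth error table."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    challenge = h.get("www-authenticate")
    if status == 401 and challenge:
        m = re.search(r'resource_metadata="([^"]+)"', challenge)
        where = f" (resource_metadata: {m.group(1)})" if m else ""
        return "oauth-required: start the OAuth flow or configure a static token" + where
    if status == 401:
        return "bad-header: Authorization header missing or malformed"
    if status == 403:
        return "forbidden: credential lacks permission; check API key permissions"
    return "ok" if status < 400 else f"unrelated: HTTP {status}"

if __name__ == "__main__":
    # Constructed sample values; real credentials belong in a secret store, not in source
    hdr = build_auth_header("example-id", "example-secret")
    print(redact(hdr))
    challenge = 'Bearer resource_metadata="https://mcp.example.invalid/.well-known/oauth-protected-resource"'
    print(diagnose(401, {"WWW-Authenticate": challenge}))
```

Because the token carries the same permissions as the portal account, log only the output of `redact` and keep the secret out of config files that are committed or shared.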