Authentication
Wire supports two authentication methods for MCP clients:
- OAuth 2.1 - Recommended for individual users and agents running on your computer
- API Keys - Recommended for headless agents and server-side automation
Using OAuth
Section titled “Using OAuth”Most MCP clients handle OAuth automatically. When you first connect, your browser will open to:
- Sign in to Wire (if not already authenticated)
- Review the requested permissions
- Approve access
After approval, the client stores your credentials and you won’t need to sign in again until the token expires.
Using API Keys
Section titled “Using API Keys”API keys can be passed to your MCP client via the x-api-key header or Authorization: Bearer header.
OAuth Technical Details
Section titled “OAuth Technical Details”This section is for developers building MCP clients.
Wire’s OAuth implementation conforms to OAuth 2.1 and the MCP Authorization specification. Key requirements:
- PKCE is mandatory (no client secrets)
- Uses authorization code flow only
- Follows RFC 8707 for resource indicators
Discovery
Section titled “Discovery”Fetch the OAuth configuration:
GET https://YOUR_ORG_SLUG.mcp.usewire.io/.well-known/oauth-authorization-serverAuthorization Request
Section titled “Authorization Request”GET /oauth/authorize? response_type=code& client_id=mcp-client& redirect_uri=...& scope=containers:read& code_challenge=...& code_challenge_method=S256Token Exchange
Section titled “Token Exchange”POST /oauth/tokenContent-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code=...&redirect_uri=...&code_verifier=...Security
Section titled “Security”- PKCE required - All OAuth flows must use Proof Key for Code Exchange (S256)
- JWT tokens - Access tokens are signed with EdDSA and contain user ID, email, name, session ID, and an audience claim scoped to the container
- Token lifetime - Access tokens expire after 7 days; refresh tokens last 90 days