Auth & scopes
How OAuth works for the MCP server, scopes granted, token lifecycle, revocation.
The AdCrunch MCP server is OAuth-protected. Your AI client (Claude Desktop,
Cursor, ChatGPT, …) goes through a standard OAuth 2.1 PKCE flow with
security.adcrunch.dev and receives a short-lived bearer token plus a refresh
token.
Scopes
- openid, profile, email: identifies your account.
- (more scopes will be added as MCP tool granularity grows; today the bearer token grants read access to everything in your active organization.)
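The PKCE step and scope request described above, as an added example (not AdCrunch's own code): a client derives an S256 code challenge per RFC 7636, builds the authorization request with the scopes listed here, and the server-side check shows why an authorization code is useless without the matching verifier. The endpoint path, client ID and redirect URI are placeholders, not values from this page.

```python
import base64, hashlib, hmac, re, secrets
from urllib.parse import urlencode

SCOPES = ("openid", "profile", "email")  # scopes listed on this page
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")  # RFC 7636 section 4.1

def _b64url(raw: bytes) -> str:
    # base64url without padding, as PKCE requires
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def new_code_verifier() -> str:
    # 32 random bytes encode to 43 unreserved characters
    return _b64url(secrets.token_bytes(32))

def s256_challenge(verifier: str) -> str:
    if not VERIFIER_RE.fullmatch(verifier):
        raise ValueError("code_verifier must be 43-128 unreserved characters")
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def build_authorization_url(endpoint, client_id, redirect_uri, challenge, state):
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(SCOPES),
        "state": state,                    # CSRF protection for the redirect
        "code_challenge": challenge,       # only the hash leaves the client
        "code_challenge_method": "S256",
    }
    return endpoint + "?" + urlencode(params)

def server_accepts(stored_challenge: str, presented_verifier: str) -> bool:
    # The check an authorization server performs at the token endpoint
    try:
        computed = s256_challenge(presented_verifier)
    except ValueError:
        return False
    return hmac.compare_digest(computed, stored_challenge)

def demo():
    verifier = new_code_verifier()
    challenge = s256_challenge(verifier)
    url = build_authorization_url(
        "https://security.adcrunch.dev/AUTHORIZE_PATH_PLACEHOLDER",  # placeholder path
        "example-client-id", "http://127.0.0.1:8765/callback",       # placeholders
        challenge, secrets.token_urlsafe(16))
    wrong_verifier_ok = server_accepts(challenge, new_code_verifier())
    return url, server_accepts(challenge, verifier), wrong_verifier_ok

if __name__ == "__main__":
    print(demo())
```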
Token lifecycle
(todo: TTL, refresh behavior, revocation flow from the console)
Revoking access
Console → Account → Connected apps. Revoke any AI client and the next tool
call from that client returns 401.