MCP Authentication & Security
How Koji MCP authenticates with OAuth 2.1 and PKCE. Covers the authorization flow, token lifecycle, security model, data privacy, and how to revoke access.
Authentication Overview
Koji MCP uses OAuth 2.1 with PKCE (Proof Key for Code Exchange) — the most secure standard for authorizing AI assistants. This is the same security model used by GitHub, Google, and other enterprise platforms.
There are no API keys to manage, no secrets in config files, and no credentials stored on your machine.
How the OAuth Flow Works
When you connect Koji to Claude (or any MCP client), here is what happens:
1. Discovery
The MCP client reads Koji's OAuth configuration from a well-known endpoint:
https://www.koji.so/.well-known/oauth-authorization-server
This tells the client where to send authorization requests, how to exchange tokens, and which security features are supported.
2. Dynamic Client Registration
The client registers itself automatically via RFC 7591:
POST https://www.koji.so/oauth/register
This creates a unique client_id for the connection. No manual registration needed.
3. Authorization Request
The client generates a PKCE code verifier and challenge, then opens your browser:
https://www.koji.so/oauth/authorize?
response_type=code
&client_id=...
&code_challenge=...
&code_challenge_method=S256
&redirect_uri=...
&scope=read:studies read:interviews read:account
4. User Consent
You see a consent screen on koji.so showing:
- Which application is requesting access
- What permissions (scopes) it is requesting
- Option to approve or deny
5. Token Exchange
After you approve, the client exchanges the authorization code for tokens:
- Access token — Valid for 1 hour, used for API requests
- Refresh token — Valid for 30 days, used to get new access tokens
6. Automatic Refresh
When the access token expires, the client automatically uses the refresh token to get a new pair. This happens transparently — you do not need to re-authorize.
Token Lifecycle
| Token Type | Lifetime | Purpose |
|---|---|---|
| Authorization Code | 10 minutes | One-time code exchanged for tokens |
| Access Token | 1 hour | Authenticates MCP requests |
| Refresh Token | 30 days | Generates new access tokens |
- Token rotation: Each refresh generates a new refresh token. The old one is invalidated.
- Revocation: Revoking any token invalidates the entire token pair.
- One-time use: Authorization codes can only be used once.
Security Model
What Koji MCP Can Access
| Data | Access Level |
|---|---|
| Your studies | Full read/write (owned studies only) |
| Your interviews | Full read (owned studies only) |
| Your transcripts | Full read (owned studies only) |
| Your account info | Read-only (plan, usage, features) |
| Your reports | Full read/write (owned studies only) |
| Study configuration | Full read/write (branding, lead forms, settings) |
| Other users' data | Never accessible |
| Billing/payment info | Never accessible |
| Password/credentials | Never accessible |
What Koji MCP Cannot Do
- Access other users' studies or data
- Read your password or authentication credentials
- Make payments or change your billing
- Access data from studies you do not own
- Share your data with other users
- Modify your account security settings
Data Privacy
- No training data: Your research data is never used to train AI models
- Scoped access: MCP only sees your studies, interviews, and account data
- Server-side validation: Every request is validated against your user ID on the server
- Anti-injection protection: All data returned from MCP includes integrity warnings to prevent prompt injection attacks
Revoking Access
You can disconnect Koji from Claude at any time:
From Koji
- Go to Koji Account Settings
- Find Connected Applications
- Click Revoke next to the connection
From Claude Desktop
- Open Settings then Integrations
- Find Koji
- Click Disconnect
Both methods immediately invalidate all tokens. You can reconnect at any time.
Technical Reference
OAuth Endpoints
| Endpoint | URL |
|---|---|
| Authorization Server Metadata | https://www.koji.so/.well-known/oauth-authorization-server |
| Protected Resource Metadata | https://www.koji.so/.well-known/oauth-protected-resource |
| Authorization | https://www.koji.so/oauth/authorize |
| Token | https://www.koji.so/oauth/token |
| Revocation | https://www.koji.so/oauth/revoke |
| Dynamic Registration | https://www.koji.so/oauth/register |
Supported Standards
- OAuth 2.1
- PKCE (RFC 7636)
- Authorization Server Discovery (RFC 8414)
- Dynamic Client Registration (RFC 7591)
- Token Revocation (RFC 7009)
MCP Transport
- Protocol: Streamable HTTP (Server-Sent Events)
- Endpoint:
https://www.koji.so/api/mcp/sse - Authentication: Bearer token in Authorization header
Related Documentation
- MCP Setup Guide — Connect Koji to Claude step by step
- MCP Overview — Full integration overview
- Tool Reference — All 15 MCP tools documented
- API Authentication — REST API authentication (separate from MCP)
Related Articles
API Authentication
Learn how to authenticate with the Koji API using API keys and Bearer tokens.
Koji MCP Integration Overview
Connect Koji to Claude, Cursor, and other AI assistants using the Model Context Protocol (MCP). Manage your entire research workflow conversationally — create studies, run interviews, analyze data, and generate reports without leaving your AI assistant.
Connect Koji to Claude (Setup Guide)
Step-by-step guide to connect your Koji account to Claude Desktop, Claude.ai, Cursor, and other MCP clients. Takes under 2 minutes with OAuth — no API keys required.
Connect Koji to Cursor: MCP Setup Guide for Product Engineers
Wire the Koji MCP server into Cursor so the editor can pull live customer interview insights, themes, and quality scores while you ship features. Five-minute setup, fifteen tools.
MCP Tool Reference
Complete reference for all 17 Koji MCP tools. Includes parameters, return data, plan requirements, and example prompts for each tool across read, create, analyze, customize, and distribute categories.
MCP Workflow Guide for Product Managers
End-to-end guide for product managers using Koji MCP with Claude to automate customer discovery, validate hypotheses, and generate stakeholder-ready research reports — all from a single conversation.