
OAuth 2.1 for AI Agents — How Storylayer Handles Claude.ai and ChatGPT Connectors

Hosted MCP clients like Claude.ai and ChatGPT use OAuth 2.1 with Dynamic Client Registration to connect to Storylayer — no API key paste required.

Storylayer Team · 6 min read

Pasting API keys into AI chat interfaces is fragile and insecure. Storylayer supports OAuth 2.1 with Dynamic Client Registration (DCR) so hosted MCP clients like Claude.ai and ChatGPT can connect through a proper consent flow — the same pattern enterprise SaaS uses for third-party integrations.


Two auth paths, one MCP server

| Client type | Examples | Auth method |
|---|---|---|
| Hosted | Claude.ai, ChatGPT custom GPTs | OAuth 2.1 + PKCE (automatic) |
| Local | Claude Desktop, Cursor, MCP Inspector | Bearer sl_pat_... token |

Both hit the same endpoint: https://app.storylayer.ai/api/mcp


How hosted discovery works

  1. You paste https://app.storylayer.ai/api/mcp into Claude.ai or ChatGPT
  2. The client fetches /.well-known/oauth-protected-resource (RFC 9728)
  3. It discovers our authorization server at /.well-known/oauth-authorization-server (RFC 8414)
  4. It registers itself via POST /oauth/register (RFC 7591)
  5. You're redirected to Storylayer's consent screen at /oauth/authorize
  6. You approve scopes; the client receives an OAuth access token (sl_oat_...)

No token paste. Revoke anytime at Dashboard → Developers → Authorized apps.


Scopes

Tokens are scope-locked. Common scopes:

  • stories:read / stories:write / stories:publish
  • media:read / media:write
  • connections:read
  • webhooks:read / webhooks:write

The consent screen shows exactly what the client requested.


Discovery documents

Agents and registries can find our auth configuration automatically:

https://app.storylayer.ai/.well-known/oauth-protected-resource
https://app.storylayer.ai/.well-known/oauth-authorization-server
https://app.storylayer.ai/.well-known/ai-catalog.json
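
The checks a client can run on the first two documents (steps 2 to 4 of the hosted discovery flow) before it registers, as an added example that is not Storylayer's or any MCP client's own code. The sample documents are constructed: the field names come from RFC 9728 and RFC 8414, while the field values and the `/oauth/token` path are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample documents (not Storylayer's real responses). Field names
# follow RFC 9728 / RFC 8414; values, including /oauth/token, are assumptions.
MCP_URL = "https://app.storylayer.ai/api/mcp"
SAMPLE_PRM = {
    "resource": "https://app.storylayer.ai/api/mcp",
    "authorization_servers": ["https://app.storylayer.ai"],
}
SAMPLE_ASM = {
    "issuer": "https://app.storylayer.ai",
    "authorization_endpoint": "https://app.storylayer.ai/oauth/authorize",
    "token_endpoint": "https://app.storylayer.ai/oauth/token",
    "registration_endpoint": "https://app.storylayer.ai/oauth/register",
    "code_challenge_methods_supported": ["S256"],
}
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "registration_endpoint")


def _is_https(url):
    parts = urlsplit(url or "")
    return parts.scheme == "https" and bool(parts.hostname)


def check_discovery(mcp_url, prm, asm):
    """Return reasons to refuse the connection (empty list means OK)."""
    problems = []
    # The protected-resource metadata must name the resource we are
    # connecting to; otherwise another server could vouch for it.
    if prm.get("resource") != mcp_url:
        problems.append("resource mismatch")
    issuers = prm.get("authorization_servers") or []
    if not issuers:
        problems.append("no authorization server listed")
    # RFC 8414: the issuer inside the metadata must equal the issuer
    # identifier the metadata URL was built from.
    if asm.get("issuer") not in issuers:
        problems.append("issuer mismatch")
    # Codes, tokens and registrations must never travel over plain HTTP.
    for name in ENDPOINTS:
        if not _is_https(asm.get(name)):
            problems.append(f"{name} missing or not https")
    # OAuth 2.1 requires PKCE; refuse servers that do not advertise S256.
    if "S256" not in (asm.get("code_challenge_methods_supported") or []):
        problems.append("PKCE S256 not advertised")
    return problems
```

An empty list means the client can proceed to `POST /oauth/register`; any entry is a reason to stop before sending the user to a consent screen.
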

Local clients still use PATs

Claude Desktop and Cursor can't run a browser OAuth flow inline, so they use Personal Access Tokens (sl_pat_...) generated in Dashboard → Developers.

Pin mcp-remote@0.1.17 and put the bearer token in an env var — see MCP docs for the exact config snippet.


Security properties

  • Tokens are scoped — a client can only do what you authorized
  • OAuth tokens rotate; PATs can be revoked instantly
  • MCP calls are logged in Dashboard → Developers → Request log
  • Publishing still respects queue/approval settings — OAuth doesn't bypass your workflow rules

Full OAuth reference: storylayer.ai/docs/oauth
