MCP client discovers NEUS MCP → GET /.well-known/oauth-protected-resource → GET /.well-known/oauth-authorization-server → GET /oauth/authorize (validates OAuth params; redirects to hosted login if needed) → User authenticates on neus.network (passkey, wallet, or Google/Microsoft) → Browser returns to /oauth/authorize with session; backend issues auth code → Redirect to client callback with code → POST /api/v1/auth/mcp/token (exchange code for access token) → Client uses Bearer token on MCP requests
/oauth/authorize validates OAuth parameters. Without a session it redirects to https://neus.network/verify?intent=login&returnTo=/oauth/authorize?.... After login it issues a single-use code (10-minute TTL) and redirects to redirect_uri.Token exchange and revocation are public OAuth endpoints on neus.network.
POST https://neus.network/api/v1/auth/mcp/tokenContent-Type: application/x-www-form-urlencodedgrant_type=authorization_codecode=AUTH_CODEredirect_uri=http://127.0.0.1:PORT/callbackclient_id=neus-clicode_verifier=ORIGINAL_CODE_VERIFIERresource=https://mcp.neus.network/mcp
POST https://neus.network/api/v1/auth/mcp/tokenContent-Type: application/x-www-form-urlencodedgrant_type=refresh_tokenrefresh_token=rt_...client_id=neus-cliresource=https://mcp.neus.network/mcp
Refresh tokens rotate on each use. Include offline_access in the initial scope to receive one.
OAuth access tokens are valid only when aud is https://mcp.neus.network/mcp, iss is https://neus.network, token_use is mcp_access, and the token is not expired or revoked.
POST https://neus.network/api/v1/auth/mcp/revokeContent-Type: application/x-www-form-urlencodedtoken=eyJ...token_type_hint=access_tokenclient_id=neus-cli
Revoking an access token also invalidates all associated refresh tokens.
NEUS SDK CLI (neus auth) — loopback redirect on 127.0.0.1
Hosted MCP clients (Cursor, VS Code, Claude Code, OpenAI) should use a URL-only MCP config. The host discovers OAuth metadata at /.well-known/mcp.json and runs its own DCR + PKCE + silent refresh lifecycle. Use the NEUS SDK CLI (neus setup) to generate the correct config.