When to use
Use Portkey’s OAuth when:- Building browser-based applications where users authenticate interactively
- Using MCP clients like Claude Desktop or Cursor without API keys
- User-level attribution without managing API keys
- Quick setup without configuring an external IdP
How it works
Configuration
Portkey’s OAuth is enabled by default. No configuration required. When a request arrives without an API key or bearer token, Portkey automatically initiates the OAuth flow.Client integration
Browser applications
For browser-based apps, redirect users to the authorization endpoint:MCP clients
MCP clients like Claude Desktop and Cursor handle OAuth automatically. Configuring a server URL without an API key triggers the OAuth flow when needed.Token management
Portkey handles token lifecycle:- Access tokens: Short-lived, used for MCP requests
- Refresh tokens: Long-lived, used to obtain new access tokens
- Automatic refresh: Tokens refreshed transparently before expiration
Scopes
Combining with external OAuth
Portkey’s OAuth works alongside external OAuth. Portkey determines the authentication method based on what’s in the request:Security considerations
- OAuth 2.1 with PKCE prevents authorization code interception
- Tokens are scoped to specific workspaces
- Refresh tokens can be revoked instantly
- All token operations are logged

