[{"data":1,"prerenderedAt":444},["ShallowReactive",2],{"docs-\u002Fdocs\u002Fmcp\u002Fauthentication":3,"docs-navigation":358,"docs-surround-\u002Fdocs\u002Fmcp\u002Fauthentication":441},{"id":4,"title":5,"body":6,"description":349,"extension":350,"icon":351,"meta":352,"navigation":353,"path":354,"seo":355,"stem":356,"__hash__":357},"docs\u002Fdocs\u002F2.mcp\u002F3.authentication.md","Authentication",{"type":7,"value":8,"toc":338},"minimark",[9,13,22,27,55,64,68,86,93,97,100,161,164,168,187,224,233,237,272,275,279,301,305],[10,11,5],"h1",{"id":12},"authentication",[14,15,16,17,21],"p",{},"The Hostsmith MCP server authenticates exclusively via ",[18,19,20],"strong",{},"OAuth 2.0",". There are no static API tokens, and you never paste a secret into your client config.",[23,24,26],"h2",{"id":25},"why-oauth-only","Why OAuth-only",[28,29,30,37,43,49],"ul",{},[31,32,33,36],"li",{},[18,34,35],{},"Per-user consent."," The user explicitly approves the scopes the agent gets - no shared admin keys.",[31,38,39,42],{},[18,40,41],{},"Short-lived credentials."," Access tokens last 1 hour; the client refreshes silently.",[31,44,45,48],{},[18,46,47],{},"Revocable."," You can disconnect from your Hostsmith account at any time without rotating any other credential.",[31,50,51,54],{},[18,52,53],{},"No leakage in logs."," Bearer tokens never appear in MCP config files, repo history, or terminal output.",[14,56,57,58,63],{},"If you need a non-interactive integration (CI, backend service), use the ",[59,60,62],"a",{"href":61},"\u002Fdocs\u002Fdevelopers\u002Fauthentication","REST API"," directly with OAuth-issued tokens. The MCP server is designed for agent + human-in-the-loop flows.",[23,65,67],{"id":66},"what-happens-on-first-use","What happens on first use",[69,70,71,74,77,80,83],"ol",{},[31,72,73],{},"Your MCP client connects to the Hostsmith server (stdio, remote URL, or local HTTP).",[31,75,76],{},"On the first tool call, the server redirects your browser to Hostsmith.",[31,78,79],{},"You sign in, review the requested scopes, and approve.",[31,81,82],{},"The server stores a short-lived access token plus a refresh token in your client's local credential store.",[31,84,85],{},"Subsequent tool calls use the cached token. The client refreshes silently when it expires.",[14,87,88,89,92],{},"The OAuth flow itself is the same Authorization Code + PKCE flow used by the REST API - the ",[59,90,91],{"href":61},"Developers › Authentication"," page documents it in detail.",[23,94,96],{"id":95},"scopes","Scopes",[14,98,99],{},"The MCP server requests the scopes it needs to expose its full tool surface:",[101,102,103,116],"table",{},[104,105,106],"thead",{},[107,108,109,113],"tr",{},[110,111,112],"th",{},"Scope",[110,114,115],{},"What it allows",[117,118,119,131,141,151],"tbody",{},[107,120,121,128],{},[122,123,124],"td",{},[125,126,127],"code",{},"sites:read",[122,129,130],{},"List and inspect sites",[107,132,133,138],{},[122,134,135],{},[125,136,137],{},"sites:write",[122,139,140],{},"Create, update, and delete sites",[107,142,143,148],{},[122,144,145],{},[125,146,147],{},"domains:read",[122,149,150],{},"List shared and custom domains",[107,152,153,158],{},[122,154,155],{},[125,156,157],{},"files:write",[122,159,160],{},"Upload and replace site files",[14,162,163],{},"You see and approve these on the consent screen. Approval is per-user, not per-machine - if you authorize once, the same Hostsmith account is reachable from every client where you connect the MCP server.",[23,165,167],{"id":166},"data-partition-selection","Data partition selection",[14,169,170,171,174,175,178,179,182,183,186],{},"Hostsmith stores user data in regional ",[18,172,173],{},"data partitions"," (",[125,176,177],{},"us",", ",[125,180,181],{},"eu","). Every MCP tool that touches partition-scoped data accepts an optional ",[125,184,185],{},"partition"," argument:",[28,188,189,195,208],{},[31,190,191,194],{},[18,192,193],{},"Omit it"," and the server uses your access token's home partition (set when you first signed up).",[31,196,197,207],{},[18,198,199,200,203,204],{},"Pass ",[125,201,202],{},"partition: \"us\""," or ",[125,205,206],{},"partition: \"eu\""," to target a specific one.",[31,209,210,211,178,214,178,217,220,221,223],{},"A few tools (",[125,212,213],{},"list_sites",[125,215,216],{},"list_domains",[125,218,219],{},"get_account",") query both partitions in parallel and merge the results when you omit ",[125,222,185],{},".",[14,225,226,228,229,232],{},[125,227,219],{}," returns your home partition under ",[125,230,231],{},"user.homePartition",", so an agent can confirm where new sites land by default.",[23,234,236],{"id":235},"revoking-access","Revoking access",[28,238,239,245,259],{},[31,240,241,244],{},[18,242,243],{},"Claude Desktop:"," Settings → Connectors → remove the Hostsmith connector.",[31,246,247,250,251,254,255,258],{},[18,248,249],{},"Stdio clients:"," delete the cached credentials at the path your client reports (typically ",[125,252,253],{},"~\u002F.config\u002F\u003Cclient>\u002F\u003Cserver>\u002Foauth.json",") and remove the ",[125,256,257],{},"hostsmith"," entry from the MCP config.",[31,260,261,264,265,271],{},[18,262,263],{},"From your Hostsmith account:"," sign in to ",[59,266,270],{"href":267,"rel":268},"https:\u002F\u002Fhostsmith.net",[269],"nofollow","hostsmith.net"," and revoke the OAuth client from your account settings. This invalidates every token issued to that client across every machine.",[14,273,274],{},"After revocation the next tool call returns 401 and your client opens the consent flow again.",[23,276,278],{"id":277},"token-rotation-and-ttls","Token rotation and TTLs",[28,280,281,287,294],{},[31,282,283,284,223],{},"Access tokens expire after ",[18,285,286],{},"1 hour",[31,288,289,290,293],{},"Refresh tokens are valid for ",[18,291,292],{},"90 days"," from the original authorization. After 90 days of inactivity, you re-authorize through the consent flow.",[31,295,296,297,300],{},"Refresh tokens ",[18,298,299],{},"rotate",": each refresh issues a new refresh token and invalidates the old one. Your MCP client handles this automatically.",[23,302,304],{"id":303},"common-issues","Common issues",[28,306,307,313,329],{},[31,308,309,312],{},[18,310,311],{},"\"Tool calls return 401.\""," The session expired. Reconnect or re-add the server in your client to re-authorize.",[31,314,315,318,319,321,322,324,325,328],{},[18,316,317],{},"\"My agent created a site in the wrong partition.\""," Pass ",[125,320,185],{}," explicitly or call ",[125,323,219],{}," first to confirm ",[125,326,327],{},"homePartition"," before creating.",[31,330,331,334,335,337],{},[18,332,333],{},"\"I want to switch the home partition.\""," Home partition is set at sign-up and is not user-changeable today. Pass ",[125,336,185],{}," per-call instead.",{"title":339,"searchDepth":340,"depth":340,"links":341},"",2,[342,343,344,345,346,347,348],{"id":25,"depth":340,"text":26},{"id":66,"depth":340,"text":67},{"id":95,"depth":340,"text":96},{"id":166,"depth":340,"text":167},{"id":235,"depth":340,"text":236},{"id":277,"depth":340,"text":278},{"id":303,"depth":340,"text":304},"How the Hostsmith MCP server authenticates - OAuth 2.0, scopes, data partitions, and revocation.","md","solar:lock-keyhole-bold",{},null,"\u002Fdocs\u002Fmcp\u002Fauthentication",{"title":5,"description":349},"docs\u002F2.mcp\u002F3.authentication","HLW2S2AwspqV4AkqWSYLJOV9HaTgAoGsZnoQPR_jDcI",[359],{"title":360,"path":361,"stem":362,"children":363,"page":440},"Docs","\u002Fdocs","docs",[364,391,423],{"title":365,"path":366,"stem":367,"children":368,"page":-1,"icon":370},"Getting Started","\u002Fdocs\u002Fgetting-started","docs\u002F1.getting-started\u002Findex",[369,371,375,379,383,387],{"title":365,"path":366,"stem":367,"icon":370},"solar:rocket-bold",{"title":372,"path":373,"stem":374},"Introduction","\u002Fdocs\u002Fgetting-started\u002Fintroduction","docs\u002F1.getting-started\u002F1.introduction",{"title":376,"path":377,"stem":378},"Quick Start","\u002Fdocs\u002Fgetting-started\u002Fquick-start","docs\u002F1.getting-started\u002F2.quick-start",{"title":380,"path":381,"stem":382},"Sites","\u002Fdocs\u002Fgetting-started\u002Fsites","docs\u002F1.getting-started\u002F3.sites",{"title":384,"path":385,"stem":386},"Custom Domains","\u002Fdocs\u002Fgetting-started\u002Fcustom-domains","docs\u002F1.getting-started\u002F4.custom-domains",{"title":388,"path":389,"stem":390},"Support","\u002Fdocs\u002Fgetting-started\u002Fsupport","docs\u002F1.getting-started\u002F5.support",{"title":392,"path":393,"stem":394,"children":395,"page":-1,"icon":397},"MCP","\u002Fdocs\u002Fmcp","docs\u002F2.mcp\u002Findex",[396,398,402,406,407,411,415,419],{"title":392,"path":393,"stem":394,"icon":397},"solar:plug-circle-bold",{"title":399,"path":400,"stem":401},"Quick start","\u002Fdocs\u002Fmcp\u002Fquick-start","docs\u002F2.mcp\u002F1.quick-start",{"title":403,"path":404,"stem":405},"Clients","\u002Fdocs\u002Fmcp\u002Fclients","docs\u002F2.mcp\u002F2.clients",{"title":5,"path":354,"stem":356},{"title":408,"path":409,"stem":410},"Tools","\u002Fdocs\u002Fmcp\u002Ftools","docs\u002F2.mcp\u002F4.tools",{"title":412,"path":413,"stem":414},"Recipes","\u002Fdocs\u002Fmcp\u002Frecipes","docs\u002F2.mcp\u002F5.recipes",{"title":416,"path":417,"stem":418},"Limits and errors","\u002Fdocs\u002Fmcp\u002Flimits-and-errors","docs\u002F2.mcp\u002F6.limits-and-errors",{"title":420,"path":421,"stem":422},"FAQ","\u002Fdocs\u002Fmcp\u002Ffaq","docs\u002F2.mcp\u002F7.faq",{"title":424,"path":425,"stem":426,"children":427,"page":-1,"icon":429},"Developers","\u002Fdocs\u002Fdevelopers","docs\u002F3.developers\u002Findex",[428,430,432,436],{"title":424,"path":425,"stem":426,"icon":429},"solar:code-bold",{"title":5,"path":61,"stem":431},"docs\u002F3.developers\u002F1.authentication",{"title":433,"path":434,"stem":435},"API Explorer","\u002Fdocs\u002Fdevelopers\u002Fapi-explorer","docs\u002F3.developers\u002F2.api-explorer",{"title":437,"path":438,"stem":439},"Node.js SDK","\u002Fdocs\u002Fdevelopers\u002Fsdk","docs\u002F3.developers\u002F3.sdk",false,[442,443],{"title":403,"path":404,"stem":405,"children":-1},{"title":408,"path":409,"stem":410,"children":-1},1778091982003]