MCP Server

Authentication

How OBI's MCP server authenticates users via OAuth 2.0 and Supabase.

Authentication

OBI's MCP server uses OAuth 2.0 for secure authentication, powered by Supabase.

Overview

When an MCP client (like Claude Desktop) connects to OBI, it:

Discovers auth requirements via the /manifest endpoint
Redirects you to sign in at app.heyobi.com
Receives a JWT token after successful authentication
Includes the token in all subsequent requests

Your data is protected by Row-Level Security (RLS) - you can only access properties you own or have been granted access to.

OAuth 2.0 Flow

┌─────────────────┐     ┌─────────────────┐     ┌─────────────────┐
│   MCP Client    │     │   OBI Server    │     │    Supabase     │
│ (Claude Desktop)│     │ mcp.heyobi.com  │     │   Auth Server   │
└────────┬────────┘     └────────┬────────┘     └────────┬────────┘
         │                       │                       │
         │  1. GET /manifest     │                       │
         │──────────────────────>│                       │
         │                       │                       │
         │  2. Auth URLs         │                       │
         │<──────────────────────│                       │
         │                       │                       │
         │  3. Redirect to login │                       │
         │──────────────────────────────────────────────>│
         │                       │                       │
         │  4. User signs in     │                       │
         │                       │                       │
         │  5. JWT token         │                       │
         │<──────────────────────────────────────────────│
         │                       │                       │
         │  6. API calls with    │                       │
         │     Bearer token      │                       │
         │──────────────────────>│                       │
         │                       │  7. Validate token    │
         │                       │──────────────────────>│
         │                       │                       │
         │  8. Response          │                       │
         │<──────────────────────│                       │
         │                       │                       │

OAuth Endpoints

Endpoint	URL
Authorization	`https://app.heyobi.com/oauth/authorize`
Token	`https://oktnratupvznraxkclus.supabase.co/auth/v1/token`
Scopes	`openid`, `email`, `profile`

Token Format

OBI uses Supabase JWT tokens:

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

Tokens contain:

User ID (for RLS policies)
Email address
Expiration time

Request Authentication

All tool calls require a valid Bearer token:

{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "tools/call",
  "params": {
    "name": "list_properties",
    "arguments": {}
  }
}

With header:

Authorization: Bearer <your_jwt_token>
Content-Type: application/json

Row-Level Security

Your token determines what data you can access:

Your properties - Properties you created
Shared properties - Properties others have shared with you
Your items - Inventory in properties you can access

Attempting to access unauthorized properties returns an error:

{
  "error": "Property not found or access denied"
}

Error Responses

Missing Authentication

{
  "statusCode": 401,
  "statusMessage": "Unauthorized",
  "data": {
    "error": "Missing or invalid Authorization header"
  }
}

Expired Token

{
  "statusCode": 401,
  "statusMessage": "Unauthorized",
  "data": {
    "error": "Invalid or expired token"
  }
}

Token Refresh

MCP clients handle token refresh automatically. If your session expires:

The server returns a 401 Unauthorized response
Your client initiates a new OAuth flow
You may need to re-authenticate

For a seamless experience, keep your OBI session active at app.heyobi.com.

Security Best Practices

Never share tokens - Tokens grant access to your property data
Use HTTPS only - All requests must use https://mcp.heyobi.com
Sign out when done - End sessions on shared computers
Review access - Check which properties are shared with you

Next Steps

Configure your client - Set up Claude Desktop
Explore tools - Start using OBI

Edit this pageorReport an issue

Setup

Configure OBI's MCP server in Claude Desktop and other MCP-compatible clients.

list_properties

List all properties the authenticated user has access to in OBI.