What happens when you connect
Registration and consent
The host registers itself via DCR; your browser opens to
https://complyhat.ai/oauth/consent. Sign in, pick an organization, approve.
Scopes
Hosts request the OIDC standard set: openid email. That is the only set the authorization server (Supabase Auth OAuth Server) issues today, and it is what /.well-known/oauth-protected-resource advertises:
organization_id from their token’s sub claim and filters all data reads and writes through that org context. The same boundary the web dashboard uses applies to MCP; there is no second authorization layer to configure.
If you’ve seen older docs referencing fine-grained scopes like wiki:write or models:read, those were planned for a future Custom Access Token Hook and are not currently issued by Supabase OAuth Server. They will reappear here only if and when that hook is enabled.
When auth fails
A request without a valid bearer token returns 401 Unauthorized with a WWW-Authenticate header per RFC 6750:
resource_metadata, run discovery, and re-authenticate without further intervention.
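As an added example (not ComplyHat's own code), the gate below shows what the org scoping in the Scopes section and the challenge in this section imply for a resource server: a bearer token is verified, the caller's organization is looked up from its sub claim, and any failure returns the RFC 6750 challenge carrying the resource_metadata hint; parse_challenge is the host-side counterpart that reads that hint to start discovery. Assumptions: HS256 with a shared secret (the real signing algorithm is not stated on the page), the org_of_user lookup, and mint_token, which exists only to build test tokens offline.

```python
import base64, hashlib, hmac, json, re, time

# URL the 401 challenge points at; the page names this well-known path on complyhat.ai.
RESOURCE_METADATA_URL = "https://complyhat.ai/.well-known/oauth-protected-resource"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def mint_token(claims: dict, key: bytes) -> str:
    """Constructed test fixture: the real tokens come from the authorization server."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_token(token: str, key: bytes):
    """Claims if `token` is an unexpired HS256 JWT under `key`, else None (HS256 is an assumption)."""
    try:
        head, body, sig = token.split(".")
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        if json.loads(_b64url_decode(head)).get("alg") != "HS256":
            return None  # pin the algorithm; never let the token choose it
        claims = json.loads(_b64url_decode(body))
    except ValueError:  # wrong segment count, bad base64, or bad JSON
        return None
    return claims if claims.get("exp", 0) > time.time() else None

def unauthorized():
    # RFC 6750 Bearer challenge with the RFC 9728 resource_metadata hint for unattended recovery.
    return 401, {"WWW-Authenticate": f'Bearer resource_metadata="{RESOURCE_METADATA_URL}"'}, None

def handle(headers: dict, key: bytes, org_of_user: dict):
    """Gate one request: returns (status, response headers, org context for the data layer).
    `org_of_user` is an assumed sub -> organization_id lookup; the page only says the org comes from sub."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return unauthorized()
    claims = verify_token(auth[len("Bearer "):], key)
    if claims is None or claims.get("sub") not in org_of_user:
        return unauthorized()  # unknown subject gets no org context, hence no data
    return 200, {}, {"organization_id": org_of_user[claims["sub"]]}

def parse_challenge(www_authenticate: str):
    """Host side: pull resource_metadata out of the challenge to start discovery."""
    match = re.search(r'resource_metadata="([^"]+)"', www_authenticate)
    return match.group(1) if match else None
```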