ComplyHat authenticates every request with OAuth 2.1. You never create an OAuth app or manage client credentials by hand — your MCP host registers itself automatically using Dynamic Client Registration (RFC 7591), and you only see the consent screen where you sign in and approve access.
How the flow works
When you make your first ComplyHat tool call, your host runs through this sequence before returning results:

1. Your host discovers the authorization server
The host fetches https://complyhat.ai/.well-known/oauth-protected-resource (RFC 9728) to learn which authorization server protects ComplyHat and which scopes it accepts.

2. Your host fetches authorization server metadata
The discovery document points to Supabase Auth. Your host fetches /.well-known/oauth-authorization-server on the Supabase domain to find the registration, authorization, and token endpoints.

3. Your host registers itself
The host POSTs to the registration endpoint and receives a client_id. This is Dynamic Client Registration — there is no portal where you create an OAuth app by hand. Each MCP host registers itself the first time.

4. You complete the consent screen
Your host opens a browser to https://complyhat.ai/oauth/consent. You sign in if you haven't already, select your organization, and approve the requested scopes. This is the only step that requires your attention.

5. Your host exchanges the code and calls ComplyHat
The host exchanges the authorization code for a bearer access token, then calls https://complyhat.ai/api/mcp with Authorization: Bearer <token>. ComplyHat verifies the token's signature, issuer, audience, and client_id on every request. Subsequent calls reuse the same token until it expires, at which point the host refreshes it silently.

Supported scopes
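The five steps above, worked through as an added example that is not ComplyHat's or any MCP host's own code. The Protected Resource Metadata and authorization server metadata documents are constructed stand-ins for what the live endpoints return, the authorization server origin (auth.complyhat.example) and the scope subset in them are assumptions, and no network calls are made: the functions produce the request bodies and URLs a host would send at each step, including the PKCE pair that OAuth 2.1 makes mandatory.

```python
"""Added example: discovery, Dynamic Client Registration and PKCE for a first
ComplyHat tool call. Sample metadata documents are constructed; the AS origin
and scope list are assumptions, not values taken from the live service."""
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlencode

RESOURCE = "https://complyhat.ai/api/mcp"
AS_ORIGIN = "https://auth.complyhat.example"  # assumed; the real AS is Supabase Auth

# Constructed stand-in for the RFC 9728 document at /.well-known/oauth-protected-resource
PRM_DOC = json.dumps({
    "resource": RESOURCE,
    "authorization_servers": [AS_ORIGIN],
    "scopes_supported": ["mcp", "models:read", "models:write", "audit:read"],
    "bearer_methods_supported": ["header"],
})

# Constructed stand-in for the AS's /.well-known/oauth-authorization-server document
AS_DOC = json.dumps({
    "issuer": AS_ORIGIN,
    "authorization_endpoint": AS_ORIGIN + "/oauth/authorize",
    "token_endpoint": AS_ORIGIN + "/oauth/token",
    "registration_endpoint": AS_ORIGIN + "/oauth/register",
    "code_challenge_methods_supported": ["S256"],
})


def discover(prm_json: str, as_json: str) -> dict:
    """Steps 1 and 2: parse the PRM document, then the AS metadata it points to.
    Refuses to continue if the issuer is not one the resource actually listed,
    if a needed endpoint is missing, or if PKCE S256 is not offered."""
    prm, meta = json.loads(prm_json), json.loads(as_json)
    if meta["issuer"] not in prm["authorization_servers"]:
        raise ValueError("AS metadata issuer is not listed by the resource")
    for key in ("authorization_endpoint", "token_endpoint", "registration_endpoint"):
        if key not in meta:
            raise ValueError(f"authorization server metadata lacks {key}")
    if "S256" not in meta.get("code_challenge_methods_supported", []):
        raise ValueError("authorization server does not support PKCE S256")
    return {"resource": prm["resource"], "scopes": prm["scopes_supported"], "as": meta}


def registration_request(redirect_uri: str, client_name: str) -> dict:
    """Step 3: body of the RFC 7591 POST. A host on a workstation cannot keep a
    secret, so it registers as a public client and relies on PKCE instead."""
    return {
        "client_name": client_name,
        "redirect_uris": [redirect_uri],
        "grant_types": ["authorization_code", "refresh_token"],
        "response_types": ["code"],
        "token_endpoint_auth_method": "none",
    }


def pkce_pair() -> tuple:
    """RFC 7636 verifier (kept by the host) and S256 challenge (sent to the AS)."""
    verifier = secrets.token_urlsafe(64)  # 86 chars, within the 43..128 limit
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_code_challenge(verifier: str, challenge: str) -> bool:
    """What the AS checks at token exchange: S256(verifier) == challenge."""
    _, expected = verifier, pkce_pair  # placeholder to keep names readable
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    expected = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return hmac.compare_digest(expected, challenge)


def authorization_url(meta: dict, client_id: str, redirect_uri: str,
                      scopes: list, resource: str, challenge: str, state: str) -> str:
    """Step 4: URL the host opens in the browser. The RFC 8707 `resource`
    parameter binds the token's audience to /api/mcp so it cannot be
    presented to a different resource server."""
    params = {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": " ".join(scopes), "state": state, "code_challenge": challenge,
        "code_challenge_method": "S256", "resource": resource,
    }
    return meta["authorization_endpoint"] + "?" + urlencode(params)


def token_request(client_id: str, code: str, redirect_uri: str,
                  verifier: str, resource: str) -> dict:
    """Step 5a: form body POSTed to token_endpoint; the verifier proves the
    same host that opened the browser is the one redeeming the code."""
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
            "client_id": client_id, "code_verifier": verifier, "resource": resource}


def bearer_header(access_token: str) -> dict:
    """Step 5b: header on every subsequent call to /api/mcp."""
    return {"Authorization": f"Bearer {access_token}"}
```

The issuer check in discover is the step most hosts skip: an attacker who can alter the AS metadata document, but not the PRM document served from complyhat.ai, would otherwise be able to point the host at endpoints of their choosing.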
ComplyHat advertises the following scopes in its Protected Resource Metadata document. Your host requests the subset it needs; ComplyHat enforces the scope on every tool call.

| Scope | What it grants |
|---|---|
| mcp | Catch-all scope required by some hosts that don't parse fine-grained scopes. |
| models:read | List and inspect registered models. |
| models:write | Register and update models. |
| bias-test:read | List bias tests, schedules, and results. |
| bias-test:write | Run bias tests and create schedules. |
| drift:read | Read drift monitors, snapshots, and alerts. |
| drift:write | Create monitors and submit snapshots. |
| adversarial:read | List and inspect adversarial findings. |
| adversarial:write | Submit adversarial findings. |
| explainability:read | List explainability runs and read results. |
| explainability:write | Trigger explainability runs. |
| audit:read | Read the audit event log. |
| audit:write | Emit audit events. |
| kg:read | Read the per-tenant compliance wiki. |
| kg:write | Write to the per-tenant compliance wiki. |
| frameworks:read | Read framework status, gaps, and obligations. |
What a 401 error looks like
If a request to /api/mcp is missing a bearer token or carries an invalid one, ComplyHat returns 401 Unauthorized with a WWW-Authenticate header per RFC 6750:
resource_metadata URL, re-discover the authorization server, and re-run the flow above without any action from you.
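The resource-server side of the flow, covering both the per-call checks listed in step 5 (signature, issuer, audience, client_id, expiry) and the scope enforcement described under "Supported scopes", as an added example that is not ComplyHat's code. Signature verification uses HS256 with a constructed key so the example runs offline; the real algorithm and key distribution depend on the authorization server and are not stated on this page. The issuer value, the tool-to-scope mapping and the 403 insufficient_scope answer for a token that is valid but lacks the needed scope (the RFC 6750 convention, not something this page documents) are likewise assumptions.

```python
"""Added example: bearer-token verification and scope enforcement for a
/api/mcp call. Constructed signing key, assumed issuer and assumed
tool -> scope mapping; not ComplyHat's implementation."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

ISSUER = "https://auth.complyhat.example"               # assumed AS issuer
AUDIENCE = "https://complyhat.ai/api/mcp"
PRM_URL = "https://complyhat.ai/.well-known/oauth-protected-resource"
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"  # constructed for the example

# Assumed mapping from tool name to the scope it needs, built from the scope table.
TOOL_SCOPES = {
    "list_models": "models:read",
    "register_model": "models:write",
    "run_bias_test": "bias-test:write",
    "read_audit_log": "audit:read",
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Constructed HS256 access token standing in for what the AS would issue."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "at+jwt"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def _challenge(error: Optional[str], description: str = "") -> str:
    """WWW-Authenticate value: always points at the PRM document (RFC 9728),
    so a host can re-discover the AS; error fields only when a token was sent."""
    parts = [f'resource_metadata="{PRM_URL}"']
    if error:
        parts += [f'error="{error}"', f'error_description="{description}"']
    return "Bearer " + ", ".join(parts)


def decode_and_verify(token: str, now: Optional[float] = None) -> dict:
    """Signature, issuer, audience, client_id and expiry checks.
    Raises ValueError("invalid_token") on any failure; the reason is logged
    server-side, never echoed to the caller."""
    try:
        h, b, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(b))
    except Exception:
        raise ValueError("invalid_token")
    if header.get("alg") != "HS256":      # pin the algorithm; never trust the token's alg
        raise ValueError("invalid_token")
    expected = hmac.new(SIGNING_KEY, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("invalid_token")
    if claims.get("iss") != ISSUER:
        raise ValueError("invalid_token")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("invalid_token")
    if not claims.get("client_id"):       # must be a registered (DCR) client
        raise ValueError("invalid_token")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("invalid_token")
    return claims


def handle_mcp_call(headers: dict, tool: str, now: Optional[float] = None) -> Tuple[int, dict]:
    """Returns (status, response headers) the way a resource server answers."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"WWW-Authenticate": _challenge(None)}  # no error code for a missing token
    try:
        claims = decode_and_verify(auth[len("Bearer "):], now)
    except ValueError as exc:
        return 401, {"WWW-Authenticate": _challenge(str(exc), "token rejected")}
    required = TOOL_SCOPES.get(tool)
    if required is None:
        return 404, {}
    granted = set(claims.get("scope", "").split())
    if required not in granted:
        return 403, {"WWW-Authenticate": _challenge("insufficient_scope", f"requires {required}")}
    return 200, {"X-Client-Id": claims["client_id"]}
```

The 401 branch for a missing token deliberately carries no error code, only resource_metadata: RFC 6750 says a server should not add one when the request had no credentials at all, and the metadata URL is what lets a host restart discovery without user involvement.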