Install in a hosted client (OAuth)
Connect ChatGPT and other hosted MCP clients via OAuth instead of a local API key.
Hosted MCP clients (ChatGPT, Claude's web/mobile apps) can't run a local Node process, so they hit SaaSFlow over HTTPS and authenticate with OAuth bearer tokens. The server is the same; only the transport and auth differ.
MCP endpoint
SaaSFlow's hosted MCP endpoint is mounted at:
https://api.saasflow.com/mcpIssued OAuth tokens for this endpoint have audience https://api.saasflow.com/mcp.
Add it to a hosted client
The exact UI varies by client, but the inputs are:
| Field | Value |
|---|---|
| Server URL | https://api.saasflow.com/mcp |
| Auth | OAuth 2.1 (Authorization Code + PKCE) |
| Authorization endpoint | https://api.saasflow.com/auth/oauth2/authorize |
| Token endpoint | https://api.saasflow.com/auth/oauth2/token |
| Resource | https://api.saasflow.com/mcp |
| Scopes | saasflow:read |
When the client connects, it redirects you to app.saasflow.com to sign in (if not
already) and approve. SaaSFlow stores the consent grant; revocation from
Settings → Company settings invalidates the token in real time.
Scopes
| Scope | Grants |
|---|---|
saasflow:read | All :read permissions, intersected with your user permissions. |
saasflow:write | Reads + :write permissions. Admin (:manage) is never granted via OAuth. |
The MCP server only registers read tools today, so saasflow:read is enough.
Tooling
You can also use the saasflow CLI to obtain
an OAuth bearer for testing:
saasflow login
# Then to print a fresh access token:
saasflow whoami --json | jq -r '.oauth.accessToken'Useful when wiring up a custom MCP client.
Revoke
Open Settings → Company settings → API keys in the SaaSFlow app — OAuth consent grants are listed alongside API keys. Revoking is immediate.