This applies only to MCP servers (or other connectors) that an admin has wired with OAuth. For MCP servers that take a static API key in their configuration, no in-chat consent flow is shown — the agent just calls them.
What the user sees
When the agent invokes a tool that requires an OAuth connection, a connector card appears in the conversation flow:- Service name + icon (e.g. “Notion”)
- A status pill — Connection required (grey), Verifying connection… (loading), or Connected (green check)
- An optional list of Required permissions (the OAuth scopes)
- A Connect button (or Disconnect once authorized)
The flow
- The user clicks Connect. A popup window opens (600 × 700) on the OAuth provider’s consent page.
- The user signs in (if needed) and grants the requested scopes.
- The provider redirects back to a Prisme.ai callback. The popup closes.
- Chat polls the connection status. The pill flips to Verifying connection… then to a green Connected.
- The agent automatically resumes — the original tool call now succeeds.
Disconnecting
Once connected, the card shows a Disconnect button. Clicking it opens a small popup that revokes the stored token. The pill returns to Connection required, and the next tool call will trigger the consent flow again.What happens behind the scenes
The popup talks to a backend OAuth helper that handles the standard authorization-code flow with PKCE: Concretely:- Tokens are stored as user-scoped secrets in the platform — never in the browser, never visible in the workspace logs.
- Refresh tokens are used transparently when an access token expires. The user is only re-prompted if the refresh itself fails (revoked grant, scope changes, etc.).
- State / PKCE parameters guard the callback against CSRF and code-interception attacks.
Configuring an OAuth-enabled MCP server (admin)
To make a Connect button appear, an admin needs to provide the OAuth client credentials and endpoints once per service. The setup lives in the connector’s app configuration — typically theoauth-core workspace or a wrapper around it.
You’ll need to fill the following from the provider’s developer console:
Example of an OAuth-enabled connector entry:
Troubleshooting
The agent keeps asking to re-connect every conversation
The agent keeps asking to re-connect every conversation
The provider issued a short-lived access token without a refresh token (some providers gate this on a specific scope, like
offline_access). Add the missing scope to the connector config so refresh tokens are issued.A connection works for me but not my colleague
A connection works for me but not my colleague
Connections are per user. Each user must run through the consent flow on their first invocation — there’s no shared workspace token for OAuth connectors.
Related
Agent capabilities
How MCP servers fit alongside other tool types on an agent.
Custom tools
When you only need one or two endpoints, skip MCP and wire a custom tool directly.
Imports & integrations
Manage installed apps, OAuth-based imports, and credential storage.
SecureChat overview
Where Chat fits in the broader Prisme.ai ecosystem.