Authentication
Promptsy uses OAuth 2.1 to securely authenticate MCP connections. This ensures your prompts stay private and you control which AI assistants can access your vault.
How It Works
┌──────────────┐    1. Request auth     ┌──────────────┐
│ AI Assistant │───────────────────────▶│  MCP Server  │
└──────────────┘                        └──────────────┘
                                               │
                                               │ 2. Redirect
                                               ▼
                                        ┌──────────────┐
                                        │   Promptsy   │
                                        │   Consent    │
                                        └──────────────┘
                                               │
                                               │ 3. Approve
                                               ▼
┌──────────────┐    4. Access token     ┌──────────────┐
│ AI Assistant │◀───────────────────────│  MCP Server  │
└──────────────┘                        └──────────────┘
- Request: AI assistant asks to use Promptsy tools
- Redirect: You're sent to Promptsy to authorize
- Approve: You review and approve the permissions
- Token: The assistant receives an access token
Scopes
When authorizing, you'll see these permission scopes:
| Scope | Permission | Required For |
|---|---|---|
| prompts:read | View your prompts and collections | browse_prompts |
| prompts:write | Create and save prompts | save_prompt |
| account:read | View your tier and credits | Credit balance display |
Recommended
For full functionality, grant all three scopes. You can revoke access anytime.
Minimal Access
If you only want to browse:
- Grant only prompts:read
- save_prompt will not work
Token Lifecycle
Access Token
- Duration: 1 hour
- Refresh: Automatic via refresh token
- Storage: Stored securely by the AI assistant
Refresh Token
- Duration: 30 days
- Purpose: Get new access tokens without re-authorizing
- Rotation: New refresh token issued with each use
Token Expiration
When a token expires:
- The MCP server returns a TOKEN_EXPIRED error
- The AI assistant uses the refresh token
- A new access token is issued
- The request is retried automatically
If the refresh token is also expired, you'll need to re-authorize.
Consent Screen
The consent screen shows:
- App Name: The AI assistant requesting access
- Scopes: What permissions are requested
- Your Account: Which Promptsy account is being authorized
Approve
Click Approve to grant access. The AI assistant can now use the requested tools.
Deny
Click Deny to reject the request. No access is granted.
Managing Connections
View Connected Apps
- Go to promptsy.dev/settings
- Scroll to Connected Apps
- See all AI assistants with access
Revoke Access
To disconnect an AI assistant:
- Go to Connected Apps
- Find the app to revoke
- Click Revoke Access
The assistant will immediately lose access. You can re-authorize later if needed.
Security Best Practices
Review Before Approving
Always check:
- The app name matches what you expect
- The scopes are appropriate
- You're logged into the correct Promptsy account
Revoke Unused Connections
Periodically review connected apps and revoke any you no longer use.
Use Trusted Clients
Only authorize AI assistants from trusted sources. The MCP protocol is powerful—only connect to apps you trust.
OAuth 2.1 Details
For developers building MCP clients:
Endpoints
| Endpoint | URL |
|---|---|
| Authorization | https://mcp.promptsy.dev/authorize |
| Token | https://mcp.promptsy.dev/oauth/token |
Grant Type
- Authorization Code (with PKCE recommended)
Token Response
{
"access_token": "eyJhbGc...",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "dGhpcyBpcyBh...",
"scope": "prompts:read prompts:write account:read"
}
Using the Token
Include the access token in the Authorization header:
Authorization: Bearer eyJhbGc...
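The client side of the authorization code grant with PKCE, as an added example (not Promptsy's own code): it builds the authorization URL, validates the callback, and applies a token response with refresh-token rotation. The client ID, the loopback redirect URI, and the assumption that the server accepts the standard RFC 6749 / RFC 7636 parameter names are hypothetical; only the two endpoint URLs and the response fields come from this page.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://mcp.promptsy.dev/authorize"  # from the endpoint table
TOKEN_URL = "https://mcp.promptsy.dev/oauth/token"    # POST target for the form below

def pkce_challenge(verifier):
    """S256 code_challenge for a code_verifier (RFC 7636, section 4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def start_authorization(client_id, redirect_uri, scopes):
    """Return the URL to open and the secrets to keep until the callback."""
    pending = {"state": secrets.token_urlsafe(32),
               "verifier": secrets.token_urlsafe(64)}  # 86 chars, limit is 43-128
    query = urlencode({
        "response_type": "code", "client_id": client_id,
        "redirect_uri": redirect_uri, "scope": " ".join(scopes),
        "state": pending["state"],
        "code_challenge": pkce_challenge(pending["verifier"]),
        "code_challenge_method": "S256"})
    return f"{AUTHORIZE_URL}?{query}", pending

def token_request_from_callback(callback_url, pending, client_id, redirect_uri):
    """Validate the redirect back to the client; return the token form fields."""
    params = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    got, want = params.get("state", "").encode(), pending["state"].encode()
    if not hmac.compare_digest(got, want):
        raise ValueError("state mismatch: callback is not for this request")
    if "error" in params or "code" not in params:
        raise ValueError(f"authorization failed: {params.get('error', 'no code')}")
    return {"grant_type": "authorization_code", "code": params["code"],
            "redirect_uri": redirect_uri, "client_id": client_id,
            "code_verifier": pending["verifier"]}

def store_tokens(store, response, now=None):
    """Apply a token response shaped like the one above to the client's store."""
    now = time.time() if now is None else now
    store["access_token"] = response["access_token"]
    store["expires_at"] = now + response["expires_in"] - 60  # refresh a minute early
    # Refresh tokens rotate on each use: overwrite, never keep the old one around.
    store["refresh_token"] = response.get("refresh_token", store.get("refresh_token"))
    store["granted_scopes"] = set(response.get("scope", "").split())
    return store
```

Checking granted_scopes before calling a tool lets a client report a missing prompts:write grant up front instead of surfacing an "Insufficient Scope" error mid-task.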
Troubleshooting
"Authorization Failed"
- Clear cookies and try again
- Make sure you're logged into Promptsy
- Check for popup blockers
"Invalid Token"
- The token may have expired
- Wait for automatic refresh, or
- Re-authorize the connection
"Insufficient Scope"
The tool requires a scope you didn't grant:
- Revoke the existing connection
- Re-authorize with the required scope