Connect an agent over OAuth
Radar Cloud’s MCP endpoint is an OAuth 2.1 resource server. An MCP-aware agent that supports OAuth points at the endpoint, gets challenged, and runs a standard sign-in instead of needing a token pasted in:- The endpoint advertises its protected-resource metadata (RFC 9728) and returns a
WWW-Authenticatechallenge on an unauthenticated/mcprequest, so compliant clients discover where to authenticate on their own. - Tokens are minted by Radar Cloud’s identity provider (WorkOS) or, on self-hosted, your own OIDC IdP.
- On first sign-in the agent’s user and org membership are provisioned just in time - no pre-invite step.
Manage grants
Each agent that signs in shows up as a connected app. From Settings → Tokens you can see your connected apps and revoke any grant, cutting that agent off immediately.Org-wide MCP access mode
Independent of how an agent authenticates, every org has one switch that decides whether AI agents may change anything: Settings → Tokens → MCP access mode.| Mode | Effect |
|---|---|
| Read-write (default) | Agents can use the full tool surface, including mutating actions. |
| Read-only | Agents can inspect, never mutate. |
- On the MCP endpoint, write tools are dropped from
tools/listand refused attools/callwith a tool-error the agent can surface. - On the cluster proxy, the same credential can otherwise reach Radar’s REST and WebSocket API directly, so mutating HTTP methods and exec / attach / port-forward sessions are refused with a
403.
The mode keys on the credential AI agents use - PATs and OAuth grants. Browser (cookie) sessions are never gated by it, so an owner who sets read-only can still operate clusters through the UI.
Auditing
MCP activity lands in the audit log: each tool call is recorded as an audit event, alongside grant create / revoke, so you can answer which agent did what, where, and when.See also
- Personal access tokens - the bearer-credential path for agents and CI.
- AI via MCP - what the MCP server exposes and why.
- Audit log - the record of agent and member activity.