OAuth & scopes
The Dataflow MCP server is its own OAuth 2.1 authorization server. Tokens are short-lived JWTs issued after login through Modular Finance SSO, with refresh tokens for long-running hosts. Dynamic client registration (RFC 7591) is supported, so most MCP hosts connect without any pre-configuration.
Scopes
Every tool requires one of two scopes:
| Scope | Grants |
|---|---|
dataflow:entities.search | The search tools: search_securities, search_owners. |
dataflow:ownership.read | The ownership tools: owner lists, sub-holdings, portfolios and changes. |
Your contract determines which scopes your organization can grant. The consent screen on first connect shows exactly what the host requested.
Credentials
Each connected host gets its own OAuth client (credential).
Discovery endpoints
Standard metadata for hosts and tooling:
/.well-known/oauth-protected-resource: resource metadata (RFC 9728)/.well-known/oauth-authorization-server: authorization-server metadata (RFC 8414)/.well-known/jwks.json: token verification keys
