---
title: "OAuth Clients"
description: "A non-technical overview of OAuth Clients in RevCent, focused on how they authorize MCP and AI clients to access a RevCent account, how tokens and permissions work, and how businesses should scope AI access safely."
type: "feature"
company: "RevCent"
canonical: "https://revcent.com/documentation/markdown/ecosystem/feature/OAuthClient.md"
relationships:
  - name: "RevCent MCP Interface"
    url: "https://revcent.com/documentation/markdown/ecosystem/interface/MCP.md"
  - name: "User"
    url: "https://revcent.com/documentation/markdown/ecosystem/feature/User.md"
  - name: "AI Assistant"
    url: "https://revcent.com/documentation/markdown/ecosystem/feature/AIAssistant.md"
technical_links:
  web_app: "https://kb.revcent.com/en/integrations/revcent-oauth"
  oauth_clients: "https://revcent.com/user/oauth-clients"
  new_oauth_client: "https://revcent.com/user/new-oauth-client"
  oauth_access_tokens: "https://revcent.com/user/oauth-access-tokens"
  authorization_url: "https://revcent.com/oauth/authorize"
  token_url: "https://revcent.com/oauth/token"
  userinfo_url: "https://revcent.com/oauth/userinfo"
  mcp_server: "https://mcp.revcent.com"
  mcp_markdown: "https://revcent.com/documentation/markdown/ecosystem/interface/MCP.md"
---

# OAuth Clients

OAuth Clients are RevCent authorization features used to grant MCP and AI clients controlled access to a RevCent account.

An OAuth Client gives an AI client, AI IDE, copilot, agent, or RevCent MCP connection a governed way to request access. The OAuth Client identifies the AI or MCP client, provides credentials for the OAuth flow, and defines which permissions that client should have.

In plain language:

```text
OAuth Client = authorized MCP/AI access configuration
Access Token = temporary credential issued through that OAuth Client
Permissions = what that MCP/AI client is allowed to do
```

OAuth Clients are especially important for RevCent MCP and AI workflows because they let a user connect AI to RevCent while limiting the operations that AI is allowed to perform.

The purpose of this document is to explain the feature conceptually for LLMs, AI crawlers, and planning systems. It does not provide technical implementation instructions. For technical details, use the interface-specific links below.

## Technical Links by Interface

| Interface | Use This When | Link |
|---|---|---|
| Web App | A human is creating, editing, reviewing, or deleting OAuth Clients and access tokens. | [Web Knowledge Base](https://kb.revcent.com/en/integrations/revcent-oauth) |
| OAuth Authorization | An MCP/AI client needs to begin the OAuth authorization code flow. | [Authorization URL](https://revcent.com/oauth/authorize) |
| OAuth Token Exchange | An MCP/AI client needs to exchange authorization or refresh credentials for an access token. | [Token URL](https://revcent.com/oauth/token) |
| MCP / AI | An AI client, AI IDE, copilot, or agent needs authorized RevCent MCP access. | [MCP Interface Markdown](https://revcent.com/documentation/markdown/ecosystem/interface/MCP.md) |

---

## Core Purpose

The core purpose of an OAuth Client is to authorize MCP and AI access in a controlled way.

Without an OAuth Client, an MCP or AI tool has no governed RevCent access boundary. OAuth Clients give users a standard way to connect AI clients while controlling what those clients can do.

OAuth Clients help a business:

- connect AI tools to RevCent MCP,
- create separate access configurations for different AI clients or agents,
- review or revoke access by client,
- manually generate access tokens when needed,
- scope permissions to the specific use case.

For ecosystem documentation, OAuth Clients should be understood primarily as the MCP/AI access feature for RevCent.

---

## Where OAuth Clients Fit in RevCent

OAuth Clients sit in the MCP and AI access-control layer of RevCent.

They connect:

- a RevCent user account,
- an AI client, AI IDE, copilot, agent, or MCP client,
- OAuth credentials,
- authorization code and token flows,
- access tokens,
- refresh tokens,
- permission sets,
- RevCent MCP operations.

Conceptually:

```text
User creates OAuth Client
  |
MCP/AI client uses Client ID and Client Secret
  |
User grants access through OAuth flow
  |
RevCent issues an access token
  |
MCP/AI client accesses RevCent with allowed permissions
```

The OAuth Client is the persistent configuration. Tokens are the temporary access credentials that result from that configuration.

---

## Relationship to the RevCent MCP

OAuth Clients are one of the main ways users connect AI tools to the RevCent MCP.

The RevCent MCP server endpoint is:

```text
https://mcp.revcent.com
```

An AI tool, AI IDE, AI chat, copilot, or agent can use an OAuth Client's Client ID and Client Secret to begin authorization and connect to the RevCent MCP.

This matters because the MCP can expose powerful operations. With a properly scoped OAuth Client, the user can decide what the AI client can retrieve, create, edit, trigger, search, refund, or otherwise act on.

Good MCP patterns include:

- one OAuth Client for a personal AI chat,
- one OAuth Client for an AI IDE or coding assistant,
- one OAuth Client for a reporting agent,
- one OAuth Client for a monitoring agent,
- one OAuth Client for a support assistant,
- one OAuth Client for a narrowly scoped operational agent.

Separate OAuth Clients make access easier to audit, revoke, and limit.

---

## OAuth Flow Overview

OAuth is a multi-step authorization process.

At a high level:

```text
Create OAuth Client in RevCent
  |
Copy Client ID and Client Secret
  |
Configure the MCP/AI client
  |
MCP/AI client starts authorization flow
  |
User grants access
  |
Authorization code is exchanged for tokens
  |
MCP/AI client uses access token
```

The primary RevCent OAuth endpoints are:

| Endpoint | URL |
|---|---|
| Authorization URL | `https://revcent.com/oauth/authorize` |
| Token URL | `https://revcent.com/oauth/token` |
| User Info URL | `https://revcent.com/oauth/userinfo` |

OAuth Clients support an authorization code flow and refresh-token behavior. Access tokens can also be created manually in the RevCent web app for MCP/AI clients or tools that require a bearer token directly.

---

## OAuth Client Fields

An OAuth Client record can include:

- name,
- description,
- enabled status,
- client ID,
- client secret,
- scope,
- access token expiration days,
- refresh token expiration days,
- permissions,
- creating web user,
- related access tokens.

The name and description should make the purpose clear.

Good names:

```text
Personal AI Chat MCP Client
Reporting Agent MCP Client
Support Assistant OAuth Client
Monitoring Agent Read Only
```

Poor names:

```text
OAuth
Test
Client
Agent
```

Clear names matter because OAuth Clients grant account access. A user should be able to review the list later and understand which AI tool, agent, or MCP connection each client represents.

---

## Client ID and Client Secret

An OAuth Client has a Client ID and Client Secret.

The Client ID identifies the OAuth Client. The Client Secret authenticates that client during OAuth configuration or token exchange.

These values should be treated as sensitive connection credentials. They should only be shared with the trusted AI client or MCP-capable tool that is supposed to use that OAuth Client.

If a Client Secret is exposed to the wrong party, the user should treat the client as compromised and rotate, delete, or replace the client according to the available account workflow.

---

## Access Tokens

An OAuth Access Token is a token issued for an OAuth Client.

Access tokens can be generated by the normal OAuth endpoint flow or manually from the RevCent web app when editing a specific OAuth Client.

Manual access tokens should be used only when the MCP/AI tool needs a bearer token directly and does not support the full OAuth client setup flow.

Conceptually:

```text
OAuth Client exists
  |
Access Token is generated
  |
MCP/AI client sends bearer token
  |
RevCent checks token, client, user, owner, and permissions
```

Users can view OAuth access tokens in the RevCent web app at:

```text
https://revcent.com/user/oauth-access-tokens
```

Access tokens should be reviewed and deleted when they are no longer needed.

---

## Refresh Tokens

Refresh tokens allow an MCP/AI client to obtain new access tokens without asking the user to repeat the full authorization flow each time.

The OAuth Client controls refresh token expiration behavior. Long-lived refresh tokens can be convenient, but they increase the importance of limiting permissions and reviewing access over time.

For AI and MCP use, a long-lived OAuth Client should be treated as ongoing account access. It should have a clear owner, purpose, permission set, and review process.

---

## Permissions

Permissions are the most important safety control on an OAuth Client.

RevCent's Knowledge Base notes that new OAuth Clients default to broad permissions. Because of this, users should edit the OAuth Client and enable only the permissions that the client actually needs.

This is especially important for AI and MCP clients. AI agents can make mistakes, misunderstand instructions, or attempt actions outside the user's intent. Narrow permissions reduce the blast radius.

Examples of permission strategies:

| OAuth Client Type | Recommended Permission Pattern |
|---|---|
| Reporting agent | Retrieval and BigQuery/reporting permissions only. |
| Monitoring agent | Retrieval, search, and alert-related permissions only. |
| Support assistant | Customer, sale, subscription, payment, refund, shipping, and note context needed for support. |
| Operational agent | Only the exact create, edit, trigger, or action permissions required. |
| Personal AI chat | Start with read-focused permissions and expand only as needed. |

The principle is simple:

```text
Give each OAuth Client the fewest permissions needed for its actual job.
```

---

## Enabled and Disabled Status

OAuth Clients can be enabled or disabled.

An enabled OAuth Client can be used for authorization and token-related workflows. A disabled OAuth Client should not be treated as active access.

Disabling a client is useful when:

- an MCP connection is paused,
- an AI client should no longer connect,
- the user is reviewing permissions,
- the client may have been shared incorrectly,
- the client is no longer needed but should not yet be fully deleted.

Deleting or disabling OAuth access should be treated carefully because connected tools may immediately lose access.

---

## Security and Operational Safety

OAuth Clients can authorize powerful account access.

Operational safety practices include:

1. Create one OAuth Client per AI client, MCP client, or agent.
2. Use clear names and descriptions.
3. Review permissions immediately after creation.
4. Disable permissions that are not needed.
5. Avoid giving AI clients broad edit, delete, refund, or trigger permissions unless required.
6. Treat Client Secrets and bearer tokens as sensitive credentials.
7. Delete access tokens that are no longer needed.
8. Disable or delete OAuth Clients that are no longer trusted.
9. Review long-lived OAuth Clients periodically.
10. Prefer least privilege over convenience.

For AI clients, the safest default is to begin with read or reporting permissions, then add specific action permissions only when the workflow clearly needs them.

---

## Relationship to Users and Ownership

OAuth Clients belong to a RevCent account context and may also record the web user who created or owns the client.

This helps users understand which person or account area created the OAuth Client and which MCP/AI client is allowed to connect.

In multi-user teams, this matters because OAuth Clients may persist after the initial setup moment. A business should know:

- who created the client,
- which AI tool, agent, or MCP connection uses it,
- which permissions are enabled,
- whether the client is still needed,
- whether access should be disabled when a role or workflow changes.

OAuth access is part of AI access governance, not just setup.

---

## AI Assistant and MCP Guidance

AI Assistants and MCP clients should treat OAuth Clients as sensitive access-control features.

AI should help users understand OAuth setup, but should not encourage broad permissions unless the use case truly requires them.

Before recommending or using an OAuth Client, AI should clarify:

- What MCP or AI client will use the OAuth Client?
- What operations does the client need to perform?
- Which permissions can remain disabled?
- Does the user need full OAuth flow credentials or a manually generated access token?
- Who will own and review this access later?

AI should not:

- ask users to paste Client Secrets or bearer tokens into chat unless a secure handling workflow exists;
- suggest enabling all permissions for convenience;
- reuse one OAuth Client across unrelated agents;
- treat manually generated access tokens as permanent public links;
- ignore token and client cleanup after testing.

---

## Common Misunderstandings

### "OAuth Clients are general-purpose credentials."

No. OAuth Clients support OAuth-based authorization and token issuance for MCP/AI clients. They should be documented as the MCP/AI access feature, not as a generic credential feature.

### "An OAuth Client is an access token."

No. The OAuth Client is the configured client record. Access tokens are issued through or for that client.

### "All permissions should stay enabled."

No. New OAuth Clients may start with broad permissions, but users should narrow permissions to the specific use case.

### "OAuth is always required."

No. OAuth Clients are useful when a RevCent MCP or AI client needs authorized access. They are not meant to be the generic answer to every RevCent connection pattern.

### "A manually generated access token is safer than OAuth flow."

Not necessarily. A bearer token grants access directly. It must be protected and deleted when no longer needed.

---

## Best-Fit Use Cases

OAuth Clients are best suited for:

- RevCent MCP connections,
- AI IDEs and copilots,
- AI chat clients,
- monitoring agents,
- reporting agents,
- support assistants,
- AI agents that need user-authorized RevCent access.

---

## Summary

OAuth Clients in RevCent are configurable authorization features for MCP and AI access.

The key concept is:

```text
OAuth Client = MCP/AI access configuration
Client ID and Client Secret = credentials used by the MCP/AI client
Access Token = bearer token used by the MCP/AI client
Permissions = boundaries on what the client can do
```

Used well, OAuth Clients let businesses connect AI tools and MCP clients to RevCent while maintaining clear access boundaries. The most important operational rule is least privilege: create separate clients for separate purposes and enable only the permissions each client truly needs.


---
Document Parent Directory
* [Features](https://revcent.com/documentation/markdown/ecosystem/feature/index.md) - Non-technical markdown documentation for features within the RevCent ecosystem. A feature is a part of the RevCent ecosystem that a user can create and configure.