Authentication¶
Scout MCP uses OAuth 2.0 Client Credentials as its primary authentication method, with a legacy API-key header also supported for backwards compatibility.
OAuth 2.0 (recommended)¶
Discovery¶
Scout publishes an RFC 8414 authorization server metadata document:
Response:
{
"issuer": "https://mcp.primerfp.com",
"token_endpoint": "https://mcp.primerfp.com/oauth/token",
"grant_types_supported": ["client_credentials"],
"token_endpoint_auth_methods_supported": ["client_secret_post", "none"],
"scopes_supported": ["mcp"],
"service_documentation": "https://docs.primerfp.com/mcp",
"support_email": "mcp-support@primerfp.com"
}
Automatic Token Acquisition¶
MCP clients that implement OAuth 2.0 natively follow this sequence on startup — no manual token exchange or embedded header required:
① Client → GET /.well-known/oauth-authorization-server (discovery)
② Server → { "token_endpoint": "…/oauth/token", … }
③ Client → POST /oauth/token
grant_type=client_credentials&client_secret=prfp_…
④ Server → { "access_token": "prfp_…", "token_type": "bearer", … }
⑤ Client → GET /mcp (Authorization: Bearer prfp_…) ← all subsequent calls
Clients that support automatic OAuth token acquisition¶
VS Code (GitHub Copilot) — v1.99+¶
VS Code Copilot can perform the token claim automatically when you omit the
headers block and provide the server URL only:
On first connect Copilot reads the discovery document, POSTs to /oauth/token
with the client_secret you enter when prompted, and caches the Bearer token.
To pre-configure the secret without an interactive prompt, use an
input variable:
{
"servers": {
"scout": {
"type": "http",
"url": "https://mcp.primerfp.com/mcp",
"gallery": false
}
},
"inputs": [
{
"id": "scout_secret",
"type": "promptString",
"description": "PrimeRFP API key (starts with prfp_)",
"password": true
}
]
}
Claude Desktop (mcp-remote OAuth mode)¶
mcp-remote 0.1.x+ supports OAuth discovery when you omit --header. On first
run it opens a browser window (or prints a URL) for authorisation, then stores
the returned token in its local cache (~/.mcp-auth/).
Because Scout uses client_credentials (M2M, no browser redirect needed), pass
--no-auth to skip the browser dance and let mcp-remote rely solely on the
discovery-returned token:
{
"mcpServers": {
"scout": {
"command": "npx",
"args": [
"-y",
"mcp-remote",
"https://mcp.primerfp.com/mcp",
"--transport",
"http-only"
],
"env": {
"MCP_REMOTE_CLIENT_SECRET": "prfp_YOUR_KEY_HERE"
}
}
}
}
If your version of mcp-remote doesn't read MCP_REMOTE_CLIENT_SECRET, fall
back to the explicit --header form shown in the Getting Started guide.
Cursor (native OAuth — 0.47+)¶
Cursor's built-in HTTP transport performs discovery automatically when no
headers key is present:
Cursor will prompt for your API key the first time, exchange it for a Bearer token, and re-use that token for the session.
Manual token exchange¶
If your client doesn't support automatic OAuth acquisition, exchange your API key for a Bearer token yourself and embed it in the config.
Step 1 — Obtain a Bearer token¶
Your API key (prfp_…) acts as the client_secret:
curl -X POST https://mcp.primerfp.com/oauth/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials&client_secret=prfp_YOUR_KEY_HERE"
Response:
{
"access_token": "prfp_YOUR_KEY_HERE",
"token_type": "bearer",
"expires_in": 86400,
"scope": "mcp"
}
Token lifetime
Tokens are valid for 24 hours (expires_in: 86400). Re-exchange your API key
when it expires — the underlying key stays active until you revoke it.
Step 2 — Use the Bearer token¶
Send the access_token in the Authorization header on all MCP requests:
Claude Desktop¶
{
"mcpServers": {
"scout": {
"command": "npx",
"args": [
"-y",
"mcp-remote",
"https://mcp.primerfp.com/mcp",
"--header",
"Authorization: Bearer prfp_YOUR_KEY_HERE",
"--transport",
"http-only"
]
}
}
}
Cursor / Windsurf / VS Code¶
{
"mcpServers": {
"scout": {
"url": "https://mcp.primerfp.com/mcp",
"headers": {
"Authorization": "Bearer prfp_YOUR_KEY_HERE"
}
}
}
}
Legacy API Key header¶
The X-PrimeRFP-Key header is fully supported for backwards compatibility.
It is functionally equivalent to OAuth Bearer — same key, same validation path.
Note
Both methods resolve to the same underlying API key and enforce the same per-tier rate limits. OAuth Bearer is the recommended method for new integrations and is required for MCP directory certification.
Obtaining an API key¶
- Sign in at scout.primerfp.com
- Go to Account Settings → API Keys
- Click New Key, give it a label, click Create Key
- Copy the key immediately — it is shown only once and starts with
prfp_
Warning
Keys are never stored in plaintext and cannot be recovered. If you lose a key, revoke it and create a new one.
Error responses¶
| HTTP Status | error field |
Meaning |
|---|---|---|
401 |
authentication_failed |
Key missing, invalid, or revoked; or web-only Free / expired MCP Trial (MCP requires MCP Trial, Explorer, or Tactics+) |
401 |
invalid_client |
Bad key on /oauth/token |
403 |
monthly_limit_reached |
Monthly call quota exceeded (where enforced) |
| (tool result) | daily_search_limit |
search_opportunities returns this when the per-UTC-day search cap is reached (10 on MCP Trial, 50 on MCP Explorer; higher tiers use monthly budgets) |
429 |
rate_limit_exceeded |
Per-minute rate limit hit |
400 |
unsupported_grant_type |
Only client_credentials is supported |
Marketplace review and partner access¶
Directory or partner review is handled out of band. Email mcp-support@primerfp.com for credentials, setup help, or a time‑boxed API key. Login details and keys are not published in this documentation.
Security¶
- All requests must use HTTPS —
http://is not accepted - API keys are stored as SHA-256 hashes; the plaintext key is never retained
- Keys can be revoked instantly from Settings → API Keys
- Each key is scoped to a single user account and cannot be shared across accounts
Support¶
Email: mcp-support@primerfp.com
Response time: 1 business day (Monday–Friday, 9am–5pm ET).