OAuth 2.1 Server
How third-party apps connect to your PingAura account. Covers the consent flow, account selection, scopes, and revocation.
PingAura is an OAuth 2.1 / OpenID Connect identity provider. Third-party apps that need to read or modify your data go through a consent flow on pingaura.ai and receive a token bound to one of your accounts.
Today this powers the MCP connector for Claude.ai. The same mechanism will power any future "Sign in with PingAura" integration without changes to your account or settings.
What you'll see when an app connects
- The app sends you to `https://www.pingaura.ai/oauth/consent?...`.
- If you're not signed in, you go to sign-in first and are returned to the consent screen.
- The consent screen shows the app's name and logo, the account picker (when you belong to more than one), and the permissions the app is asking for.
- You choose Approve or Deny. Either way you're sent back to the app.
Account selection
If you belong to more than one PingAura account (a personal account plus one or more team accounts), the consent screen shows a picker. The token the app receives is bound to the single account you pick.
If you only belong to one account, the picker is hidden and that account is used automatically.
You cannot bind a connection to an account you're not a member of: the membership check is enforced at the database level, so the database rejects such a grant.
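As an added illustration (not PingAura's own code or schema), here is how the membership rule above, and the one-grant-per-(user, OAuth client) behaviour described under Security notes later on this page, can be enforced by the database itself rather than by application code. SQLite, the table and column names, and the sample user, accounts and client are all assumptions for the example.

```python
import sqlite3
import time

# Assumed schema for the example; it is not PingAura's real schema.
# The composite foreign key on consent_grants is what makes the database,
# not application code, reject a grant for an account the user isn't in.
SCHEMA = """
CREATE TABLE users (id TEXT PRIMARY KEY);
CREATE TABLE accounts (id TEXT PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE memberships (
    user_id    TEXT NOT NULL REFERENCES users(id),
    account_id TEXT NOT NULL REFERENCES accounts(id),
    PRIMARY KEY (user_id, account_id)
);
CREATE TABLE oauth_clients (id TEXT PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE consent_grants (
    user_id     TEXT NOT NULL,
    client_id   TEXT NOT NULL REFERENCES oauth_clients(id),
    account_id  TEXT NOT NULL,
    scope       TEXT NOT NULL,
    approved_at INTEGER NOT NULL,
    PRIMARY KEY (user_id, client_id),
    FOREIGN KEY (user_id, account_id) REFERENCES memberships(user_id, account_id)
);
"""

# Constructed sample data: one user who belongs to two of the three accounts.
SEED = """
INSERT INTO users VALUES ('u1');
INSERT INTO accounts VALUES ('personal', 'Personal'), ('team-a', 'Team A'), ('team-b', 'Team B');
INSERT INTO memberships VALUES ('u1', 'personal'), ('u1', 'team-a');
INSERT INTO oauth_clients VALUES ('c1', 'Example MCP client');
"""


class GrantRejected(Exception):
    """Raised when the database refuses the grant (non-member account or unknown client)."""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FK constraints unless enabled
    conn.executescript(SCHEMA + SEED)
    return conn


def selectable_accounts(conn, user_id: str) -> list:
    """Accounts the consent screen may offer; the picker is shown only if more than one."""
    rows = conn.execute(
        "SELECT account_id FROM memberships WHERE user_id = ? ORDER BY account_id",
        (user_id,),
    ).fetchall()
    return [r[0] for r in rows]


def record_consent(conn, user_id, client_id, account_id, scope, now=None) -> dict:
    """Store or refresh the single grant for (user, client).

    ON CONFLICT turns a re-approval into an update of the existing row, and the
    composite foreign key makes SQLite reject an account the user is not in."""
    now = int(time.time()) if now is None else now
    try:
        conn.execute(
            """
            INSERT INTO consent_grants (user_id, client_id, account_id, scope, approved_at)
            VALUES (?, ?, ?, ?, ?)
            ON CONFLICT (user_id, client_id) DO UPDATE SET
                account_id  = excluded.account_id,
                scope       = excluded.scope,
                approved_at = excluded.approved_at
            """,
            (user_id, client_id, account_id, scope, now),
        )
    except sqlite3.IntegrityError as exc:
        raise GrantRejected(f"database rejected grant for {user_id}/{client_id}/{account_id}") from exc
    row = conn.execute(
        "SELECT user_id, client_id, account_id, scope, approved_at "
        "FROM consent_grants WHERE user_id = ? AND client_id = ?",
        (user_id, client_id),
    ).fetchone()
    return dict(zip(("user_id", "client_id", "account_id", "scope", "approved_at"), row))


def revoke_consent(conn, user_id, client_id) -> int:
    """Delete the grant on disconnect; returns the number of rows removed (0 or 1)."""
    return conn.execute(
        "DELETE FROM consent_grants WHERE user_id = ? AND client_id = ?",
        (user_id, client_id),
    ).rowcount


def count_grants(conn) -> int:
    return conn.execute("SELECT COUNT(*) FROM consent_grants").fetchone()[0]
```

A failed upsert leaves the existing grant untouched, so a re-approval that names an account the user has since left cannot silently downgrade or move the connection; the consent screen should never offer such an account in the first place, but the constraint holds even if the client tampers with the form.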
Permissions (scopes)
Two scopes:
- Read — list and inspect your data (domains, prompts, audits, articles, competitors). Always granted.
- Write — modify your data (create prompts, run audits, publish articles, archive items). Optional. Apps that ask for Write show a checkbox you can uncheck.
If you uncheck Write, the issued token carries Read scope only. Any write tool the app calls then fails with an `insufficient_scope` error, and the app will prompt you to reconnect with Write granted.
Revoking access
Open the connected app's settings and disconnect from PingAura. That immediately invalidates the access token and deletes the consent record on our side. Any further API calls from the app are rejected, and the app has to send you through the consent flow again before it can connect.
For developers
PingAura is an OAuth 2.1 / OpenID Connect authorization server. It supports:
- OIDC discovery (`/.well-known/openid-configuration`) with the standard authorization, token, and JWKS endpoints
- Dynamic Client Registration (RFC 7591), used by MCP clients automatically
- PKCE with the `S256` challenge method, required for all clients
- RFC 9728 Protected Resource Metadata at `https://www.pingaura.ai/.well-known/oauth-protected-resource`
Start discovery from the `authorization_servers` field in our protected resource metadata. For protocol-specific details on the MCP connector (discovery URL, scope guidance, token format) see the MCP server docs.
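An added example of the client side of that discovery walk, with the checks a client should make before trusting what it finds and the PKCE challenge it must send. This is example code, not PingAura's or any MCP client's. The two JSON documents are constructed stand-ins for what the live endpoints return: only the URL shapes given on this page are taken from it, while the resource identifier, the token, JWKS and registration paths, and the use of an RFC 8707 `resource` parameter are assumptions. `fetch` is injected so the example runs offline.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-ins for the two discovery documents. Values marked
# "assumed" are not stated on this page.
PROTECTED_RESOURCE_METADATA = json.dumps({
    "resource": "https://www.pingaura.ai/mcp",                        # assumed
    "authorization_servers": ["https://www.pingaura.ai"],
    "scopes_supported": ["read", "write"],
})

OPENID_CONFIGURATION = json.dumps({
    "issuer": "https://www.pingaura.ai",
    "authorization_endpoint": "https://www.pingaura.ai/oauth/consent",
    "token_endpoint": "https://www.pingaura.ai/oauth/token",            # assumed
    "jwks_uri": "https://www.pingaura.ai/.well-known/jwks.json",        # assumed
    "registration_endpoint": "https://www.pingaura.ai/oauth/register",  # assumed
    "code_challenge_methods_supported": ["S256"],
})


def fake_fetch(url: str) -> str:
    """Offline stand-in for an HTTPS GET of a discovery document."""
    if url == "https://www.pingaura.ai/.well-known/openid-configuration":
        return OPENID_CONFIGURATION
    raise LookupError(f"unexpected fetch: {url}")


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce(verifier: str = "") -> tuple:
    """Return (code_verifier, code_challenge) for the S256 method (RFC 7636).

    A fresh verifier is 32 random bytes, base64url-encoded (43 unreserved
    characters); the challenge is the base64url SHA-256 of the verifier."""
    if not verifier:
        verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def discover(resource_metadata: str, fetch=fake_fetch) -> dict:
    """RFC 9728 protected resource metadata -> OIDC discovery document."""
    prm = json.loads(resource_metadata)
    issuer = prm["authorization_servers"][0].rstrip("/")
    config = json.loads(fetch(issuer + "/.well-known/openid-configuration"))
    # The document must claim the issuer we derived it from; a mismatch means
    # the resource pointed us at a server posing as another one.
    if config.get("issuer", "").rstrip("/") != issuer:
        raise ValueError(f"issuer mismatch: {config.get('issuer')!r} != {issuer!r}")
    if "S256" not in config.get("code_challenge_methods_supported", []):
        raise ValueError("authorization server does not advertise S256 PKCE")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlparse(config[key]).scheme != "https":
            raise ValueError(f"{key} must be https")
    config["resource"] = prm["resource"]
    return config


def build_authorize_url(config, client_id, redirect_uri, scope, state, code_challenge) -> str:
    """Authorization request: code flow, S256 PKCE, and a resource indicator so
    the token's aud is pinned to one resource server (assumed to be accepted)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "resource": config["resource"],
    }
    return config["authorization_endpoint"] + "?" + urlencode(params)


def authorize_params(url: str) -> dict:
    """Parse the query of an authorization URL back into single-valued params."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
```

The verifier is kept by the client and sent only to the token endpoint; the authorization request carries the challenge, so an intercepted authorization code is useless without it. The issuer comparison is the check most clients skip and the one that protects against a hostile resource server redirecting the flow.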
Security notes
- Tokens are short-lived JWTs with a per-grant `aud` claim. A token issued for one PingAura resource server (e.g. the MCP API) cannot be replayed against another.
- The OAuth client name and logo shown on the consent screen come from the client's registered metadata. Because clients can register themselves (RFC 7591), that name and logo are whatever the client supplied, so verify the name and the redirect URL host before approving.
- Consent records bind to a `(user, OAuth client)` pair. Re-approving the same app updates the existing grant rather than creating a duplicate.
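As an added example (not PingAura's code), here is the resource-server side of the `aud` note above together with the `insufficient_scope` response described under Permissions. The live server publishes asymmetric keys through JWKS; to run offline with the standard library, this example substitutes HS256 with a shared key. That substitution, the claim names `scope` and `account_id`, the two audience URIs and the tool names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumptions for the example: a shared HS256 key stands in for the JWKS-published
# asymmetric key, and the two audience URIs name two distinct PingAura resource servers.
SIGNING_KEY = b"example-only-key-do-not-reuse"
ISSUER = "https://www.pingaura.ai"
MCP_AUDIENCE = "https://www.pingaura.ai/mcp"
OTHER_AUDIENCE = "https://www.pingaura.ai/api"
WRITE_TOOLS = {"create_prompt", "run_audit", "publish_article", "archive_item"}  # assumed names


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _dumps(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def _sign(signing_input: str) -> str:
    return b64url_encode(hmac.new(SIGNING_KEY, signing_input.encode("ascii"), hashlib.sha256).digest())


def mint_token(sub, account_id, aud, scope, ttl=600, now=None) -> str:
    """What the authorization server issues after consent: short-lived, bound to
    one account and one resource server, carrying only the granted scopes."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": sub, "account_id": account_id, "aud": aud,
              "scope": scope, "iat": now, "exp": now + ttl}
    signing_input = b64url_encode(_dumps(header)) + "." + b64url_encode(_dumps(claims))
    return signing_input + "." + _sign(signing_input)


class TokenError(Exception):
    def __init__(self, error: str):
        super().__init__(error)
        self.error = error


def verify_token(token: str, expected_aud: str, now=None) -> dict:
    """Resource-server validation: signature first, then iss, aud and exp.
    Every failure is reported as invalid_token so the caller learns nothing extra."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("invalid_token")
    try:
        header = json.loads(b64url_decode(parts[0]))
        if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
            raise TokenError("invalid_token")
        expected_sig = _sign(parts[0] + "." + parts[1]).encode("ascii")
        if not hmac.compare_digest(expected_sig, parts[2].encode("utf-8")):
            raise TokenError("invalid_token")
        claims = json.loads(b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        raise TokenError("invalid_token")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    # The aud check is what stops a token for another PingAura resource server
    # from being replayed here, even though it was signed by the same issuer.
    if claims.get("iss") != ISSUER or expected_aud not in audiences:
        raise TokenError("invalid_token")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise TokenError("invalid_token")
    return claims


def authorize_tool(token: str, tool: str, now=None) -> tuple:
    """Gate one MCP tool call on the MCP resource server.
    Returns (HTTP status, WWW-Authenticate value); 200 means the call may proceed."""
    try:
        claims = verify_token(token, MCP_AUDIENCE, now)
    except TokenError as exc:
        return 401, f'Bearer error="{exc.error}"'
    needed = "write" if tool in WRITE_TOOLS else "read"
    granted = set(claims.get("scope", "").split())
    if needed not in granted:
        # RFC 6750: 403 plus the scope the client should request when it reconnects
        return 403, f'Bearer error="insufficient_scope", scope="{needed}"'
    return 200, ""


def forge_scope(token: str, new_scope: str) -> str:
    """Attacker move used in the checks: rewrite the scope claim, keep the old signature."""
    header, payload, sig = token.split(".")
    claims = json.loads(b64url_decode(payload))
    claims["scope"] = new_scope
    return header + "." + b64url_encode(_dumps(claims)) + "." + sig
```

The order matters: the signature is checked before any claim is read, so a forged payload never reaches the scope logic, and a token for another PingAura resource server is refused by the `aud` check before scope is considered at all.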