MCP Integration
Use MCP servers as plugin tool sources with realtime discovery, PKCE OAuth, public-server support, and layered credential management.
Overview
NIN Connect can use Model Context Protocol servers as a plugin tool source instead of relying only on manually defined REST tools.
That gives you three plugin modes:
toolSource | Behavior |
|---|---|
manual | Only hand-authored tools |
mcp | Only tools discovered from the MCP server |
both | Manual and MCP tools together |
For mcp plugins, the hosted connect page now hides manual auth methods and only shows the MCP connection flow.
What Changed
Realtime MCP discovery
When getTools() runs for a connected user, NIN tries to fetch the latest MCP tools live from the provider first, then falls back to mcpToolCache if the live call is unavailable.
Better OAuth discovery
NIN now supports multiple discovery patterns used by real MCP servers:
- RFC 9470 protected resource metadata
- RFC 8414 authorization server metadata
- Path-aware RFC 8414 metadata for issuers like GitHub
401 WWW-Authenticatechallenge discovery- Public MCP servers with no auth at all
That means servers like GitHub and Crypto.com can now be discovered correctly even though they do not behave like simple .well-known examples.
Multi-level MCP credentials
MCP client credentials now resolve through this chain:
- End-user override
- Developer override
- Admin default plugin credentials
This lets each developer decide whether users can bring their own client ID and secret, while still supporting plugin-level defaults.
Hosted connect page improvements
The hosted connect page now:
- Shows only the connection methods allowed by
toolSource - Supports optional end-user MCP client credentials when allowed
- Shows the callback URL users must register with their provider
Connection Model
For MCP-enabled plugins, a single connectedAccounts record can hold:
- REST credentials for manual tools
- MCP access and refresh tokens for MCP tools
- Optional end-user MCP client ID and secret used for refresh
This is what makes toolSource: "both" work without mixing up the two auth systems.
Dashboard Model
Admin plugins page
Admins can:
- Set
toolSourcetomanual,mcp, orboth - Discover MCP server auth details from a server URL
- Configure manual client credentials when auto-registration is unavailable
- Use public MCP servers with
authType: "none"
Developer My Plugins page
Developers can:
- Enable or disable plugins from their own catalog
- Override MCP client credentials per plugin
- Enable or disable end-user credential overrides
- Search plugins and bulk-disable all plugins
Connections page
Connections are grouped by user and can fetch tools per connection, showing whether tools came from MCP or manual definitions.
Public MCP servers
Some MCP servers do not require OAuth. For example, a public server may respond to MCP requests directly and never expose OAuth metadata.
In that case NIN stores:
authType: "none"- no OAuth metadata
- no client ID or client secret
The dashboard labels these as public MCP servers and hides OAuth-only inputs.
Next Pages
- Building an MCP Server — For services: step-by-step guide to build a remote MCP server with OAuth 2.0/2.1, PKCE, and session management (like Notion MCP).
- Integrating your MCP client
- Security best practices
Execution Logs
Monitor tool execution history — success/error status, latency, user ID, and error messages.
Building an MCP Server
Step-by-step guide for services to build a remote MCP server with OAuth 2.1 (PKCE), session management, and Streamable HTTP or SSE transport — aligned with the official MCP authorization and security guidance.