NIN Connect Docs
Platform (Self-Host)MCP

MCP Integration

Use MCP servers as plugin tool sources with realtime discovery, PKCE OAuth, public-server support, and layered credential management.

Overview

NIN Connect can use Model Context Protocol servers as a plugin tool source instead of relying only on manually defined REST tools.

That gives you three plugin modes:

toolSourceBehavior
manualOnly hand-authored tools
mcpOnly tools discovered from the MCP server
bothManual and MCP tools together

For mcp plugins, the hosted connect page now hides manual auth methods and only shows the MCP connection flow.

What Changed

Realtime MCP discovery

When getTools() runs for a connected user, NIN tries to fetch the latest MCP tools live from the provider first, then falls back to mcpToolCache if the live call is unavailable.

Better OAuth discovery

NIN now supports multiple discovery patterns used by real MCP servers:

  1. RFC 9470 protected resource metadata
  2. RFC 8414 authorization server metadata
  3. Path-aware RFC 8414 metadata for issuers like GitHub
  4. 401 WWW-Authenticate challenge discovery
  5. Public MCP servers with no auth at all

That means servers like GitHub and Crypto.com can now be discovered correctly even though they do not behave like simple .well-known examples.

Multi-level MCP credentials

MCP client credentials now resolve through this chain:

  1. End-user override
  2. Developer override
  3. Admin default plugin credentials

This lets each developer decide whether users can bring their own client ID and secret, while still supporting plugin-level defaults.

Hosted connect page improvements

The hosted connect page now:

  • Shows only the connection methods allowed by toolSource
  • Supports optional end-user MCP client credentials when allowed
  • Shows the callback URL users must register with their provider

Connection Model

For MCP-enabled plugins, a single connectedAccounts record can hold:

  • REST credentials for manual tools
  • MCP access and refresh tokens for MCP tools
  • Optional end-user MCP client ID and secret used for refresh

This is what makes toolSource: "both" work without mixing up the two auth systems.

Dashboard Model

Admin plugins page

Admins can:

  • Set toolSource to manual, mcp, or both
  • Discover MCP server auth details from a server URL
  • Configure manual client credentials when auto-registration is unavailable
  • Use public MCP servers with authType: "none"

Developer My Plugins page

Developers can:

  • Enable or disable plugins from their own catalog
  • Override MCP client credentials per plugin
  • Enable or disable end-user credential overrides
  • Search plugins and bulk-disable all plugins

Connections page

Connections are grouped by user and can fetch tools per connection, showing whether tools came from MCP or manual definitions.

Public MCP servers

Some MCP servers do not require OAuth. For example, a public server may respond to MCP requests directly and never expose OAuth metadata.

In that case NIN stores:

  • authType: "none"
  • no OAuth metadata
  • no client ID or client secret

The dashboard labels these as public MCP servers and hides OAuth-only inputs.

Next Pages

On this page