§ MCP · Controlled beta
Official OAuth-protected MCP
The Nuvouch MCP is the hosted path for OAuth-capable agent clients. The client registers with Nuvouch, completes authorization with PKCE, pairs a hosted runtime through the user's trusted mobile device, then calls /mcp with an OAuth bearer token.
§ MCP · Discovery
Discover OAuth and MCP metadata
GET/.well-known/oauth-authorization-server
GET/.well-known/oauth-protected-resource/mcp
GET/mcp
discovery.sh
curlcurl "https://api.nuvouch.com/.well-known/oauth-authorization-server"
curl "https://api.nuvouch.com/.well-known/oauth-protected-resource/mcp"
curl "https://api.nuvouch.com/mcp"| Field | Type | Description |
|---|---|---|
| authorization_endpoint | url | OAuth authorization endpoint. Currently /oauth/authorize. |
| token_endpoint | url | OAuth token endpoint. Currently /oauth/token. |
| registration_endpoint | url | Dynamic client registration endpoint. Currently /oauth/register. |
| resource | url | Protected MCP resource URL. Currently /mcp. |
| scopes_supported | array | Controlled-beta scopes include identity and delegation. |
§ MCP · Registration
Register an OAuth client
POST/oauth/register
register-client.sh
dynamic registrationcurl -X POST "https://api.nuvouch.com/oauth/register" \
-H "content-type: application/json" \
-d '{
"client_name": "Acme Agent Client",
"redirect_uris": ["https://agent.example.com/oauth/callback"],
"provider_id": "generic",
"scope": "identity delegation",
"token_endpoint_auth_method": "none"
}'§ MCP · Tokens
Exchange, refresh, and revoke tokens
POST/oauth/token
exchange-token.sh
authorization_codecurl -X POST "https://api.nuvouch.com/oauth/token" \
-H "content-type: application/x-www-form-urlencoded" \
--data-urlencode "grant_type=authorization_code" \
--data-urlencode "client_id=nvr_client_123" \
--data-urlencode "redirect_uri=https://agent.example.com/oauth/callback" \
--data-urlencode "code=nvr_code_123" \
--data-urlencode "code_verifier=ORIGINAL_PKCE_VERIFIER"refresh-token.sh
refresh_tokencurl -X POST "https://api.nuvouch.com/oauth/token" \
-H "content-type: application/x-www-form-urlencoded" \
--data-urlencode "grant_type=refresh_token" \
--data-urlencode "client_id=nvr_client_123" \
--data-urlencode "refresh_token=nvr_refresh_123"POST/oauth/revoke
revoke-token.sh
curl -X POST "https://api.nuvouch.com/oauth/revoke" \
-H "content-type: application/json" \
-d '{ "token": "nvr_access_or_refresh_token", "client_id": "nvr_client_123" }'§ MCP · Tools
Call identity and delegation tools
POST/mcp
tools-list.json
JSON-RPC{
"jsonrpc": "2.0",
"id": 1,
"method": "tools/list"
}| Field | Type | Description |
|---|---|---|
| identity_get | tool | Returns pairwise Nuvouch identity for the authenticated OAuth runtime. |
| delegation_request | tool | Creates a scoped delegation request and waits for approval by default. |
| delegation_status | tool | Checks or waits for an existing delegation and returns a token when approved. |
| delegation_revoke | tool | Revokes an active or pending delegation for the OAuth runtime. |
Request delegation
delegation-request.json
tools/call{
"jsonrpc": "2.0",
"id": 2,
"method": "tools/call",
"params": {
"name": "delegation_request",
"arguments": {
"audienceId": "aud_test_payments",
"purpose": "Identify the user before preparing a payment approval.",
"scopes": ["payments.identity", "payments.prepare"],
"waitForApproval": true
}
}
}