MCP Connect (OAuth 2.1)

One-click **Connect** for MCP clients (Cursor, Claude Desktop): instead of pasting an X-API-Key, the client runs the OAuth 2.1 authorization-code + PKCE flow against FinRadar's own login and gets a short-lived token. Discovery follows RFC 9728 (protected-resource) + RFC 8414 (authorization-server); the resource is `/api/mcp`. Both auth methods work side-by-side (dual auth) — existing X-API-Key clients are unaffected. Select FinRadar's MCP server in your client and click Connect to use it.

• GETGET method/.well-known/oauth-protected-resource/api/mcpMCP resource-server metadata (RFC 9728) — served by the MCP server
• GETGET method/.well-known/oauth-authorization-serverAuthorization-server metadata (RFC 8414)
• GETGET method/.well-known/jwks.jsonAS public signing keys (JWKS)
• POSTPOST method/oauth/registerDynamic Client Registration (RFC 7591) — how a client obtains a client_id
• GETGET method/oauth/authorizeAuthorize — server-rendered login + consent (GET shows the page, POST submits)
• POSTPOST method/oauth/tokenToken — exchange code (+PKCE verifier) for an access token, or refresh
• POSTPOST method/oauth/revokeRevoke a refresh token (RFC 7009) — 'Disconnect'