MCP clients authenticate through OAuth 2.1 with PKCE. WhatsApp Use publishes protected-resource metadata for the WhatsApp MCP server.

Metadata

Resource: /mcp/whatsapp
Metadata: /.well-known/oauth-protected-resource/mcp/whatsapp

The authorization server metadata is available at:
/.well-known/oauth-authorization-server

Authorization flow

1. Discover metadata
   The MCP client reads protected-resource metadata for /mcp/whatsapp.

2. Register or identify the client
   Clients can use dynamic client registration at POST /oauth/register.

3. Open authorization URL
   The client starts GET /oauth/authorize with PKCE and the target resource.

4. Sign in
   WhatsApp Use authenticates the user and selects an allowed organization connection.

5. Exchange code
   The client exchanges the authorization code at POST /oauth/token.

6. Use access token
   The client calls /mcp/whatsapp with the OAuth bearer token.
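
The client side of steps 3 and 5, as an added example that is not WhatsApp Use's own code: it derives the PKCE S256 challenge, builds the authorization URL with the target resource, and checks the returned state before building the token request. The host, client ID and redirect URI are assumed placeholders, and the parameter names are the standard ones from RFC 6749, RFC 7636 and RFC 8707, not confirmed against this server.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed placeholder host; the page gives only paths.
BASE_URL = "https://whatsapp-use.example"
RESOURCE = BASE_URL + "/mcp/whatsapp"

def new_verifier():
    """High-entropy PKCE code_verifier (86 chars, RFC 7636 allows 43-128)."""
    return secrets.token_urlsafe(64)

def s256_challenge(verifier):
    """code_challenge = BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorize_url(client_id, redirect_uri, scopes, challenge, state):
    """Step 3: authorization request with PKCE and the target resource."""
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "resource": RESOURCE,  # RFC 8707 resource indicator
    })
    return f"{BASE_URL}/oauth/authorize?{query}"

def build_token_request(callback_url, expected_state, client_id, redirect_uri, verifier):
    """Step 5: reject a mismatched state, then build the POST /oauth/token form."""
    params = parse_qs(urlsplit(callback_url).query)
    state = params.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard this callback")
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    return {
        "grant_type": "authorization_code",
        "code": params["code"][0],
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": verifier,
        "resource": RESOURCE,
    }
```

Keep the verifier and state in memory for the one authorization attempt only; the verifier is sent once, in the token request, and never in the authorization URL.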

Grant binding

Each grant binds:
  • User and organization.
  • MCP resource.
  • Scopes.
  • Client ID and client name.
  • Connection ID.

Scopes

The WhatsApp MCP resource requires whatsapp:read for read tools. Write tools require the grant to include whatsapp:write.
Do not paste dashboard API keys into MCP clients. MCP uses OAuth tokens, and the backend rejects API-key authentication for MCP.