GuidesAPI Reference
Log In
Guides
Start typing to search…

Authentication for MCP Use

Keeping your access token up to date locally for MCP usage.

MCP runtimes do not automatically perform OAuth handshakes (authentication), this process must be handled outside of the mcp.json file if you are using a tool with an mcp.json file, such as Cursor. As of right now, the only way to pass in an access token to utilize the execute-request tool is by either explicitly telling the agent through the chat (not recommended) or by coding the Authorization into the mcp.json file. However, both approaches will require you to have a script you can run locally to refresh your access token when needed. Below is a recommended approach at a high level for doing this.

Video Guide on High Level MCP Authentication Set Up

In the following video below, we demonstrate an example of an authentication set up which will allow you to automatically refresh your access tokens and store then in a .json file as well as within the Cursor MCP Configuration file.

Environment & Code Set Up

Below is a universal high-level set up you can alter to fit your system.

.env

In the root of your directory you should keep a .env file with your Client ID and Client Secret. This file should not be tracked by version control and will hold your application's secrets.

tokens.json

This file will be written to by the script you run. It should track the access_token, refresh_token, and any other fields from the /oauth/token endpoint response you'd like to track. Here is an example of what it might hold:

{
  "access_token": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOnsib3JnX2lkIjo0NjM2MDV9LCJkYXRhIjp7ImFwcGxpY2F0aW9uX2lkIjo1MTgyLCJwYXJ0bmVyX2lkIjoxfSwiZXhwIjoxNzcxODcwNjU5LCJqdGkiOiJhYTMzZWFjNi1kYmQ1LTRkZjctOTljYS00MmZiZTExMjc1YjUifQ.qOSbHBPbPPxO3VXvA5iaBQHk-7eIKwKG-ckttVfme",
  "refresh_token": "2myWozzUER9mw5KF8gTjrv199Ag3SgYKHQyE-gx1fsc",
  "created_at": 1771863494,
    "expires_in": 7200
}

Refresh Tokens Script

In the Hover Postman collection, within the Get or Refresh Access Token child tab inside of Authentication there is an example script which will update your chosen environments variable:

var jsonData = JSON.parse(responseBody);
pm.environment.set("access_token", jsonData.access_token);
pm.environment.set("refresh_token", jsonData.refresh_token);
pm.environment.set("token_created_at", jsonData.created_at);

This script can be used as inspiration for what will need to be a more robust script that you will want to run within your program. With the help of an AI Companion your refresh tokens script should accomplish the following:

  1. Read your Client ID and Secret from your environment (.env) file
  2. Read your refresh token from the tokens.json file
  3. Make a request to the Hover API Endpoint to refresh the access token using the refresh token
  4. Write the new access token and refresh token (and other meta data) back to the tokens.json file
  5. Optionally update your mcp.json file headers with the new access token

Including Access Token in mcp.json

In Cursor, there will be an mcp.json file which will hold the URL for the Hover MCP. More on this can be found here. Users optionally can include a header which will hold the Authorization details (your access token). Your script can optionally also update the header in this file whenever you refresh your access token. If you do not want your script to update the mcp.json file, you can manually copy-and-paste the access token.

mcp.json

{
  "mcpServers": {
    "hoverapi": {
      "url": "https://developers.hover.to/mcp",
      "headers": {
        "Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOnsib3JnX2lkI0NjM2MDV9LCJkYXRhIjp7ImFwcGxpY2F0aW9uX2lkIjo1MTgyLCJwYXJ0bmVyX2lkIjoxfSwiZXhwIjoxNzcxODcwNjU5LCJqdGkiOiJhYTMzZWFjNi1kYmQ1LTRkZjctOTljYS00MmZiZTExMjc1YjUifQ.qOSbHBPbPPxO3VXvA5iaBQHk-7eIKwKG-ckttVfmeo0"
      }
    }
  }
}

Updated 2 days ago