Configure OAuth2 client credentials for MCP servers with GitHat. Domain verification, client ID/secret generation, and token exchange workflow.
The client_credentials flow is designed for server-to-server auth without user interaction. GitHat implements this standard for MCP servers with a 5-minute token TTL.
Domain verification prevents impersonation. Only the domain owner can add the required DNS TXT record. Once verified, the MCP server can request tokens at any time.
Short-lived tokens (5-min TTL) minimize security risk. If a token leaks, it expires quickly. Your client credentials are the long-lived secret — keep them secure.
```bash
# Request body fields match the JavaScript example below; credentials come from
# the environment rather than the command line so they do not end up in shell history.
curl -X POST https://api.githat.io/mcp/token \
  -H 'Content-Type: application/json' \
  -d "{\"client_id\":\"$MCP_CLIENT_ID\",\"client_secret\":\"$MCP_CLIENT_SECRET\",\"grant_type\":\"client_credentials\"}"
```
```javascript
// Token refresh loop for MCP server
let token = null;
let tokenExpiry = 0;
let pending = null; // de-duplicates concurrent refreshes

async function getToken() {
  if (token && Date.now() < tokenExpiry - 60000) return token; // 1 min buffer
  if (pending) return pending; // another caller is already refreshing
  pending = refreshToken().finally(() => { pending = null; });
  return pending;
}

async function refreshToken() {
  const resp = await fetch('https://api.githat.io/mcp/token', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
      client_id: process.env.MCP_CLIENT_ID,
      client_secret: process.env.MCP_CLIENT_SECRET,
      grant_type: 'client_credentials'
    })
  });
  if (!resp.ok) {
    // Never cache a failed response as a token; surface the status to the caller.
    throw new Error(`token request failed: HTTP ${resp.status}`);
  }
  const data = await resp.json();
  token = data.access_token;
  // Prefer the server's expires_in (seconds, the standard OAuth2 field) when
  // present; otherwise fall back to the documented 5-minute TTL.
  tokenExpiry = Date.now() + (data.expires_in ?? 300) * 1000;
  return token;
}
```