Skip to main content

Connecting MCP Servers with OAuth Pre-Registration

MCP Manager
Updated

Introduction

Some MCP servers require you to register an application in their developer console before MCP Manager can establish a connection. This is known as OAuth pre-registration (or "OAuth via Client Pre-Registration"), and it's how services like Asana, HubSpot, and GitHub authorize third-party integrations.

When you connect one of these servers in MCP Manager, you'll need to provide a Client ID and Client Secret from the provider's developer console. You'll also need to copy a redirect URL from MCP Manager and paste it into the provider's app settings. If any of these pieces are missing, the connection will fail.

This article walks through the full process using Asana as an example, explains the general pattern that applies to all OAuth pre-registration servers, and covers common errors you might encounter.

When Does This Apply?

Not all MCP servers require pre-registration. There are three authentication patterns you'll encounter when adding a remote server in MCP Manager:

  • Standard OAuth (automatic) — Some servers, like Atlassian and Notion, support OAuth with dynamic client registration. MCP Manager handles the entire flow automatically — you just provide the server URL, and the connection completes through a browser-based authorization. No developer console work is needed.
  • OAuth with pre-registration — Servers like Asana, HubSpot, and GitHub require you to create an app in their developer portal first and bring your own Client ID and Client Secret. This article covers this scenario.
  • Token or API key — Some servers authenticate using a static API key or bearer token that you paste into MCP Manager as a custom header. No OAuth flow is involved.

If you try to add a server that requires pre-registration and select the Auto authentication type, the initial handshake will fail because MCP Manager can't register itself with the provider automatically. If this happens, you'll need to remove the server and re-add it using the Client Pre-Registration authentication type, then follow the steps below.

Step-by-Step Example: Connecting Asana

This walkthrough uses Asana as an example, but the same general pattern applies to any server that requires OAuth pre-registration. The provider-specific steps (where to find the developer console, how to create an app, where to paste the redirect URL) will vary, but the MCP Manager side of the process is always the same.

Before You Begin

You will need:

  • An Asana account with permission to create developer apps. You can access the developer console at https://app.asana.com/0/my-apps.
  • Access to MCP Manager with permission to add servers.

Step 1: Start Adding the Server in MCP Manager

  1. Navigate to MCP Servers in the left sidebar.
  2. Click + Add in the top-right corner.
  3. Select Remote as the server type.
  4. Enter Asana's MCP server URL: https://mcp.asana.com/v2/mcp
  5. For the authentication type, select Client Pre-Registration.

At this point, MCP Manager will display three fields:

  • Client ID — You'll fill this in after creating an app in Asana.
  • Client Secret — You'll fill this in after creating an app in Asana.
  • Redirect URL — This is displayed in a blue box in MCP Manager. You'll need to copy this value and paste it into Asana's developer console. Do not click Connect yet.

Important: Copy the Redirect URL from MCP Manager now and keep it handy. You will need it in the next few steps. This is the most commonly missed step in the process — skipping it will cause the connection to fail with a URL mismatch error.

Step 2: Create an App in Asana's Developer Console

  1. Open the Asana developer console at https://app.asana.com/0/my-apps.
  2. Click Create New App.
  3. Give the app a name (e.g., "MCP Manager").
  4. If prompted, select MCP as the app type. Asana's developer console supports both standard API apps and MCP apps — selecting MCP ensures the resulting tokens are scoped correctly for the MCP server.
  5. Under workspace access, select which Asana workspaces this app should have access to. If you choose "Specific workspaces," make sure to select at least one — leaving this blank will cause an authorization error later.
  6. Complete the app creation process.

Step 3: Copy the Client ID and Client Secret

Once your app is created, Asana's developer console will display a Client ID and a Client Secret. Copy each of these values and paste them into the corresponding fields in MCP Manager.

Note: Your Client Secret is sensitive and should never be shared or committed to source code. If you ever need to reset it, you can do so from the Asana developer console — but you'll need to update it in MCP Manager as well.

Step 4: Add the Redirect URL in Asana (Critical Step)

This is the step that most commonly causes connection failures. You must add MCP Manager's redirect URL to your Asana app settings before attempting to connect.

  1. In the Asana developer console, open your newly created app.
  2. Navigate to the OAuth tab in the app settings.
  3. Find the Redirect URL field.
  4. Paste the redirect URL you copied from MCP Manager in Step 1.
  5. Save the changes.

Where to find the Redirect URL in MCP Manager: When you select "Client Pre-Registration" as the authentication type, a blue box appears below the Client ID and Client Secret fields. The redirect URL is displayed inside this box. Copy the full URL exactly — including the protocol (https://) and any path segments. Do not add extra spaces or characters.

Step 5: Connect

  1. Go back to MCP Manager.
  2. Confirm that the Client ID, Client Secret, and server URL are filled in.
  3. Click Save.
  4. MCP Manager will initiate the OAuth handshake. You may be redirected to Asana's authorization page to approve access.
  5. Once approved, MCP Manager completes the connection and discovers the server's available tools.

Your Asana MCP server is now connected. You can assign it to a gateway and start using its tools from your AI client.

The General Pattern

The Asana walkthrough above illustrates a pattern that applies to every MCP server requiring OAuth pre-registration. Regardless of the provider, the process follows the same five steps:

  1. Start in MCP Manager — Add the remote server, select "Client Pre-Registration" as the auth type, and copy the redirect URL from the blue box.
  2. Go to the provider's developer console — Create a new app or integration in the third-party service.
  3. Copy the Client ID and Client Secret — Paste them into MCP Manager.
  4. Add the redirect URL to the provider — Paste MCP Manager's redirect URL into the provider's OAuth settings. This step is required before connecting.
  5. Connect in MCP Manager — Save and authorize. MCP Manager handles token exchange and refresh from here.

The specifics of where to find the developer console, how to create an app, and where to paste the redirect URL vary by provider. But the MCP Manager side of the flow is always the same.

Troubleshooting

"The request does not match the URL for the application"

This error means the redirect URL configured in the provider's developer console does not match what MCP Manager is sending. To fix it:

  • Go back to the provider's developer console and check the redirect URL in the app's OAuth settings.
  • Compare it to the redirect URL shown in MCP Manager's blue box. They must match exactly.
  • Check for common mistakes: extra spaces, missing https://, trailing slashes, or truncated URLs from incomplete copy-paste.
  • Save any changes in the provider's developer console and try connecting again in MCP Manager.

Initial handshake fails when using "Auto" authentication

If you added the server with the Auto authentication type and the connection failed immediately, the server likely requires pre-registration. Remove the server in MCP Manager, re-add it, and select Client Pre-Registration as the authentication type this time. Then follow the steps in this article.

Connection fails but the redirect URL looks correct

If you've verified the redirect URL and the connection still fails:

  • Make sure you saved the changes in the provider's developer console after adding the redirect URL. Some consoles require you to explicitly click a save button.
  • Verify that the Client ID and Client Secret are for the correct app. If you've created multiple apps in the developer console, make sure you're using the credentials from the one that has the MCP Manager redirect URL configured.
  • Try creating a fresh app in the developer console with a new Client ID and Client Secret, and repeat the process from the beginning.

Appendix: Popular MCP Servers That Use OAuth Pre-Registration

The following MCP servers in the MCP Manager server database use OAuth with client pre-registration. For each of these, you'll follow the general pattern described in this article — create an app in the provider's developer console, copy the Client ID and Client Secret into MCP Manager, and paste MCP Manager's redirect URL into the provider's OAuth settings.

Detailed provider-specific instructions are included below.

HubSpot

MCP Server URL: https://mcp.hubspot.com/
Developer docs: Integrate with the Remote HubSpot MCP Server

HubSpot uses a dedicated "MCP Auth Apps" section in their developer platform — this is separate from standard HubSpot public/private app creation.

  1. In your HubSpot account, navigate to Development in the left sidebar.
  2. In the sidebar menu, click MCP Auth Apps.
  3. Click Create MCP auth app in the upper right.
  4. Enter an app name (e.g., "MCP Manager") and an optional description.
  5. In the Redirect URL field, paste the redirect URL from MCP Manager. If you need multiple redirect URLs, the first one will be used as the default.
  6. Optionally upload an icon for your app.
  7. Click Create. You'll be redirected to the app's details page.
  8. On the details page, copy the Client ID and Client Secret and paste both into MCP Manager.

Additional notes:

  • HubSpot's MCP server uses OAuth 2.1 with PKCE (Proof Key for Code Exchange). MCP Manager handles PKCE automatically — no extra configuration is needed on your end.
  • You do not need to configure scopes manually. Available scopes are determined automatically based on the tools in the MCP server and the permissions each user grants when they first connect.
  • The HubSpot remote MCP server currently provides read-only access to CRM objects including contacts, companies, deals, tickets, carts, products, orders, line items, invoices, quotes, and subscriptions.
  • Keep the Client Secret secure — it grants the ability to initiate OAuth requests on behalf of your app.
  • To edit your app details after creation, click Edit info in the upper right of the app details page.

GitHub

MCP Server URL: https://api.githubcopilot.com/mcp/
Developer docs: Set up the GitHub MCP server

GitHub supports two authentication methods — OAuth and personal access token (PAT) via custom headers. If you just need quick access for yourself, the token method is simpler and doesn't require creating an OAuth app.

Option A: OAuth (Client Pre-Registration)

  1. Go to Settings → Developer settings → OAuth Apps in your GitHub account, or navigate directly to github.com/settings/developers.
  2. Click Register a new application (or New OAuth App).
  3. Fill in the required fields:
    • Application name: e.g., "MCP Manager"
    • Homepage URL: Your company's URL or MCP Manager's URL.
    • Authorization callback URL: Paste the redirect URL from MCP Manager. This must match exactly — it is the most important field for a successful connection.
  4. Click Register application.
  5. On the app details page, note your Client ID.
  6. Click Generate a new client secret. Copy the secret immediately — GitHub only shows it once.
  7. Paste both the Client ID and Client Secret into MCP Manager.

Simpler alternative — Option B: Token via custom headers. If you don't need OAuth, you can connect GitHub using a personal access token instead. No Client ID or Client Secret is required. Generate a PAT from Settings → Developer settings → Personal access tokens → Tokens (classic). Then add the GitHub MCP server in MCP Manager using the Headers authentication type with the header name Authorization and value Bearer your-token-here.

Atlassian (Jira, Confluence, Compass)

MCP Server URL: https://mcp.atlassian.com/v1/mcp
Admin guide: Control Atlassian Rovo MCP server settings

Atlassian is a special case. It supports standard OAuth with dynamic client registration, so you do not need to provide a Client ID or Client Secret in MCP Manager. However, Atlassian blocks unrecognized MCP clients by default. An organization admin must allowlist MCP Manager's domain before anyone in your org can connect.

Before adding the Atlassian MCP server in MCP Manager:

  1. Have an Atlassian organization admin log in to admin.atlassian.com.
  2. Navigate to Security → AI Settings/Rovo Settings → Rovo MCP server settings (the exact path may vary by Atlassian plan).

  3. In the client domain allowlist, add MCP Manager's domain. The domain to add is the hostname from MCP Manager's redirect URL (visible when you start adding the server in MCP Manager):

    https://app.mcpmanager.ai/**
  4. Save the allowlist changes.

Then, in MCP Manager:

  1. Add the Atlassian MCP server as a Remote server.
  2. For authentication type, select Auto. No Client ID or Client Secret is needed.
  3. MCP Manager will handle the OAuth flow automatically — you'll be redirected to Atlassian's authorization page to approve access.

Note: If you skip the allowlist step, the OAuth handshake will fail because Atlassian rejects connections from unrecognized MCP client domains. This is an admin-level setting — individual users cannot configure it themselves. If you're not an Atlassian admin, you'll need to request that your admin complete this step before you can connect.

ServiceNow

MCP Server URL: https://<your-instance>.service-now.com/sncapps/mcp-server/mcp/<server-name>
Developer docs: Connect an MCP server to a client – ServiceNow Docs

ServiceNow uses OAuth configured through the platform's Application Registry. You'll need admin access to your ServiceNow instance to create the OAuth application.

  1. In your ServiceNow instance, navigate to System OAuth → Application Registry.
  2. Click New and select Create an OAuth API endpoint for external clients.
  3. Fill in the required fields:
    • Name: e.g., "MCP Manager"
    • Client type: Confidential (leave "Public Client" unchecked)
    • Redirect URL: Paste the redirect URL from MCP Manager
  4. Save the record. ServiceNow will generate a Client ID and Client Secret.
  5. Copy both values into MCP Manager.

Additional notes:

  • Replace <your-instance> in the URL with your actual ServiceNow instance name (e.g., mycompany) and <server-name> with the MCP server name defined in your MCP Server Console.
  • MCP server functionality requires the Zurich release (Patch 4 or later) and a Now Assist SKU.
  • Ensure these OAuth plugins are activated on your instance: com.snc.platform.security.oauth, com.glide.rest, com.glide.auth.scope, and com.glide.rest.auth.scope.
  • ServiceNow currently supports OAuth 2.0 — full OAuth 2.1 support is on their roadmap.
  • The MCP Server Console exposes Now Assist Skills as tools. Custom scripts and flows cannot be exposed directly, but can be wrapped inside a Skill and then exposed via MCP.
  • The token endpoint for your instance is: https://<your-instance>.service-now.com/oauth_token.do

Snowflake

MCP Server URL: https://<account_url>/api/v2/databases/<database>/schemas/<schema>/mcp-servers/<name>
Developer docs: Snowflake-managed MCP server – Snowflake Docs

Snowflake doesn't have a web-based developer console for creating OAuth apps. Instead, you create an OAuth security integration using SQL commands in a Snowflake worksheet. This requires the ACCOUNTADMIN role or the CREATE INTEGRATION privilege.

  1. In a Snowflake SQL worksheet, run the following command to create an OAuth security integration. Replace the redirect URI with the redirect URL you copied from MCP Manager:

    CREATE SECURITY INTEGRATION mcp_manager_integration
  TYPE = OAUTH
  OAUTH_CLIENT = CUSTOM
  ENABLED = TRUE
  OAUTH_CLIENT_TYPE = 'CONFIDENTIAL'
  OAUTH_REDIRECT_URI = '<redirect_url_from_mcp_manager>'
  OAUTH_ISSUE_REFRESH_TOKENS = TRUE
  OAUTH_REFRESH_TOKEN_VALIDITY = 86400;

  2. Retrieve the Client ID by describing the integration (note: the integration name must be in uppercase):

    DESCRIBE SECURITY INTEGRATION MCP_MANAGER_INTEGRATION;

    Look for the OAUTH_CLIENT_ID value in the results table.

  3. Retrieve the Client Secret:

    SELECT SYSTEM$SHOW_OAUTH_CLIENT_SECRETS('MCP_MANAGER_INTEGRATION');

    This returns a JSON object containing the OAUTH_CLIENT_SECRET. Store this value securely.

  4. Copy both the Client ID and Client Secret into MCP Manager.

Additional notes:

  • Snowflake does not support dynamic client registration — pre-registration via the security integration is required.
  • Replace the placeholders in the MCP Server URL with your actual Snowflake account URL, database, schema, and MCP server name. Use hyphens (not underscores) in hostnames — MCP connection protocols often fail if the hostname contains underscores.
  • The MCP server object must be created separately in Snowflake using CREATE MCP SERVER with the appropriate tool configuration (Cortex Analyst, Cortex Search, SQL execution, etc.). See the Snowflake MCP documentation for the full server setup process.
  • Snowflake recommends OAuth over programmatic access tokens (PATs) for production use due to token leakage risks.
  • RBAC applies: the role associated with the OAuth token determines which MCP tools and data the user can access. Access to the MCP server does not automatically grant access to the tools — permissions must be granted for each tool separately.

New Relic

MCP Server URL: https://mcp.newrelic.com/mcp/
Developer docs: New Relic MCP Setup

New Relic supports both OAuth and API key authentication. For most use cases, the API key approach via custom headers is the fastest way to connect — and it doesn't require creating an OAuth app.

Option A: API Key via custom headers (recommended for simplicity)

  1. In New Relic, go to your API keys page and create or locate a User API key (these begin with NRAK-).
  2. In MCP Manager, add the server using the Headers authentication type.
  3. Set the header name to Api-Key and the value to your New Relic API key.

Option B: OAuth (Client Pre-Registration)

For OAuth, follow the pre-registration flow using New Relic's developer settings to create an OAuth application and obtain a Client ID and Client Secret. See the New Relic MCP setup documentation for OAuth-specific instructions.

Additional notes:

Salesforce Hosted

MCP Server URL: https://api.salesforce.com/platform/mcp/v1-beta.2/sandbox/<server-name>
Developer docs: Configure Your MCP Client – Salesforce MCP Hosted Wiki

Salesforce requires you to create a Connected App in Salesforce Setup. Salesforce uses different terminology than most providers — what they call Consumer Key is your Client ID, and Consumer Secret is your Client Secret.

  1. In Salesforce, go to Setup → App Manager.
  2. Click New Connected App.
  3. Fill in the basic information (app name, contact email).
  4. Under API (Enable OAuth Settings), check Enable OAuth Settings.
  5. In the Callback URL field, paste the redirect URL from MCP Manager.
  6. Select the appropriate OAuth scopes for your use case (e.g., "Manage user data via APIs", "Access unique user identifiers").
  7. Save the Connected App. It may take a few minutes to propagate.
  8. Once created, navigate to the app's details. Copy the Consumer Key (Client ID) and click to reveal and copy the Consumer Secret (Client Secret).
  9. Paste both values into MCP Manager's Client ID and Client Secret fields.

Additional notes:

  • The hosted MCP server is currently in beta and works in sandbox and developer orgs.
  • Replace <server-name> in the URL with your specific MCP server name.
  • There are known client compatibility issues: some fully MCP-spec-compliant clients may encounter errors during initialization (the server does not yet handle all capabilities negotiation features, such as elicitation). This is a known limitation of the beta.
  • If the Connected App takes several minutes to become available after creation, this is normal Salesforce propagation behavior.

 

Comments

0 comments

Please sign in to leave a comment.

Powered by Zendesk