Which MCPs need OAuth
The MCP catalog badges tell you:- OAuth - this MCP uses a one-time browser auth flow
- PAT - this MCP uses a personal access token you paste once
- API key - this MCP uses an API key in env vars
Flow A - Click Connect (dynamic registration)
Works for providers that support dynamic client registration (Figma, some others):- Open the MCP catalog and pick the template
- Click Connect
- SlackHive opens the provider’s OAuth consent page
- Approve the scopes
- The browser redirects back - tokens are stored encrypted
Flow B - Paste a token
Works for providers that don’t support dynamic registration (most enterprise SaaS):- Open the MCP catalog and pick the template
- SlackHive shows a link to the provider’s token-generation page
- Open the link, create a token with the scopes the hint shows
- Paste the token into the MCP’s auth field
- Save
Flow C - Import from Claude Code CLI
If you’ve already authenticated an MCP through the Claude Code CLI, SlackHive can detect and import it:- Open the MCP catalog
- Scroll to Detected from Claude Code CLI - you’ll see a list of CLI-authenticated MCPs
- Click Add on the one you want - it imports in one click with a CLI badge
Token refresh
- macOS - SlackHive reads the Claude Code Keychain and auto-refreshes OAuth tokens when they expire. On 401 errors, it refreshes once and retries.
- Linux - reads from secret-tool (GNOME Keyring) on the same path.
- Other setups - if auto-refresh isn’t available, reconnect manually from the catalog.
When Connect fails
- “Dynamic registration rejected” - the provider doesn’t support it. Switch to Flow B (token paste).
- “Invalid scopes” - re-generate the token with the exact scopes the hint shows.
- “Redirect URI mismatch” - check that
http://localhost:3001is allowed in the provider’s app settings. - “Token expired” - reconnect from the catalog, or re-paste a fresh token.