---
title: OAuth and revocation
description: How hosted MCP authorization, consent, refresh, and revocation work.
product: platform
lifecycle: beta
appliesTo: hosted MCP OAuth
sourceArtifact: hosted-mcp@workspace-runtime-v1
owner: Agent access owner
raw: /raw/platform/oauth.md
---

The MCP client discovers Sift's authorization endpoints, opens browser consent, and receives a scoped grant. The docs origin never receives the token. Consent identifies the workspace and requested capabilities; cancel if either is unexpected.

Revoke from the client or Sift connection controls, then reload the client's tools. Logout/revocation invalidates future access but does not erase already-audited actions. Use local CLI credentials only for the local fallback and never copy them into a remote MCP JSON file.
