OAuth Endpoints

email-connector implements a complete OAuth 2.0 authorization server with PKCE support.

Server Metadata

Discover all OAuth endpoints via RFC 8414.

GET /oauth/meta

Response

{
  "issuer": "https://email-connector.fly.dev",
  "authorization_endpoint": "https://email-connector.fly.dev/oauth/authorize",
  "token_endpoint": "https://email-connector.fly.dev/oauth/token",
  "revocation_endpoint": "https://email-connector.fly.dev/oauth/revoke",
  "response_types_supported": ["code"],
  "grant_types_supported": ["authorization_code"],
  "code_challenge_methods_supported": ["S256"],
  "token_endpoint_auth_methods_supported": ["client_secret_post"]
}

Authorization

Start the OAuth flow. Claude opens this in a browser popup.

GET /oauth/authorize

Query Parameters

Parameter	Required	Description
`client_id`	Yes	OAuth client ID
`redirect_uri`	Yes	Must be in the allowlist
`response_type`	Yes	Must be `code`
`code_challenge`	Yes	`BASE64URL(SHA256(code_verifier))`
`code_challenge_method`	Yes	Must be `S256`
`state`	Yes	CSRF protection token

Allowed Redirect URIs

https://claude.ai/api/mcp/auth_callback
https://claude.com/api/mcp/auth_callback
http://localhost:6274/oauth/callback
http://localhost:6274/oauth/callback/debug

Response Renders the email setup form (HTML). Error Responses

Status	Cause
400	Invalid `response_type`, missing PKCE, invalid `redirect_uri`, or missing `state`
401	Invalid `client_id`

Connect

Submit email credentials from the setup form. Not called directly by Claude.

POST /oauth/connect
Content-Type: application/x-www-form-urlencoded

Body Parameters

Parameter	Required	Description
`state`	Yes	State from the authorization request
`provider`	Yes	Email provider (`icloud`, `outlook`, `yahoo`, `fastmail`, `protonmail`, `generic`)
`address`	Yes	Email address
`password`	Yes	App-specific password
`imap_host`	No	Custom IMAP hostname (generic provider)
`imap_port`	No	Custom IMAP port
`imap_tls`	No	`true` or `false`
`smtp_host`	No	Custom SMTP hostname
`smtp_port`	No	Custom SMTP port
`smtp_secure`	No	`true` or `false`

On Success Redirects to redirect_uri?code=<auth_code>&state=<state>. On Failure Re-renders the setup form with a user-friendly error message. Credentials are validated via a live IMAP connection before any code is issued.

Token Exchange

Exchange an authorization code for an access token.

POST /oauth/token
Content-Type: application/x-www-form-urlencoded

Body Parameters

Parameter	Required	Description
`grant_type`	Yes	Must be `authorization_code`
`code`	Yes	Authorization code from callback
`client_id`	Yes	OAuth client ID
`client_secret`	Yes	OAuth client secret
`code_verifier`	Yes	PKCE code verifier (original random string)
`redirect_uri`	No	Must match the original authorization request

Success Response (200)

{
  "access_token": "64-char-hex-token",
  "token_type": "Bearer",
  "expires_in": 2592000,
  "scope": "email:read email:write"
}

Error Responses

Status	Error	Cause
400	`unsupported_grant_type`	Not `authorization_code`
400	`invalid_request`	Missing `code_verifier`
400	`invalid_grant`	Code expired, used, or PKCE mismatch
401	`invalid_client`	Wrong `client_id` or `client_secret`

Revocation

Revoke an access token.

POST /oauth/revoke
Content-Type: application/json

Body

{
  "token": "<access_token>"
}

Response (200)

{
  "revoked": true
}

Always returns 200 regardless of whether the token existed. This prevents token existence probing.

API Reference

​OAuth Endpoints

​Server Metadata

​Authorization

​Connect

​Token Exchange

​Revocation