# Authentication

Every MCP client connects to Comind.work as a specific user. The client either signs in with that user's Comind.work credentials (OAuth, the default), or carries a long-lived API token issued for that user. Either way, the AI sees exactly what the user sees - workspace and app permissions are enforced server-side on every call.

## OAuth (default)

OAuth is the standard way to connect any AI tool to Comind.work. Your configuration only needs the server URL - on first use, the client opens a browser window where you sign in with your Comind.work credentials:

`claude_desktop_config.json` (example)

```json
{
  "mcpServers": {
    "comind": {
      "url": "https://mcp.comind.work/your-company"
    }
  }
}
```

OAuth sessions are tied to your user account, respect your permissions, and expire automatically. No secrets need to be copied into config files.

The first time a client connects, Comind.work shows a consent screen listing the access the requesting application will have. Approve to finish the connection, or deny to cancel.

![Comind.work OAuth consent screen listing the requested permissions: verify identity, access profile information, access email address, access API endpoints from AI agents](/assets/images/oauth-consent-24fed406f4dc7152bb75e2b8a9dd7b93.png)

## Manual API tokens (alternative)

As an alternative, you can authenticate with a long-lived API token issued by your administrator. This is occasionally useful for automation or for MCP clients that do not implement the OAuth flow:

`claude_desktop_config.json` (token alternative)

```json
{
  "mcpServers": {
    "comind": {
      "url": "https://mcp.comind.work/your-company",
      "headers": {
        "Authorization": "Bearer YOUR-TOKEN-HERE"
      }
    }
  }
}
```

Manual tokens do not expire automatically - rotate them periodically and revoke when no longer needed. Prefer OAuth when the client supports it.

The claude.ai web app does not accept manual tokens - every connection there goes through OAuth.
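To keep track of where long-lived tokens live so they can be rotated and revoked, a small audit of MCP client config files helps. The script below is an added example, not Comind.work code: it assumes the `mcpServers` / `url` / `headers` layout shown above, and the function names and sample configs are constructed for illustration.

```python
import json
import os
import stat
import tempfile

def audit_mcp_config(path):
    """Return (server, finding) pairs for one MCP client config file."""
    with open(path, encoding="utf-8") as fh:
        servers = json.load(fh).get("mcpServers", {})
    findings, has_token = [], False
    for name, entry in servers.items():
        url = entry.get("url")  # entries without a url are not checked for https
        if url and not url.lower().startswith("https://"):
            findings.append((name, "url is not https"))
        for header, value in (entry.get("headers") or {}).items():
            if header.lower() == "authorization" and str(value).lower().startswith("bearer "):
                has_token = True
                findings.append((name, "long-lived bearer token stored in config"))
    # A config that stores a token should be readable by its owner only (POSIX).
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if has_token and os.name == "posix" and mode & 0o077:
        findings.append(("*", f"file mode {mode:03o} lets other local users read the token"))
    return findings

def write_sample(config, mode):
    """Write a constructed sample config to a temp file and set its mode."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(config, fh)
    os.chmod(path, mode)
    return path

# Constructed samples mirroring the two configurations on this page.
OAUTH_CONFIG = {"mcpServers": {"comind": {"url": "https://mcp.comind.work/your-company"}}}
TOKEN_CONFIG = {"mcpServers": {"comind": {
    "url": "https://mcp.comind.work/your-company",
    "headers": {"Authorization": "Bearer YOUR-TOKEN-HERE"},
}}}

if __name__ == "__main__":
    for label, cfg in [("oauth", OAUTH_CONFIG), ("token", TOKEN_CONFIG)]:
        sample = write_sample(cfg, 0o644)
        print(label, audit_mcp_config(sample))
        os.remove(sample)
```

An OAuth-only config produces no findings; a token config is always reported so it can be listed for rotation, and additionally flagged when the file is readable by other local users.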

## Next steps

* [Connect Claude](/ai/connect-claude.md), [Connect ChatGPT](/ai/connect-chatgpt.md), [Connect Cursor](/ai/connect-cursor.md), or [Connect VS Code](/ai/connect-vscode.md) - per-client setup
* [Getting started with AI](/ai/getting-started-with-ai.md) - overview of MCP and what the AI can do
* [Security overview](/admin-guide/system-admin/security-overview.md) - how AI agent access fits into the platform's broader security model
