OAuth + bearer tokens

MCP authenticates with a bearer token. Either an aly_* API key (long-lived, owner-issued) or an aly_oauth_* OAuth token (consent-issued, refreshable). Both formats are accepted on the same Authorization header.

Header

1Authorization: Bearer aly_a8d9c1...e3c72Content-Type: application/json

API key flow

1. Go to Aly → Settings → API keys.
2. Click New key, name it, pick scopes.
3. Copy the key once. It starts with aly_.
4. Put it in your MCP client config under Authorization: Bearer ....

OAuth 2.1 flow

For multi-tenant integrations where each user installs the integration into their own workspace.

1. Register the OAuth client

Use dynamic client registration, or register a static client in the dashboard. You'll receive a client_id and client_secret.

2. Send the user to consent

1GET https://aly.store/oauth/authorize2  ?response_type=code3  &client_id=<id>4  &redirect_uri=<uri>5  &scope=read:sites read:content read:orders6  &state=<random>7  &code_challenge=<pkce>8  &code_challenge_method=S256

3. Exchange the code

1curl -X POST https://aly.store/oauth/token \2  -d grant_type=authorization_code \3  -d code=<code> \4  -d redirect_uri=<uri> \5  -d client_id=<id> \6  -d client_secret=<secret> \7  -d code_verifier=<pkce-verifier>

The response body contains access_token (aly_oauth_*), refresh_token, expires_in, and the granted scope string.

4. Call MCP

Use the access token exactly as you would an API key — Authorization: Bearer aly_oauth_....

Discovery

OAuth 2.1 metadata is published in standard form:

1curl https://aly.store/.well-known/oauth-authorization-server

Token lifetime

Errors