User Security

What OAuth 2.1 standards does the MCP connector implement?

The oakallow MCP connector at api.oakallow.io/mcp implements OAuth 2.1 BCP and the MCP Authorization Specification (2025-03-26). PKCE with S256 is required on every authorization, the implicit flow and resource-owner password grant are not accepted, refresh tokens rotate on every use, redirect URIs are exact-matched, and every authorization, token issuance, and revocation is recorded in our audit log.

The full endpoint table, scope descriptions, supported flows, token lifetimes, revocation paths, and per-claim compliance evidence are documented at oakallow.io/docs/oauth. That page is the canonical reference we share with AI-platform review teams when submitting connector listings.
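The request checks listed in the answer above (S256-only PKCE, no implicit or password grant, exact-match redirect URIs) can be sketched as follows. This is an added example, not oakallow's code; the function names, the registered URI and the request dictionaries are assumptions constructed for illustration.

```python
import base64, hashlib, hmac, re, secrets

# Constructed sample registration; not a real oakallow client.
REGISTERED = {"https://client.example/callback"}
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")  # RFC 7636 section 4.1

def s256(verifier):
    """code_challenge = BASE64URL(SHA256(code_verifier)), without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def make_pkce_pair():
    """Client side: fresh (code_verifier, code_challenge) per authorization."""
    verifier = secrets.token_urlsafe(48)  # 64 URL-safe characters
    return verifier, s256(verifier)

def check_authorization_request(params, registered=REGISTERED):
    """Server side, authorization endpoint. Returns an OAuth error code or None."""
    if params.get("redirect_uri") not in registered:
        return "invalid_request"  # exact string match; never redirect to it
    if params.get("response_type") != "code":
        return "unsupported_response_type"  # implicit flow is refused
    if params.get("code_challenge_method") != "S256":
        return "invalid_request"  # "plain" or a missing method is refused
    if not params.get("code_challenge"):
        return "invalid_request"
    return None

def check_token_request(grant_type, stored_challenge, code_verifier):
    """Server side, token endpoint, code exchange only (refresh handled elsewhere)."""
    if grant_type != "authorization_code":
        return "unsupported_grant_type"  # e.g. the password grant
    if not VERIFIER_RE.fullmatch(code_verifier or ""):
        return "invalid_grant"
    # Constant-time comparison against the challenge stored with the code.
    if not hmac.compare_digest(s256(code_verifier), stored_challenge):
        return "invalid_grant"
    return None
```

A trailing slash or changed query string on `redirect_uri` fails the set lookup, which is the practical meaning of exact matching.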
