Connect Universal API MCP Servers to Claude as Custom Connectors — OAuth Is Here
As of today, every MCP server hosted on Universal API works as a Claude custom connector — on Claude.ai, the Claude desktop app, and Claude Code. No API keys to copy. No client IDs or secrets. Just paste the server URL, sign in, and approve.
Under the hood, we shipped a complete OAuth 2.1 authorization server implementing the MCP authorization spec: RFC 9728 protected resource metadata, RFC 8414 authorization server metadata, RFC 7591 Dynamic Client Registration, and PKCE (S256) on every flow.
Connecting from Claude.ai
Open Settings → Connectors → Add custom connector
Enter a name and your MCP server URL, for example:
https://mcp.api.universalapi.co/mcp/s/snowtimber/universalapi-full
Leave OAuth Client ID and Client Secret blank — Claude registers itself automatically via Dynamic Client Registration.
Claude opens the Universal API consent page. Sign in with your account, review the permissions, and click Approve.
Done. Claude now has an access token scoped to your account and can call the server's tools.
The same flow works in Claude Code:
claude mcp add --transport http universalapi https://mcp.api.universalapi.co/mcp/s/snowtimber/universalapi-full
Claude Code detects the 401 challenge, discovers our OAuth endpoints, and walks you through the browser sign-in.
How the flow works
Claude → POST /mcp/{server} → 401 + WWW-Authenticate: resource_metadata=...
Claude → GET /.well-known/oauth-protected-resource → points to our authorization server
Claude → GET /.well-known/oauth-authorization-server → endpoint discovery (RFC 8414)
Claude → POST /oauth/register → Dynamic Client Registration (RFC 7591)
Claude → GET /oauth/authorize + PKCE → redirects you to the consent page
You → Sign in & approve → authorization code issued
Claude → POST /oauth/token → access token (a standard UAPI bearer token)
Claude → POST /mcp/{server} → 200 ✅
The token Claude receives is a regular uapi_ut_* access token under the hood — the same token type you'd create manually on the Tokens page. It appears in your token list (marked as OAuth-issued), respects credit limits, and can be revoked at any time.
Backward compatibility: what changed, what didn't
✅ Unchanged — Bearer token integrations
If your client, agent, or script sends an Authorization: Bearer uapi_ut_... header, nothing changed. This remains a fully supported, first-class connection method and is still the right choice for:
- Server-to-server integrations and CI pipelines
- Cline / Cursor / custom MCP clients where you manage your own tokens
- Agents calling MCP servers programmatically
Cognito JWTs (browser sessions), role tokens (uapi_rt_*), and all existing auth paths also work exactly as before.
⚠️ Changed — anonymous MCP access retired
Previously, requests to MCP endpoints without any auth header were allowed through on a rate-limited, IP-based anonymous tier. That behavior is now retired: unauthenticated MCP requests return 401 Unauthorized with a WWW-Authenticate header.
This change is what makes the OAuth flow possible — MCP clients use the 401 challenge to discover our authorization server. It also closes an abuse vector for unattributed traffic.
If you saw new 401 errors on June 10–11: your client was likely connecting without a token. The fix takes one minute:
- Create a token at universalapi.co/tokens (or let Claude's OAuth flow create one for you)
- Add the header:
Authorization: Bearer uapi_ut_...
That's it — your integration is back, and now properly attributed to your account with its own usage logs and credit tracking.
Which connection method should you use?
| Client | Recommended method |
|---|---|
| Claude.ai / Claude desktop | Custom connector (OAuth) — paste the URL, sign in |
| Claude Code | OAuth via claude mcp add — automatic discovery |
| Cline / Cursor | Bearer token in the Authorization header |
| Strands agents on UAPI | Bearer token (auto-injected at runtime) |
| Scripts / curl / CI | Bearer token |
Both methods produce the same underlying token, hit the same endpoints, and bill the same way. OAuth is simply the better UX for interactive clients; bearer tokens are better for automation.
Try it now
Pick any public server from the MCP server marketplace — web search, Google Suite, SerpAPI, document analysis, and more — and add it to Claude as a custom connector. Full details in the authentication docs.
Questions or hit a snag during the migration? Reach out — we're happy to help you switch over.