OAuth setup
Connect Claude Desktop, ChatGPT, Cursor, and other MCP clients to AI Connector using OAuth 2.1, Device Auth, or Application Passwords.
AI Connector supports three authentication methods. Pick the one that matches your client:
| Client | Recommended method |
|---|---|
| Claude Desktop | OAuth 2.1 |
| ChatGPT | OAuth 2.1 |
| Cursor | OAuth 2.1 |
| Custom CLI / headless agent | Device Auth |
| Older clients without OAuth support | Application Passwords |
This guide covers all three, in that order.
Option 1 — OAuth 2.1 (recommended)
OAuth is the modern, secure default. The agent never sees your WP admin password; it gets a scoped token your site can revoke at any time.
Connecting Claude Desktop
- In WP admin, go to AI Connector → Connections → Add Connection.
- Click Connect Claude Desktop.
- A browser tab opens with an authorization screen. Click Authorize.
- The browser hands the resulting token back to Claude Desktop automatically. You should see “Axtolab AI Connector” appear in Claude’s MCP server list within a few seconds.
- Open Claude Desktop and start a new chat. Type “List my recent posts” — if you get a result, the connection is working.
If the auto-handoff doesn’t fire (sometimes happens on first install), click the manual Copy connection details button and paste them into Claude Desktop’s settings under MCP servers.
Connecting ChatGPT
ChatGPT supports MCP through the desktop app or the Custom Connectors workflow.
- In WP admin, go to AI Connector → Connections → Add Connection.
- Click Connect ChatGPT and copy the connector URL it generates.
- In ChatGPT, go to Settings → Connectors → Add Custom Connector.
- Paste the URL and authorize when prompted.
Connecting Cursor
Cursor uses the same OAuth flow as Claude Desktop:
- In WP admin, go to AI Connector → Connections → Add Connection.
- Click Connect Cursor.
- Authorize in the browser. Cursor picks up the connection from its MCP config automatically.
Connecting any MCP-compatible client
For clients we don’t have a one-click button for:
- In WP admin, go to AI Connector → Connections → Add Connection → Generic MCP client.
- Copy the displayed Authorization URL, Token URL, and Client ID.
- Configure your MCP client with those three values; it walks you through the OAuth dance from there.
Option 2 — Device Auth (CLI and headless agents)
Device Auth is for clients that don’t have a browser available — CI runners, headless scripts, server-side agents.
- In WP admin, go to AI Connector → Connections → Add Connection → Device Auth.
- Run the displayed device_authorization_request command on the machine where the agent runs.
- The command prints a short user code and a verification URL.
- On any device with a browser, visit the verification URL, log in, and enter the user code.
- The agent on the original machine receives its token within seconds.
Device Auth tokens work the same as OAuth tokens — same scopes, same revocability — they just pass through a one-time human verification step instead of a redirect URL.
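The agent side of the steps above, as an added example that is not AI Connector's own code: the polling loop a headless client runs while waiting for the user to enter the code. It assumes the site's Token URL follows the RFC 8628 error semantics; the `post` callable, the client ID, and the sample replies are constructed placeholders.

```python
import time

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"  # RFC 8628

class DeviceAuthError(Exception):
    """Polling ended without a token (denied, expired, or malformed reply)."""

def poll_for_token(post, client_id, grant, sleep=time.sleep, now=time.monotonic):
    """Poll until the user approves, denies, or the device code expires.
    post:  hypothetical callable(form) -> (http_status, json_dict) for the Token URL
    grant: device authorization response (device_code, expires_in, interval)
    """
    interval = grant.get("interval", 5)  # RFC 8628 default when omitted
    deadline = now() + grant["expires_in"]
    form = {"grant_type": GRANT_TYPE, "client_id": client_id,
            "device_code": grant["device_code"]}
    while now() < deadline:
        sleep(interval)
        status, body = post(form)
        if status == 200:
            if "access_token" not in body or body.get("token_type", "").lower() != "bearer":
                raise DeviceAuthError("malformed token response")
            return body
        error = body.get("error")
        if error == "authorization_pending":
            continue  # user has not entered the code yet
        if error == "slow_down":
            interval += 5  # RFC 8628 section 3.5: back off, keep polling
            continue
        # access_denied, expired_token, unknown errors: stop, do not retry
        raise DeviceAuthError(error or f"HTTP {status}")
    raise DeviceAuthError("expired_token")

def simulate():
    """Constructed exchange: pending, slow_down, pending, then approval."""
    replies = iter([
        (400, {"error": "authorization_pending"}),
        (400, {"error": "slow_down"}),
        (400, {"error": "authorization_pending"}),
        (200, {"access_token": "EXAMPLE-TOKEN", "token_type": "Bearer", "expires_in": 3600}),
    ])
    clock, waits = [0.0], []
    def fake_sleep(seconds):
        waits.append(seconds)
        clock[0] += seconds
    grant = {"device_code": "EXAMPLE-DEVICE-CODE", "expires_in": 600, "interval": 5}
    token = poll_for_token(lambda form: next(replies), "EXAMPLE-CLIENT-ID", grant,
                           sleep=fake_sleep, now=lambda: clock[0])
    return token, waits
```

Calling `simulate()` returns the token and the list of waits between polls, which shows the interval growing after `slow_down`. A denied or expired code raises `DeviceAuthError`, so the agent stops rather than retrying.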
Option 3 — Application Passwords (fallback)
WordPress’s built-in Application Passwords feature works as a fallback for older MCP clients:
- In WP admin, go to Users → Profile → Application Passwords.
- Generate a new password named “AI Connector” (or whatever helps you remember which agent uses it).
- Configure your MCP client with your WP username and the generated password.
Application Passwords have important limitations:
- They authenticate as your WP user — full admin scope, no per-agent scoping
- They cannot be revoked individually if compromised; only at the user level
- They don’t show up in the AI Connector audit log with the same fidelity as OAuth connections
- The User Management add-on only fully covers OAuth connections
Use Application Passwords when nothing else works, then plan to migrate to OAuth.
Managing connections
The AI Connector → Connections page lists every active connection with:
- The agent name (e.g., “Claude Desktop on MacBook Pro”)
- Date connected
- Last active time
- Authentication method
- Active scope
To revoke a connection, click Revoke on its row. The agent’s token is invalidated immediately, in-flight requests are cancelled, and the audit log records the revocation.
To re-authorize after a revoke, the agent goes through the connection flow again from scratch — old tokens cannot be reused.
Token lifetimes
- OAuth access tokens expire every hour and refresh automatically using the refresh token
- OAuth refresh tokens are valid until you revoke the connection
- Device Auth tokens behave identically to OAuth tokens
- Application Passwords never expire; you must rotate them manually
Where to go next
- Security best practices — locking down OAuth in production
- Supported tools — what each connection can actually do
- Troubleshooting — when OAuth doesn’t work
- User Management add-on — for per-agent permissions and approval workflows