OAuth is Toqan’s unified authentication system for Custom Tools and MCPs. It replaces shared API keys with individual, user-level authentication, meaning each user connects with their own credentials, permissions are enforced by the source platform, and every action is tied to a specific user.
How it works
When a user authenticates via OAuth:
- They’re redirected to the platform’s login page
- They log in with their own credentials
- The platform redirects back to Toqan with a user-specific token
- That token is stored securely and used for all future tool calls
The platform remains the source of truth: users can only do what they’re already permitted to do on that platform, and Toqan doesn’t grant any additional access.
Central vs. individual connectors
You can attach an OAuth connector directly to a single tool, but the recommended approach is Central OAuth Connectors.
Central connectors are created once and reused across multiple tools and MCPs. When you update a central connector, the change cascades to everything using it. Workspace admins can create them once and make them available company-wide, so users get a 2-click setup without needing to understand the underlying configuration.
Use individual connectors only when a tool has a unique authentication requirement not shared with anything else.
Supported platforms
Toqan supports standard OAuth 2.0 / OIDC, which covers most major platforms:
- Google services (BigQuery, Drive, Sheets, etc.)
- Salesforce
- Microsoft 365
- GitHub
- Any platform with standard OAuth 2.0 support
Creating a central OAuth connector
Go to Connections > OAuth Connectors and click Create.
Choose your starting point
From a template, select a pre-configured template for popular services (Salesforce, Google, GitHub, etc.). Endpoints and scopes are pre-filled.
From scratch, manually configure all OAuth settings. Use this for custom or less common platforms.
From a discovery URL, if connecting an OAuth 2.0 MCP, paste the discovery URL (format: https://example.com/.well-known/oauth-authorization-server) and click Check to auto-fill all settings. Fastest option for MCP-based integrations.
Basic information
- Name, something descriptive, e.g. “Salesforce Production” or “Google Workspace”
- Description, optional context about what this connector is for
- Access, set to Public to make it available company-wide, or Private to restrict to workspace admins only. Public connectors can only be created by workspace admins.
OAuth configuration
| Field | Required | Description |
|---|---|---|
| Authorization Endpoint | Yes | URL where users are sent to authenticate |
| Token Endpoint | Yes | URL where Toqan exchanges auth codes for tokens |
| Revocation Endpoint | No | URL for revoking tokens |
| Issuer | No | Base authorization server URL |
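As an added example (not Toqan’s own code), the following Python shows how a discovery document from a `.well-known/oauth-authorization-server` URL maps onto the fields in this table and onto the advanced settings described below, and why the issuer it advertises should be checked against the URL it was fetched from before the settings are trusted. The metadata document and the `example.com` host are constructed placeholders.

```python
import json
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/oauth-authorization-server"

# Constructed RFC 8414 metadata, as a server would publish it at
# https://example.com/.well-known/oauth-authorization-server (placeholder host).
SAMPLE_METADATA = json.dumps({
    "issuer": "https://example.com",
    "authorization_endpoint": "https://example.com/oauth/authorize",
    "token_endpoint": "https://example.com/oauth/token",
    "revocation_endpoint": "https://example.com/oauth/revoke",
    "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
    "grant_types_supported": ["authorization_code", "refresh_token", "implicit"],
    "code_challenge_methods_supported": ["plain", "S256"],
})

def expected_issuer(discovery_url: str) -> str:
    """The issuer a discovery URL must advertise: the URL with the well-known
    suffix removed (RFC 8414, section 3.3)."""
    if not discovery_url.endswith(WELL_KNOWN):
        raise ValueError(f"not an oauth-authorization-server discovery URL: {discovery_url!r}")
    return discovery_url[: -len(WELL_KNOWN)].rstrip("/")

def connector_settings(discovery_url: str, metadata_json: str) -> dict:
    """Fill the connector fields from the metadata. Rejects a document whose
    issuer does not match where it was fetched from, or whose endpoints are
    not https, so a mis-hosted or tampered document cannot redirect tokens."""
    meta = json.loads(metadata_json)
    issuer = meta.get("issuer", "").rstrip("/")
    if issuer != expected_issuer(discovery_url):
        raise ValueError(f"issuer mismatch: {issuer!r} served from {discovery_url!r}")
    for field in ("authorization_endpoint", "token_endpoint", "revocation_endpoint"):
        url = meta.get(field)
        if url is not None and urlparse(url).scheme != "https":
            raise ValueError(f"{field} must be https: {url!r}")
    auth_methods = meta.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    challenge = meta.get("code_challenge_methods_supported", [])
    return {
        "authorization_endpoint": meta["authorization_endpoint"],  # required
        "token_endpoint": meta["token_endpoint"],                  # required
        "revocation_endpoint": meta.get("revocation_endpoint"),    # optional
        "issuer": issuer,                                          # optional
        # Advanced settings: prefer client_secret_basic and S256 when offered, and
        # keep only the grant types the connector uses (authorization_code, refresh_token).
        "token_endpoint_auth_method": ("client_secret_basic" if "client_secret_basic" in auth_methods
                                       else auth_methods[0]),
        "grant_types": [g for g in meta.get("grant_types_supported", ["authorization_code"])
                        if g in ("authorization_code", "refresh_token")],
        "code_challenge_method": "S256" if "S256" in challenge else (challenge[0] if challenge else None),
    }
```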
Allowed domains
Allowed domains control which API endpoints are permitted to use this connector. This is a security boundary: if an endpoint isn’t covered, calls will fail.
Use wildcards to keep configuration flexible:
| Pattern | What it matches |
|---|---|
| https://*.databricks.com/* | All Databricks subdomains and paths |
| https://api.platform.com/* | All paths under a single domain |
| https://api.platform.com/v1/* | Only v1 API paths |
For multi-tenant platforms like Databricks or Salesforce, use https://*.platform.com/*. Be specific enough for security, but not so restrictive that legitimate calls fail.
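The following Python is an added example, not Toqan’s implementation, of how a matcher for these patterns can be written so that the allowed-domain list stays a real boundary: the scheme is literal, `*.` in the host matches whole subdomain labels only, and the decision is made on the parsed hostname and path rather than on the raw string. The pattern semantics are assumptions for the example; the configuration and URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed connector configuration using the patterns from the table above.
ALLOWED_DOMAINS = [
    "https://*.databricks.com/*",
    "https://api.platform.com/v1/*",
]

def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate one allowed-domain pattern into an anchored regex. Assumed
    semantics: the scheme is literal, a leading '*.' in the host matches one
    or more whole DNS labels, and '*' in the path matches any remainder."""
    parts = urlsplit(pattern)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"pattern must be an absolute https URL: {pattern!r}")
    host = re.escape(parts.netloc.lower())
    host = host.replace(r"\*\.", r"(?:[a-z0-9-]+\.)+", 1).replace(r"\*", r"[a-z0-9-]*")
    path = re.escape(parts.path or "/").replace(r"\*", r".*")
    return re.compile(rf"^https://{host}{path}$")

def endpoint_allowed(url: str, allowed: list[str]) -> bool:
    """Decide whether a tool call to `url` may use this connector. The check
    runs on the parsed hostname and path, so a URL such as
    https://api.platform.com@other.example/ is judged by its real host and a
    look-alike such as api.platform.com.other.example never matches.
    Port and query string are ignored in this simplified matcher."""
    u = urlsplit(url)
    if u.scheme != "https" or not u.hostname:
        return False
    canonical = f"https://{u.hostname}{u.path or '/'}"
    return any(pattern_to_regex(p).match(canonical) for p in allowed)
```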
Redirect URI
Toqan generates a redirect URI for your connector:
https://work.toqan.ai/callback/oauth
You must copy this and add it to your OAuth app’s settings in the platform. Without this step, authentication will fail. Look for “Redirect URIs” or “Callback URLs” in the platform’s developer or admin settings.
Client credentials
Unless you’re using Dynamic Client Registration (DCR), you’ll need to provide:
- Client ID, the unique identifier for your OAuth app in the platform
- Client Secret, the secret key. Keep this secure; never share it publicly.
Find these in your platform’s developer console, admin panel, or API credentials section.
Advanced settings
These are optional and platform-dependent:
- Scopes, permissions to request (e.g. read:user, write:data). Refer to your platform’s OAuth docs.
- Token endpoint auth method, typically client_secret_basic or client_secret_post
- Grant types, typically authorization_code, refresh_token
- Code challenge methods, for PKCE: S256 or plain
Save and test
Click Create, then test the connector by adding it to a tool and running through the authentication flow. If it fails, check the troubleshooting section below.
Adding a connector to a tool or MCP
- Open Create or Edit on a Custom Tool or MCP
- In the Authentication section, select your OAuth connector from the dropdown
- Save
Users will then be prompted to authenticate the first time they use the tool.
Troubleshooting
“Endpoint not allowed”
The API endpoint being called isn’t covered by the connector’s allowed domains. Add the domain or expand your wildcard pattern. For example, for https://abc123.databricks.com/api/v1/query, add https://*.databricks.com/*.
“Redirect URI mismatch”
The redirect URI in Toqan doesn’t match what’s registered in the platform. Copy https://work.toqan.ai/callback/oauth exactly and add it to the platform’s OAuth app settings.
“Invalid client”
The Client ID or Client Secret is wrong. Edit the connector, verify both values against what’s in the platform, and regenerate credentials if needed.