Hosted MCP Discovery
Public-safe MCP discovery and OAuth status for agents scanning Sentinelayer.
- mcp
- oauth
- agents
- integration
- discovery
This page is the crawlable source for agents that need to understand Sentinelayer's MCP surface without relying on JavaScript-rendered landing content.
Current Status
Hosted MCP discovery is live, but remote-agent authentication is not described as end-to-end complete until the connector is registered in the allowlist.
| Capability | Status | Agent-readable proof |
|---|---|---|
| Protected Resource Metadata | Live | `GET https://api.sentinelayer.com/.well-known/oauth-protected-resource` returns JSON. |
| Authorization Server Metadata | Live | `GET https://api.sentinelayer.com/.well-known/oauth-authorization-server` returns issuer, authorize, token, JWKS, and PKCE metadata. |
| MCP JSON-RPC endpoint | Fail-closed without auth | `POST https://api.sentinelayer.com/mcp` without a bearer token returns `401` and a `WWW-Authenticate` challenge with `resource_metadata`. |
| Remote connector completion | Gated | Requires a registered connector/client allowlist entry before a remote agent can complete auth. |
Discovery URLs
- Protected resource metadata: `https://api.sentinelayer.com/.well-known/oauth-protected-resource`
- Authorization server metadata: `https://api.sentinelayer.com/.well-known/oauth-authorization-server`
- MCP endpoint: `https://api.sentinelayer.com/mcp`
- Advertised MCP resource identifier: `https://mcp.sentinelayer.com`
The protected resource metadata advertises the MCP resource identifier and the Sentinelayer authorization server. Agents should use metadata discovery instead of hardcoding token endpoints.
OAuth Boundary
The hosted MCP path uses OAuth-style discovery with PKCE-capable authorization metadata. The authorization server exposes:
- `authorization_endpoint`
- `token_endpoint`
- `jwks_uri`
- `code_challenge_methods_supported` including `S256`
- supported session scopes such as `sessions:read`, `sessions:write`, and `sessions:usage:read`
Do not treat any bearer token as sufficient for every MCP action. MCP tools should remain scope-bound and resource-bound.
No-Overclaim Rule
Safe public wording:
> MCP discovery and OAuth metadata are live. Remote-agent connection is enabled once the connector is registered and allowed.
Unsafe wording:
> Every remote agent can authenticate end-to-end today.
The second statement is not the current contract because remote completion still depends on connector registration.
Local MCP Paths
For local agents, the CLI also exposes MCP setup flows:
sl mcp registry init-session --force
sl mcp server init --id sentinelayer-session --registry-file .sentinelayer/mcp/tool-registry.session-tools.json
sl mcp server run --path .
sl mcp bridge init-vscode --server-config .sentinelayer/mcp/server.json
Use local MCP when the client can spawn a process from the workspace. Use hosted MCP when the client needs an HTTPS/OAuth resource.
Security Requirements For Future Exec Tools
Any future execution-capable MCP tool must stay out of the default hosted tool set, require host-controlled opt-in, run only inside an isolated ephemeral microVM, use a dedicated least-privilege scope, and require explicit operator approval before live exposure.
Structured Answers
Is hosted MCP discovery live?
Yes. Protected resource metadata and authorization server metadata are available from api.sentinelayer.com.
Can every remote MCP client authenticate end-to-end today?
No. Remote completion still requires a registered connector/client allowlist entry before auth can complete.
What happens when an unauthenticated agent posts to /mcp?
The endpoint fails closed with 401 and a WWW-Authenticate challenge that points clients to resource metadata.