Experimental MCP identity tools

AI-safe login links for sites you own.

MagicAuth MCP gives an authenticated user a small AI-facing tool surface: list owned apps, prepare site verification, and create short-lived one-time self-login links. The API stays on api.magicauth.app.

Get a dashboard token View contract

POST https://api.magicauth.app/mcp/execute Authorization: Bearer YOUR_MCP_TOKEN Content-Type: application/json { "tool": "create_self_login_link", "parameters": { "app_id": 123, "redirect_url": "https://yourdomain.com/dashboard" } }

What it can do

Create a one-time login link for the currently authenticated MagicAuth user. The link is scoped to one owned MagicAuth app and one allowed domain.

What it cannot do

It cannot silently log arbitrary people into arbitrary sites. Third-party invite automation needs verified-domain invite permissions before it should exist.

Why this shape

AI agents can help users get into their own tools quickly while MagicAuth keeps one-time-token, redirect, and domain ownership boundaries intact.

Endpoints

POST /mcp/token issues a scoped 30-day MCP bearer token for the signed-in dashboard user.
GET /mcp/tools or POST /mcp/tools lists available tools.
GET /mcp/context returns user and owned-app context without app secrets.
POST /mcp/execute runs list_apps, prepare_site_registration, create_self_login_link, or revoke_mcp_tokens.

Site verification

The registration helper returns DNS TXT, uploaded-file, and meta-tag options. A site should be verified before it can be treated as owned by a MagicAuth app.