Connecting to Onboard MCP
How to connect desktop tools, Claude, and the MCP Inspector to hosted Onboard MCP—URLs, API keys, OAuth Client ID from Integrations, and production reference.
This page is the customer-facing connection guide for hosted MCP. For production URLs and API keys, start with MCP setup. For permissions and reviews, see Security & permissions (MCP).
Quick checklist
- Base URL — Production hosted MCP lives on
https://rest.onboard.io(paths under/mcp/). Your company may use staging (for examplehttps://dev-rest.onboard.io); use whatever your Onboard team confirms. - Single “MCP URL” in the client — In most UIs, enter the SSE endpoint:
…/mcp/ssewith no trailing slash (see MCP setup). - Authentication
- Default: your Onboard API key from Settings → Integrations → API (same key class as the REST API), in the field the client labels Token, API key, or Bearer.
- OAuth (where enabled): some clients (for example Claude custom
connectors) only support OAuth, not custom headers. Your tenant must have
hosted MCP OAuth configured on the server; then you sign in with your
identity provider (for example Auth0) and the client sends an access token
as
Authorization: Bearer. Your Onboard user still needs a DRF API token for tools that call the REST API—create one under Integrations → API if tools return auth errors after OAuth succeeds.
Authentication at a glance
| Method | Typical clients | Who gets access |
|---|---|---|
| API key | Amazon Quick, Cursor, Raycast, Gemini, cURL, many desktop MCP configs | Admin sets one key; everyone on that MCP/chat surface uses it (org-wide) |
| OAuth 2.0 | Claude / Anthropic custom connectors, Claude org MCP, OpenAI Agents | Admin registers connector; each user signs in (Anthropic auth model—no shared API-key field) |
API key: paste from Integrations → API into X-Onboard-Api-Token, Bearer, or Token per client docs.
OAuth: Client ID from Integrations → API (signed in); optional Client secret in Advanced; each person completes browser login. Hosted MCP OAuth must be enabled on your tenant.
Full comparison (rotation, least privilege, Claude vs API-key clients): Security & permissions (MCP). Client matrix: MCP desktop clients.
If you are unsure which mode your environment uses, ask your Onboard admin or success contact.
MCP Inspector (local testing)
The official Model Context Protocol Inspector helps verify HTTP/SSE against a running API (for example your laptop running Django, or staging).
- Start the Onboard REST API with MCP routes enabled (or use staging).
- In Inspector, set the server URL to your SSE endpoint, for example
http://127.0.0.1:8000/mcp/sseorhttps://dev-rest.onboard.io/mcp/sse. - If your server requires an API key only, add the header or field your build of Inspector exposes (often Bearer with the API key).
- If your server exposes OAuth (401 with
WWW-Authenticateand metadata), use Inspector’s OAuth 2.0 Flow section (or equivalent).
OAuth Client ID (production)
Recommended (best practice): Sign in to Onboard as a user who can manage integrations, then open Settings → Integrations → API. Copy the OAuth Client ID (or MCP / connector Client ID—exact label may vary by release) shown on that page. That way you are authenticated as an Onboard customer and you use the value Onboard intends for your organization.
Public Client ID reference
Onboard’s production MCP connector uses this public (non-secret)
Client ID: ZveOw2SFMAdDDCfR1vLV7Cqhwy93Lu09. You may paste it into Claude
“Advanced” or MCP Inspector when the field expects a Client ID. If the value
on Integrations → API (signed in) ever differs from this, use the value from
the app—it reflects your environment and any future rotation.
OAuth 2.0 Flow fields (Inspector)
| Field | What to enter |
|---|---|
| Client ID | Prefer copying from Integrations → API while signed in to Onboard. Otherwise use the production reference ID in the callout above if it matches what you see in the app. |
| Client secret | Only if your OAuth app is confidential; leave empty for public / PKCE clients. |
| Redirect URL | Keep Inspector’s default (for example http://localhost:6274/oauth/). That exact URL must be listed under Allowed Callback URLs in your OAuth app (Auth0 or equivalent). |
| Scope | Start with openid profile email. If access tokens fail server validation, your team may need an audience / API scope aligned with the REST API—ask the engineer who configured MCP OAuth. |
Do not paste production API keys or client secrets into screenshots, support tickets, or public channels.
Claude (Desktop vs web)
- Claude Desktop — remote MCP URL + API key pattern: MCP on Claude Desktop.
- Claude web — Custom connectors — often OAuth only (Advanced: Client
ID / optional secret). Use the Client ID from Integrations → API while signed in, or the production reference on Connecting to Onboard MCP. Callback on hosted Claude:
https://claude.ai/api/mcp/auth_callbackmust be allowed in your OAuth app (see Anthropic’s connector authentication docs).
After you connect
- Confirm tools/list or the client’s tool panel shows Onboard tools.
- Run a read-only tool first (for example a list or search) before anything that creates or updates customer data.
- Follow Security checklist for production rollout.
Related
- MCP setup — canonical URLs and endpoint table
- MCP desktop clients — per-app guides
- Authentication — REST API tokens (same family as MCP API key)
- MCP overview — curriculum and positioning
How is this guide?