What it does
Every Activepieces project can act as an MCP server — a place an AI can connect to in order to run that project’s flows. When you embed Activepieces, your users log in through your app, not Activepieces. So they can’t use the normal “connect your AI” screen (it would ask them to log in to Activepieces, which they can’t). Embeddable MCP fixes that. Your user clicks one Authorize button inside your app, and your backend gets a token it can use to run that user’s automations through AI. Who does what:- Your backend runs the connect steps and keeps the token.
- Your user just clicks Authorize in a small popup inside your app.
- Activepieces checks everything and gives back a token for that one user’s project.
It’s normal OAuth. The only Activepieces-specific part is one SDK call (
authorizeMcp) that shows the Authorize popup inside your app.Quick token (no OAuth)
If you don’t need the full OAuth flow — you just want a token to point an AI at the embedded user’s project — callgenerateMcpToken() from the frontend. It uses the embed session you already configured, so there’s no app registration, no PKCE, and no popup.
- is scoped to that user’s project (the
externalProjectIdin their embed JWT), - works for 15 minutes — call
generateMcpToken()again to get a fresh one.
Use this when your app holds the MCP client and the embedded user is already signed in through the SDK. Use the OAuth flow below when a separate third-party app needs long-lived, revocable access on the user’s behalf (it returns a refresh token).
Before you start
Embedding should already work for you:- You created a signing key.
- Your backend signs a user token (JWT).
- Your frontend called
activepieces.configure({ jwtToken, instanceUrl, … }).
INSTANCE_URL is your Activepieces address (like https://app.your-company.com).
The whole idea in 6 steps
- Register your app once → you get a
client_id. - Make two random codes (a “verifier” and a “challenge”).
- Ask Activepieces to start a connection → you get an
authRequestId. - Show the Authorize popup in your app → the user clicks Authorize → you get a
code. - Trade the
codefor a token. - Use the token to run the user’s flows.
Steps
1. Register your app (only once)
This tells Activepieces who your app is. Save the You get back a
client_id — it’s the same for all users.client_id.2. Make two random codes
Make a random
codeVerifier, then turn it into a codeChallenge. Keep the verifier for step 5.3. Get an authRequestId
Call
/authorize. It doesn’t reply with data — it redirects. Don’t follow the redirect; just read the authRequestId from the redirect address.4. Show the Authorize popup
Send the
authRequestId to your frontend and pass it to the SDK. A popup shows up inside your app and the user clicks Authorize.5. Trade the code for a token
On your backend, swap the Save the
code (plus the codeVerifier from step 2) for a token.refresh_token for this user. The access_token works for 15 minutes; the refresh_token gets you new ones and can be turned off anytime.Get a new token / disconnect
Get a fresh token when the 15-minute one expires:Optional: let users manage their MCP
Add a button so users can see their connection and turn tools on or off — inside your app:Good to know
- Use the same
redirect_urieverywhere (register,/authorize,/token). If it differs, it’s rejected. authRequestIdlasts 10 minutes — make it right before the popup.- The token is only for that one user’s project — that’s how users stay separate.
- Cursor and Claude Desktop are different. Those are tools a user installs and connects themselves, so they don’t use this popup. Embeddable MCP is for the AI your app runs for the user.