Authentication

OAuth, bearer tokens, how credentials are stored per platform, and what to do when a token goes stale.

NotFair supports two auth methods per server: OAuth 2.0 with PKCE (recommended) and bearer tokens.

OAuth 2.0 (recommended)

Claude.ai and Codex run the OAuth flow automatically — you approve once in the browser and the client stores the token. This is the path most clients should use.

Bearer tokens

For clients that don’t support OAuth, generate a token at notfair.co/connect and send it in the Authorization header. Tokens are scoped to one platform resource and one workspace.

Upstream credentials

Behind the scenes, each platform connection stores the upstream credential NotFair needs to call that API — a refresh token, a long-lived access token, or an OAuth 1.0a token pair, depending on the platform. You never handle these directly.

If a platform token goes stale (revoked, expired, or scope changed), tools return a reconnect error pointing at the platform’s manage page. Re-authorizing there fixes it — re-adding the MCP server does not.