@centrali-io/centrali-mcp 4.5.2 → 4.6.0

package/README.md

@@ -4,11 +4,58 @@ MCP (Model Context Protocol) server for the Centrali platform. Lets AI assistant
 
 > **Full documentation:** [docs.centrali.io](https://docs.centrali.io) — SDK guide, API reference, compute functions, orchestrations, and more.
 
-Built on `@centrali-io/centrali-sdk` v4.4.7. Authenticates via service account client credentials.
+Built on `@centrali-io/centrali-sdk`. Supports three auth methods: **OAuth client credentials** (recommended), **OAuth browser login** (Authorization Code + PKCE), and **service account** (RBAC).
 
 ## Setup
 
-Add to your MCP client configuration (e.g., Claude Desktop, Cursor):
+### Option 1: OAuth Client Credentials (recommended)
+
+Create an OAuth app in the Console under **Settings > OAuth Apps**, select the scopes you need, then configure:
+
+```json
+{
+  "mcpServers": {
+    "centrali": {
+      "command": "npx",
+      "args": ["@centrali-io/centrali-mcp"],
+      "env": {
+        "CENTRALI_URL": "https://centrali.io",
+        "CENTRALI_OAUTH_CLIENT_ID": "<oauth-client-id>",
+        "CENTRALI_OAUTH_CLIENT_SECRET": "<oauth-client-secret>",
+        "CENTRALI_WORKSPACE": "my-workspace"
+      }
+    }
+  }
+}
+```
+
+OAuth clients use **scoped access** — the MCP can only access what the client's scopes allow.
+
+### Option 2: OAuth Browser Login (Authorization Code + PKCE)
+
+For local development where you want the agent to act as **you** (not a bot). Create a **public** OAuth app (no secret needed), and the MCP will open your browser for login:
+
+```json
+{
+  "mcpServers": {
+    "centrali": {
+      "command": "npx",
+      "args": ["@centrali-io/centrali-mcp"],
+      "env": {
+        "CENTRALI_URL": "https://centrali.io",
+        "CENTRALI_OAUTH_CLIENT_ID": "<oauth-client-id>",
+        "CENTRALI_WORKSPACE": "my-workspace"
+      }
+    }
+  }
+}
+```
+
+On first use, a browser window opens for login and consent. The token carries your user identity — audit logs show **you** performed the action, not a bot.
+
+### Option 3: Service Account (RBAC)
+
+Service accounts use **RBAC permissions** via groups and roles. You must assign the service account to a group before it can access anything.
 
 ```json
 {
@@ -32,9 +79,25 @@ Add to your MCP client configuration (e.g., Claude Desktop, Cursor):
 | Variable | Required | Description |
 |----------|----------|-------------|
 | `CENTRALI_URL` | Yes | Centrali instance URL (e.g., `https://centrali.io`) |
-| `CENTRALI_CLIENT_ID` | Yes | Service account client ID |
-| `CENTRALI_CLIENT_SECRET` | Yes | Service account client secret |
 | `CENTRALI_WORKSPACE` | Yes | Workspace slug to operate in |
+| `CENTRALI_OAUTH_CLIENT_ID` | OAuth | OAuth client ID (from Settings > OAuth Apps) |
+| `CENTRALI_OAUTH_CLIENT_SECRET` | OAuth | OAuth client secret (omit for browser flow) |
+| `CENTRALI_OAUTH_SCOPE` | No | Space-separated scopes (defaults to all allowed) |
+| `CENTRALI_CLIENT_ID` | SA | Service account client ID |
+| `CENTRALI_CLIENT_SECRET` | SA | Service account client secret |
+
+Set either the `CENTRALI_OAUTH_*` pair or the `CENTRALI_CLIENT_*` pair, not both.
+
+### OAuth Scopes
+
+When using OAuth, select the scopes your MCP workflows need:
+
+| Use case | Scopes |
+|----------|--------|
+| Read-only data access | `records:read records:list structures:list` |
+| Full data management | `records:read records:write records:list structures:read structures:list` |
+| Data + compute | Above + `compute:read compute:list compute:execute` |
+| Everything | Select all scopes when creating the OAuth app |
 
 ### Service Account Permissions
 
@@ -42,16 +105,12 @@ A freshly created service account **has no permissions by default**. You must as
 
 **Quickest setup — full admin access:**
 
-1. In the Console, go to **Settings → Service Accounts**
+1. In the Console, go to **Settings > Service Accounts**
 2. Create your service account and save the client secret
 3. Open the service account, go to the **Groups** tab
 4. Add it to the **workspace_administrators** group
 
-This gives the MCP server full access to all workspace resources.
-
-**Least-privilege setup — custom permissions:**
-
-If you only want the MCP to manage specific resources (e.g., collections and records but not billing), create a custom group with a policy scoped to the resources you need, then add the service account to that group. See the [Policies and Permissions guide](https://docs.centrali.io/authentication/policies-and-permissions/) for details.
+**Least-privilege setup:** Create a custom group with a policy scoped to the resources you need. See the [Policies and Permissions guide](https://docs.centrali.io/authentication/policies-and-permissions/) for details.
 
 ## Getting Started
 

package/dist/index.js

@@ -13,6 +13,9 @@ Object.defineProperty(exports, "__esModule", { value: true });
 const mcp_js_1 = require("@modelcontextprotocol/sdk/server/mcp.js");
 const stdio_js_1 = require("@modelcontextprotocol/sdk/server/stdio.js");
 const centrali_sdk_1 = require("@centrali-io/centrali-sdk");
+const node_http_1 = require("node:http");
+const node_crypto_1 = require("node:crypto");
+const node_child_process_1 = require("node:child_process");
 const structures_js_1 = require("./tools/structures.js");
 const records_js_1 = require("./tools/records.js");
 const search_js_1 = require("./tools/search.js");
@@ -34,18 +37,219 @@ function getRequiredEnv(name) {
     }
     return value;
 }
+/**
+ * Detect auth mode from environment variables.
+ *
+ * Browser mode: Set CENTRALI_OAUTH_CLIENT_ID (no secret)
+ *   → Opens browser for Authorization Code + PKCE flow
+ *
+ * OAuth client_credentials mode: Set CENTRALI_OAUTH_CLIENT_ID + CENTRALI_OAUTH_CLIENT_SECRET
+ *   → Uses POST /oauth/token with scoped access
+ *
+ * Service account mode: Set CENTRALI_CLIENT_ID + CENTRALI_CLIENT_SECRET
+ *   → Uses OIDC client_credentials with RBAC (roles, groups, policies)
+ */
+function detectAuthMode() {
+    const oauthClientId = process.env.CENTRALI_OAUTH_CLIENT_ID;
+    const oauthClientSecret = process.env.CENTRALI_OAUTH_CLIENT_SECRET;
+    if (oauthClientId && !oauthClientSecret) {
+        return "browser";
+    }
+    if (oauthClientId && oauthClientSecret) {
+        return "oauth";
+    }
+    if (process.env.CENTRALI_CLIENT_ID && process.env.CENTRALI_CLIENT_SECRET) {
+        return "service-account";
+    }
+    console.error("Missing auth credentials. Set one of:\n" +
+        "  CENTRALI_OAUTH_CLIENT_ID (browser OAuth — Authorization Code + PKCE)\n" +
+        "  CENTRALI_OAUTH_CLIENT_ID + CENTRALI_OAUTH_CLIENT_SECRET (OAuth client_credentials)\n" +
+        "  CENTRALI_CLIENT_ID + CENTRALI_CLIENT_SECRET (service account — RBAC permissions)");
+    process.exit(1);
+}
+/** Derive the IAM auth URL from the base URL. */
+function deriveAuthUrl(baseUrl) {
+    // Direct localhost port (e.g., http://localhost:7060) — already pointing at IAM
+    if (/localhost:\d+/.test(baseUrl)) {
+        return baseUrl.replace(/\/data$/, "").replace(/\/iam$/, "");
+    }
+    // Traefik or production — prepend auth. subdomain
+    // centrali.localhost → auth.centrali.localhost
+    // centrali.io → auth.centrali.io
+    return baseUrl.replace(/^(https?:\/\/)/, "$1auth.");
+}
+/** Open a URL in the default browser (safe — no shell interpolation). */
+function openBrowser(url) {
+    const cmd = process.platform === "darwin" ? "open"
+        : process.platform === "win32" ? "cmd" : "xdg-open";
+    const args = process.platform === "win32" ? ["/c", "start", "", url] : [url];
+    (0, node_child_process_1.execFile)(cmd, args, (err) => {
+        if (err)
+            console.error(`[centrali-mcp] Could not open browser: ${err.message}`);
+    });
+}
+/** Create a token fetcher for OAuth client_credentials flow. */
+function createClientCredentialsFetcher(baseUrl, clientId, clientSecret, scope) {
+    const tokenEndpoint = `${deriveAuthUrl(baseUrl)}/oauth/token`;
+    let cachedToken = null;
+    let expiresAt = 0;
+    return () => __awaiter(this, void 0, void 0, function* () {
+        if (cachedToken && Date.now() < expiresAt - 60000)
+            return cachedToken;
+        const params = new URLSearchParams({ grant_type: "client_credentials", client_id: clientId, client_secret: clientSecret });
+        if (scope)
+            params.set("scope", scope);
+        const resp = yield fetch(tokenEndpoint, { method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded" }, body: params.toString() });
+        if (!resp.ok) {
+            const error = yield resp.json().catch(() => ({}));
+            throw new Error(`OAuth token request failed: ${error.error_description || resp.statusText}`);
+        }
+        const data = yield resp.json();
+        cachedToken = data.access_token;
+        expiresAt = Date.now() + data.expires_in * 1000;
+        return cachedToken;
+    });
+}
+/**
+ * Perform Authorization Code + PKCE flow via a local HTTP callback server.
+ *
+ * 1. Start a temporary HTTP server on a random port
+ * 2. Open the browser to /oauth/authorize with PKCE challenge
+ * 3. Receive the callback with the authorization code
+ * 4. Exchange the code for tokens
+ * 5. Return a getToken function that auto-refreshes via refresh_token
+ */
+function browserAuthFlow(baseUrl, clientId, scope) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const authUrl = deriveAuthUrl(baseUrl);
+        const tokenEndpoint = `${authUrl}/oauth/token`;
+        const codeVerifier = (0, node_crypto_1.randomBytes)(32).toString("base64url");
+        const codeChallenge = (0, node_crypto_1.createHash)("sha256").update(codeVerifier).digest("base64url");
+        const state = (0, node_crypto_1.randomBytes)(16).toString("hex");
+        let accessToken = null;
+        let refreshToken = null;
+        let expiresAt = 0;
+        // Wait for authorization code via local callback server
+        const { code, redirectUri } = yield new Promise((resolve, reject) => {
+            const server = (0, node_http_1.createServer)((req, res) => {
+                const url = new URL(req.url, "http://localhost");
+                if (url.pathname !== "/callback") {
+                    res.writeHead(404);
+                    res.end();
+                    return;
+                }
+                const error = url.searchParams.get("error");
+                if (error) {
+                    res.writeHead(200, { "Content-Type": "text/html" });
+                    res.end(`<h2>Authorization Failed</h2><p>${url.searchParams.get("error_description") || error}</p>`);
+                    server.close();
+                    reject(new Error(`Authorization denied: ${error}`));
+                    return;
+                }
+                if (url.searchParams.get("state") !== state) {
+                    res.writeHead(400, { "Content-Type": "text/html" });
+                    res.end("<h2>State Mismatch</h2>");
+                    server.close();
+                    reject(new Error("State mismatch — possible CSRF"));
+                    return;
+                }
+                const authCode = url.searchParams.get("code");
+                if (!authCode) {
+                    res.writeHead(400, { "Content-Type": "text/html" });
+                    res.end("<h2>Missing Code</h2>");
+                    server.close();
+                    reject(new Error("No authorization code"));
+                    return;
+                }
+                res.writeHead(200, { "Content-Type": "text/html" });
+                res.end("<h2>Authorization Successful</h2><p>You can close this window.</p><script>window.close()</script>");
+                const addr = server.address();
+                server.close();
+                resolve({ code: authCode, redirectUri: `http://localhost:${addr.port}/callback` });
+            });
+            server.listen(0, "127.0.0.1", () => {
+                const addr = server.address();
+                const callbackUri = `http://localhost:${addr.port}/callback`;
+                const authParams = new URLSearchParams({
+                    response_type: "code", client_id: clientId, redirect_uri: callbackUri,
+                    scope: scope || "",
+                    state, code_challenge: codeChallenge, code_challenge_method: "S256",
+                });
+                const authorizeUrl = `${authUrl}/oauth/authorize?${authParams.toString()}`;
+                console.error("[centrali-mcp] Opening browser for authorization...");
+                console.error(`[centrali-mcp] If the browser doesn't open, visit:\n  ${authorizeUrl}`);
+                openBrowser(authorizeUrl);
+                setTimeout(() => { server.close(); reject(new Error("Authorization timed out (5 min)")); }, 300000);
+            });
+        });
+        // Exchange authorization code for tokens
+        console.error("[centrali-mcp] Exchanging authorization code for tokens...");
+        const exchangeResp = yield fetch(tokenEndpoint, {
+            method: "POST",
+            headers: { "Content-Type": "application/x-www-form-urlencoded" },
+            body: new URLSearchParams({
+                grant_type: "authorization_code", code, redirect_uri: redirectUri,
+                client_id: clientId, code_verifier: codeVerifier,
+            }).toString(),
+        });
+        if (!exchangeResp.ok) {
+            const err = yield exchangeResp.json().catch(() => ({}));
+            throw new Error(`Token exchange failed: ${err.error_description || exchangeResp.statusText}`);
+        }
+        const tokenData = yield exchangeResp.json();
+        accessToken = tokenData.access_token;
+        refreshToken = tokenData.refresh_token;
+        expiresAt = Date.now() + tokenData.expires_in * 1000;
+        console.error(`[centrali-mcp] Authorization successful (scope: ${tokenData.scope})`);
+        // Return a getToken function with auto-refresh
+        return () => __awaiter(this, void 0, void 0, function* () {
+            if (accessToken && Date.now() < expiresAt - 60000)
+                return accessToken;
+            if (refreshToken) {
+                const resp = yield fetch(tokenEndpoint, {
+                    method: "POST",
+                    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+                    body: new URLSearchParams({ grant_type: "refresh_token", refresh_token: refreshToken, client_id: clientId }).toString(),
+                });
+                if (resp.ok) {
+                    const data = yield resp.json();
+                    accessToken = data.access_token;
+                    refreshToken = data.refresh_token || refreshToken;
+                    expiresAt = Date.now() + data.expires_in * 1000;
+                    return accessToken;
+                }
+            }
+            throw new Error("Token expired and refresh failed — restart the MCP server to re-authorize.");
+        });
+    });
+}
 function main() {
     return __awaiter(this, void 0, void 0, function* () {
         const baseUrl = getRequiredEnv("CENTRALI_URL");
-        const clientId = getRequiredEnv("CENTRALI_CLIENT_ID");
-        const clientSecret = getRequiredEnv("CENTRALI_CLIENT_SECRET");
         const workspaceId = getRequiredEnv("CENTRALI_WORKSPACE");
-        const sdk = new centrali_sdk_1.CentraliSDK({
-            baseUrl,
-            workspaceId,
-            clientId,
-            clientSecret,
-        });
+        const authMode = detectAuthMode();
+        let sdk;
+        if (authMode === "browser") {
+            const clientId = getRequiredEnv("CENTRALI_OAUTH_CLIENT_ID");
+            const scope = process.env.CENTRALI_OAUTH_SCOPE;
+            const getToken = yield browserAuthFlow(baseUrl, clientId, scope);
+            sdk = new centrali_sdk_1.CentraliSDK({ baseUrl, workspaceId, getToken });
+            console.error(`[centrali-mcp] Ready — browser OAuth (client: ${clientId})`);
+        }
+        else if (authMode === "oauth") {
+            const clientId = getRequiredEnv("CENTRALI_OAUTH_CLIENT_ID");
+            const clientSecret = getRequiredEnv("CENTRALI_OAUTH_CLIENT_SECRET");
+            const scope = process.env.CENTRALI_OAUTH_SCOPE;
+            const getToken = createClientCredentialsFetcher(baseUrl, clientId, clientSecret, scope);
+            sdk = new centrali_sdk_1.CentraliSDK({ baseUrl, workspaceId, getToken });
+            console.error(`[centrali-mcp] Ready — OAuth client_credentials (client: ${clientId})`);
+        }
+        else {
+            const clientId = getRequiredEnv("CENTRALI_CLIENT_ID");
+            const clientSecret = getRequiredEnv("CENTRALI_CLIENT_SECRET");
+            sdk = new centrali_sdk_1.CentraliSDK({ baseUrl, workspaceId, clientId, clientSecret });
+            console.error(`[centrali-mcp] Ready — service account / RBAC (client: ${clientId})`);
+        }
         const server = new mcp_js_1.McpServer({
             name: "centrali",
             version: "1.0.0",
@@ -62,7 +266,7 @@ function main() {
         (0, validation_js_1.registerValidationTools)(server, sdk);
         (0, pages_js_1.registerPageTools)(server, sdk, baseUrl, workspaceId);
         (0, auth_providers_js_1.registerAuthProviderTools)(server, sdk, baseUrl, workspaceId);
-        (0, service_accounts_js_1.registerServiceAccountTools)(server, sdk, baseUrl, workspaceId, clientId);
+        (0, service_accounts_js_1.registerServiceAccountTools)(server, sdk, baseUrl, workspaceId, authMode === "service-account" ? getRequiredEnv("CENTRALI_CLIENT_ID") : (process.env.CENTRALI_OAUTH_CLIENT_ID || ""));
         (0, describe_js_1.registerDescribeTools)(server);
         // Register resources
         (0, structures_js_2.registerCollectionResources)(server, sdk);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@centrali-io/centrali-mcp",
-  "version": "4.5.2",
+  "version": "4.6.0",
   "description": "Centrali MCP Server - AI assistant integration for Centrali workspaces",
   "main": "dist/index.js",
   "type": "commonjs",

package/src/index.ts

@@ -3,6 +3,9 @@
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { CentraliSDK } from "@centrali-io/centrali-sdk";
+import { createServer } from "node:http";
+import { randomBytes, createHash } from "node:crypto";
+import { execFile } from "node:child_process";
 import { registerStructureTools, registerCollectionTools } from "./tools/structures.js";
 import { registerRecordTools } from "./tools/records.js";
 import { registerSearchTools } from "./tools/search.js";
@@ -26,18 +29,234 @@ function getRequiredEnv(name: string): string {
   return value;
 }
 
+/**
+ * Detect auth mode from environment variables.
+ *
+ * Browser mode: Set CENTRALI_OAUTH_CLIENT_ID (no secret)
+ *   → Opens browser for Authorization Code + PKCE flow
+ *
+ * OAuth client_credentials mode: Set CENTRALI_OAUTH_CLIENT_ID + CENTRALI_OAUTH_CLIENT_SECRET
+ *   → Uses POST /oauth/token with scoped access
+ *
+ * Service account mode: Set CENTRALI_CLIENT_ID + CENTRALI_CLIENT_SECRET
+ *   → Uses OIDC client_credentials with RBAC (roles, groups, policies)
+ */
+function detectAuthMode(): "browser" | "oauth" | "service-account" {
+  const oauthClientId = process.env.CENTRALI_OAUTH_CLIENT_ID;
+  const oauthClientSecret = process.env.CENTRALI_OAUTH_CLIENT_SECRET;
+
+  if (oauthClientId && !oauthClientSecret) {
+    return "browser";
+  }
+  if (oauthClientId && oauthClientSecret) {
+    return "oauth";
+  }
+  if (process.env.CENTRALI_CLIENT_ID && process.env.CENTRALI_CLIENT_SECRET) {
+    return "service-account";
+  }
+
+  console.error(
+    "Missing auth credentials. Set one of:\n" +
+    "  CENTRALI_OAUTH_CLIENT_ID (browser OAuth — Authorization Code + PKCE)\n" +
+    "  CENTRALI_OAUTH_CLIENT_ID + CENTRALI_OAUTH_CLIENT_SECRET (OAuth client_credentials)\n" +
+    "  CENTRALI_CLIENT_ID + CENTRALI_CLIENT_SECRET (service account — RBAC permissions)"
+  );
+  process.exit(1);
+}
+
+/** Derive the IAM auth URL from the base URL. */
+function deriveAuthUrl(baseUrl: string): string {
+  // Direct localhost port (e.g., http://localhost:7060) — already pointing at IAM
+  if (/localhost:\d+/.test(baseUrl)) {
+    return baseUrl.replace(/\/data$/, "").replace(/\/iam$/, "");
+  }
+  // Traefik or production — prepend auth. subdomain
+  // centrali.localhost → auth.centrali.localhost
+  // centrali.io → auth.centrali.io
+  return baseUrl.replace(/^(https?:\/\/)/, "$1auth.");
+}
+
+/** Open a URL in the default browser (safe — no shell interpolation). */
+function openBrowser(url: string): void {
+  const cmd = process.platform === "darwin" ? "open"
+            : process.platform === "win32" ? "cmd" : "xdg-open";
+  const args = process.platform === "win32" ? ["/c", "start", "", url] : [url];
+  execFile(cmd, args, (err) => {
+    if (err) console.error(`[centrali-mcp] Could not open browser: ${err.message}`);
+  });
+}
+
+/** Create a token fetcher for OAuth client_credentials flow. */
+function createClientCredentialsFetcher(baseUrl: string, clientId: string, clientSecret: string, scope?: string) {
+  const tokenEndpoint = `${deriveAuthUrl(baseUrl)}/oauth/token`;
+  let cachedToken: string | null = null;
+  let expiresAt = 0;
+
+  return async (): Promise<string> => {
+    if (cachedToken && Date.now() < expiresAt - 60_000) return cachedToken;
+
+    const params = new URLSearchParams({ grant_type: "client_credentials", client_id: clientId, client_secret: clientSecret });
+    if (scope) params.set("scope", scope);
+
+    const resp = await fetch(tokenEndpoint, { method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded" }, body: params.toString() });
+    if (!resp.ok) {
+      const error = await resp.json().catch(() => ({}));
+      throw new Error(`OAuth token request failed: ${error.error_description || resp.statusText}`);
+    }
+    const data = await resp.json();
+    cachedToken = data.access_token;
+    expiresAt = Date.now() + data.expires_in * 1000;
+    return cachedToken!;
+  };
+}
+
+/**
+ * Perform Authorization Code + PKCE flow via a local HTTP callback server.
+ *
+ * 1. Start a temporary HTTP server on a random port
+ * 2. Open the browser to /oauth/authorize with PKCE challenge
+ * 3. Receive the callback with the authorization code
+ * 4. Exchange the code for tokens
+ * 5. Return a getToken function that auto-refreshes via refresh_token
+ */
+async function browserAuthFlow(baseUrl: string, clientId: string, scope?: string): Promise<() => Promise<string>> {
+  const authUrl = deriveAuthUrl(baseUrl);
+  const tokenEndpoint = `${authUrl}/oauth/token`;
+
+  const codeVerifier = randomBytes(32).toString("base64url");
+  const codeChallenge = createHash("sha256").update(codeVerifier).digest("base64url");
+  const state = randomBytes(16).toString("hex");
+
+  let accessToken: string | null = null;
+  let refreshToken: string | null = null;
+  let expiresAt = 0;
+
+  // Wait for authorization code via local callback server
+  const { code, redirectUri } = await new Promise<{ code: string; redirectUri: string }>((resolve, reject) => {
+    const server = createServer((req, res) => {
+      const url = new URL(req.url!, "http://localhost");
+      if (url.pathname !== "/callback") { res.writeHead(404); res.end(); return; }
+
+      const error = url.searchParams.get("error");
+      if (error) {
+        res.writeHead(200, { "Content-Type": "text/html" });
+        res.end(`<h2>Authorization Failed</h2><p>${url.searchParams.get("error_description") || error}</p>`);
+        server.close();
+        reject(new Error(`Authorization denied: ${error}`));
+        return;
+      }
+
+      if (url.searchParams.get("state") !== state) {
+        res.writeHead(400, { "Content-Type": "text/html" });
+        res.end("<h2>State Mismatch</h2>");
+        server.close();
+        reject(new Error("State mismatch — possible CSRF"));
+        return;
+      }
+
+      const authCode = url.searchParams.get("code");
+      if (!authCode) {
+        res.writeHead(400, { "Content-Type": "text/html" });
+        res.end("<h2>Missing Code</h2>");
+        server.close();
+        reject(new Error("No authorization code"));
+        return;
+      }
+
+      res.writeHead(200, { "Content-Type": "text/html" });
+      res.end("<h2>Authorization Successful</h2><p>You can close this window.</p><script>window.close()</script>");
+
+      const addr = server.address() as { port: number };
+      server.close();
+      resolve({ code: authCode, redirectUri: `http://localhost:${addr.port}/callback` });
+    });
+
+    server.listen(0, "127.0.0.1", () => {
+      const addr = server.address() as { port: number };
+      const callbackUri = `http://localhost:${addr.port}/callback`;
+      const authParams = new URLSearchParams({
+        response_type: "code", client_id: clientId, redirect_uri: callbackUri,
+        scope: scope || "",
+        state, code_challenge: codeChallenge, code_challenge_method: "S256",
+      });
+      const authorizeUrl = `${authUrl}/oauth/authorize?${authParams.toString()}`;
+      console.error("[centrali-mcp] Opening browser for authorization...");
+      console.error(`[centrali-mcp] If the browser doesn't open, visit:\n  ${authorizeUrl}`);
+      openBrowser(authorizeUrl);
+      setTimeout(() => { server.close(); reject(new Error("Authorization timed out (5 min)")); }, 300_000);
+    });
+  });
+
+  // Exchange authorization code for tokens
+  console.error("[centrali-mcp] Exchanging authorization code for tokens...");
+  const exchangeResp = await fetch(tokenEndpoint, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      grant_type: "authorization_code", code, redirect_uri: redirectUri,
+      client_id: clientId, code_verifier: codeVerifier,
+    }).toString(),
+  });
+
+  if (!exchangeResp.ok) {
+    const err = await exchangeResp.json().catch(() => ({}));
+    throw new Error(`Token exchange failed: ${err.error_description || exchangeResp.statusText}`);
+  }
+
+  const tokenData = await exchangeResp.json();
+  accessToken = tokenData.access_token;
+  refreshToken = tokenData.refresh_token;
+  expiresAt = Date.now() + tokenData.expires_in * 1000;
+  console.error(`[centrali-mcp] Authorization successful (scope: ${tokenData.scope})`);
+
+  // Return a getToken function with auto-refresh
+  return async (): Promise<string> => {
+    if (accessToken && Date.now() < expiresAt - 60_000) return accessToken;
+
+    if (refreshToken) {
+      const resp = await fetch(tokenEndpoint, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: new URLSearchParams({ grant_type: "refresh_token", refresh_token: refreshToken!, client_id: clientId }).toString(),
+      });
+      if (resp.ok) {
+        const data = await resp.json();
+        accessToken = data.access_token;
+        refreshToken = data.refresh_token || refreshToken;
+        expiresAt = Date.now() + data.expires_in * 1000;
+        return accessToken!;
+      }
+    }
+    throw new Error("Token expired and refresh failed — restart the MCP server to re-authorize.");
+  };
+}
+
 async function main() {
   const baseUrl = getRequiredEnv("CENTRALI_URL");
-  const clientId = getRequiredEnv("CENTRALI_CLIENT_ID");
-  const clientSecret = getRequiredEnv("CENTRALI_CLIENT_SECRET");
   const workspaceId = getRequiredEnv("CENTRALI_WORKSPACE");
+  const authMode = detectAuthMode();
 
-  const sdk = new CentraliSDK({
-    baseUrl,
-    workspaceId,
-    clientId,
-    clientSecret,
-  });
+  let sdk: CentraliSDK;
+
+  if (authMode === "browser") {
+    const clientId = getRequiredEnv("CENTRALI_OAUTH_CLIENT_ID");
+    const scope = process.env.CENTRALI_OAUTH_SCOPE;
+    const getToken = await browserAuthFlow(baseUrl, clientId, scope);
+    sdk = new CentraliSDK({ baseUrl, workspaceId, getToken });
+    console.error(`[centrali-mcp] Ready — browser OAuth (client: ${clientId})`);
+  } else if (authMode === "oauth") {
+    const clientId = getRequiredEnv("CENTRALI_OAUTH_CLIENT_ID");
+    const clientSecret = getRequiredEnv("CENTRALI_OAUTH_CLIENT_SECRET");
+    const scope = process.env.CENTRALI_OAUTH_SCOPE;
+    const getToken = createClientCredentialsFetcher(baseUrl, clientId, clientSecret, scope);
+    sdk = new CentraliSDK({ baseUrl, workspaceId, getToken });
+    console.error(`[centrali-mcp] Ready — OAuth client_credentials (client: ${clientId})`);
+  } else {
+    const clientId = getRequiredEnv("CENTRALI_CLIENT_ID");
+    const clientSecret = getRequiredEnv("CENTRALI_CLIENT_SECRET");
+    sdk = new CentraliSDK({ baseUrl, workspaceId, clientId, clientSecret });
+    console.error(`[centrali-mcp] Ready — service account / RBAC (client: ${clientId})`);
+  }
 
   const server = new McpServer({
     name: "centrali",
@@ -56,7 +275,7 @@ async function main() {
   registerValidationTools(server, sdk);
   registerPageTools(server, sdk, baseUrl, workspaceId);
   registerAuthProviderTools(server, sdk, baseUrl, workspaceId);
-  registerServiceAccountTools(server, sdk, baseUrl, workspaceId, clientId);
+  registerServiceAccountTools(server, sdk, baseUrl, workspaceId, authMode === "service-account" ? getRequiredEnv("CENTRALI_CLIENT_ID") : (process.env.CENTRALI_OAUTH_CLIENT_ID || ""));
   registerDescribeTools(server);
 
   // Register resources