Guide
Authentication & registration
JetHost MCP uses OAuth 2.1 with Dynamic Client Registration (RFC 7591) and PKCE. AI clients register themselves and obtain a scoped token after you approve a consent screen inside your JetHost MCP account.
OAuth 2.1PKCE requiredDynamic Client Registration
Endpoints #
Clients auto-configure from the two discovery documents — no manual setup. The protected-resource document points to the authorization server, which advertises the rest.
| Purpose | URL |
|---|---|
| Discovery — protected resource | GET https://mcp.jethost.bg/.well-known/oauth-protected-resource |
| Discovery — authorization server | GET https://mcp.jethost.bg/.well-known/oauth-authorization-server |
| Registration (DCR) | POST https://jethost.bg/app/index.php?m=jethost_mcp_oauth&action=register |
| MCP transport | POST https://mcp.jethost.bg/mcp |
| Authorization | GET https://jethost.bg/app/index.php?m=jethost_mcp_oauth&action=authorize |
| Token | POST https://jethost.bg/app/index.php?m=jethost_mcp_oauth&action=token |
| JWKS | GET https://jethost.bg/app/index.php?m=jethost_mcp_oauth&action=jwks |
| Token revocation | POST https://jethost.bg/app/index.php?m=jethost_mcp_oauth&action=revoke |
| Manage tokens | GET https://jethost.bg/app/index.php?m=jethost_mcp_oauth&action=manage_tokens |
Server metadata #
Advertised by /.well-known/oauth-authorization-server (RFC 8414):
| issuer | https://jethost.bg/app |
| scopes_supported | 12 scopes (see below) |
| response_types_supported | code |
| grant_types_supported | authorization_code, refresh_token |
| code_challenge_methods_supported | S256 — PKCE required |
| token_endpoint_auth_methods_supported | none — public clients |
| registration | open · RFC 7591 Dynamic Client Registration |
How connecting works #
- The client fetches the discovery documents (/.well-known/oauth-protected-resource → /.well-known/oauth-authorization-server), then registers itself at the Registration endpoint via Dynamic Client Registration — no manual client_id setup.
- It opens the Authorization URL; you sign in to JetHost MCP (reusing your existing session and 2FA) and approve the requested scopes on a consent screen.
- The client exchanges the authorization code (with its PKCE verifier) at the Token endpoint for a short-lived access token (15 min) and a rolling refresh token (30 days).
- Every MCP call sends Authorization: Bearer <access_token>. The server verifies the RS256 JWT against the JWKS and enforces scope + ownership on each tool.
- You can review and revoke tokens anytime from Manage tokens.
Scopes #
Each tool requires one scope. A client requests only the scopes it needs; you approve them on the consent screen.
| Scope | Grants |
|---|---|
| cpanel:uapi | Manage your hosting account via cPanel — read and change settings on the cPanel features JetHost has enabled (this can modify your account) generate_deploy_key list_cpanel_operations get_cpanel_module cpanel_uapi |
| read:analytics | Read your websites' traffic statistics and visitor analytics get_website_statistics |
| read:deploy | View the deployment status and history of your websites get_deploy_status get_private_repo_deploy_status |
| read:domain_catalog | Check domain availability and get EUR pricing from JetHost's catalog check_domain_availability suggest_domains |
| read:domains | View your registered domains and their details list_domains get_domain get_domain_nameservers get_domain_whois |
| read:invoices | View your invoices and billing history list_invoices get_invoice search_invoices find_invoices_by_relation |
| read:logs | Read your websites' access logs and PHP error logs get_website_logs |
| read:product_catalog | View JetHost's hosting plans with EUR pricing list_hosting_plans get_hosting_plan |
| read:services | View your hosting services list_services get_service get_service_usage |
| read:tickets | View your support tickets and conversation history list_tickets get_ticket |
| read:websites | View the domains and document roots hosted on your hosting accounts list_website_domains |
| write:deploy | Deploy websites from a git repository — a public URL or a private SSH repo — to your hosting (overwrites the target site) deploy_site_from_url deploy_private_repo |