Skip to main content

Authenticate

Some MCP servers require authentication before they can be used. Bloque supports two mechanisms: OAuth and credential-based authentication.

OAuth

For MCP servers that use OAuth (for example, GitHub or Slack), Bloque handles the token exchange on your behalf.

  1. Go to MCP Servers.
  2. Click Authenticate on the server card in the list.
  3. You are redirected to the provider's authorization page.
  4. After granting access, the access token and refresh token are stored encrypted in your Hub.

Bloque refreshes expired tokens automatically, so you only need to authenticate once.

Credentials and environment variables

For servers that use API keys, passwords, or other static secrets, you supply them as environment variables when configuring the server (or on the server detail page after adding it).

Credentials are stored encrypted with AES-256-GCM, isolated per Hub. They are decrypted only at runtime inside the MCP Proxy and are never returned in plain text through the API.

When you share a server, each credential value can be individually redacted so that recipients see the field name but not the value. They fill in their own credentials after installing the shared Hub.

Re-authentication

If an OAuth token is revoked by the provider, or if credentials change, you can re-authenticate at any time from the server detail page. Existing MCP Proxy sessions pick up the new token on the next connection.