OAuth 2.0 at greyout
greyout is a standard OAuth 2.0 Authorization Server. Three grant flows are
supported. Discovery is published at
/.well-known/oauth-authorization-server
per RFC 8414 — most modern clients need no per-server config beyond the
issuer URL.
supported flows
| grant_type | use case |
|---|---|
| authorization_code | browser-based MCP clients (PKCE, S256 only) |
| device_code (sent on the wire as urn:ietf:params:oauth:grant-type:device_code) | terminal CLIs, headless tooling (RFC 8628) |
| refresh_token | silent token rotation (180-day refresh TTL) |
scopes
- projects:read — read projects, monitors, and check status
- projects:write — create, update, delete projects
- incidents:read — read incident history
- cron:write — mint scheduled-job ping endpoints
- billing:authorize — authorize plan upgrades within a per-device cap
dynamic client registration
Public clients can register themselves at
POST /oauth/register (RFC 7591).
Only public clients (token_endpoint_auth_method=none) using PKCE are
accepted; we do not issue client secrets. Auto-registered clients are tagged
as (unverified) on the Authorize page so users always see the
distinction from first-party integrations.
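The registration body and the PKCE handshake behind the authorization_code row and the registration section above, as an added example that is not greyout's own code. The host (greyout.example) and the authorize endpoint path are placeholders: the page only gives relative paths, and a real client takes authorization_endpoint and registration_endpoint from the RFC 8414 discovery document. The client side builds the RFC 7591 request and the S256 challenge; the server-side functions show the two checks an S256-only server makes, rejecting any other code_challenge_method at the authorize endpoint and recomputing the challenge from the verifier at the token endpoint.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode

# Placeholders: the page gives relative paths only, the host is assumed.
# A real client reads these from /.well-known/oauth-authorization-server.
ISSUER = "https://greyout.example"
AUTHORIZE_URL = ISSUER + "/oauth/authorize"   # assumed path
REGISTER_URL = ISSUER + "/oauth/register"     # from the page


def registration_request(client_name: str, redirect_uri: str) -> dict:
    """Body for POST /oauth/register (RFC 7591) as a public client.

    greyout issues no client secrets, so token_endpoint_auth_method must be
    "none"; the only proof of possession the client will ever offer is PKCE.
    """
    return {
        "client_name": client_name,
        "redirect_uris": [redirect_uri],
        "token_endpoint_auth_method": "none",
        "grant_types": ["authorization_code", "refresh_token"],
        "response_types": ["code"],
        "scope": "projects:read incidents:read",
    }


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for the challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_pkce_pair() -> tuple[str, str]:
    """RFC 7636: verifier of 43..128 unreserved chars; the S256 challenge is
    BASE64URL(SHA256(ASCII(verifier))). 32 random bytes give a 43-char verifier."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def authorize_url(client_id: str, redirect_uri: str, scope: str,
                  challenge: str, state: str) -> str:
    """Front-channel request the browser is sent to; the verifier stays local."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def server_accepts_challenge(method: str) -> bool:
    """Authorize-endpoint policy: S256 only. 'plain' and a missing method
    are refused, so a challenge never equals the verifier it protects."""
    return method == "S256"


def server_verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Token-endpoint check: recompute S256 over the verifier sent with the
    code and compare in constant time against the challenge stored with it."""
    if not (43 <= len(presented_verifier) <= 128):
        return False
    recomputed = b64url(hashlib.sha256(presented_verifier.encode("ascii")).digest())
    return secrets.compare_digest(recomputed, stored_challenge)


if __name__ == "__main__":
    redirect = "http://127.0.0.1:8976/callback"   # constructed loopback redirect
    print(json.dumps(registration_request("demo-mcp-client", redirect), indent=2))
    verifier, challenge = new_pkce_pair()
    print(authorize_url("client_abc", redirect, "projects:read",
                        challenge, secrets.token_urlsafe(16)))
    print(server_verify_pkce(challenge, verifier))  # True
```

The verifier is generated once per authorization request and never leaves the client until the token exchange, so an attacker who intercepts the code (for example through a malicious app registered on the same loopback redirect) cannot redeem it without the verifier; that is why the page can safely skip client secrets.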
token shape
```text
gro_acc_<public_id>.<secret>   # access  (1h TTL)
gro_ref_<public_id>.<secret>   # refresh (180d TTL, rotates per use)
```
Refresh tokens rotate on every use and the server tracks the whole chain that descends from one grant. Presenting a refresh token that has already been rotated is treated as reuse: the entire chain is revoked, including the newest token, and the legitimate caller has to re-authenticate. This is the refresh-token reuse detection described in the OAuth 2.0 Security Best Current Practice; a leaked refresh token is burned the moment either holder replays it, whichever of them is the attacker.
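An in-memory model of these rotation rules, added here as an example and not greyout's implementation. It assumes the token shape above (only the secret half is stored, hashed), the 1h/180d TTLs, and a status string per outcome that a real token endpoint would map to the OAuth error invalid_grant; the family identifier and the store layout are the example's own. The interesting path is the replay: exchanging an already-rotated token revokes the family, which also kills the newest token that was issued to whoever rotated it.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

# TTLs from the page: 1h access, 180d refresh.
ACCESS_TTL = 3600
REFRESH_TTL = 180 * 24 * 3600

ACC_PREFIX = "gro_acc_"
REF_PREFIX = "gro_ref_"


def parse_token(token: str, prefix: str) -> Optional[tuple[str, str]]:
    """Split gro_xxx_<public_id>.<secret>; None if the shape is wrong."""
    if not token.startswith(prefix):
        return None
    public_id, dot, secret = token[len(prefix):].partition(".")
    if dot != "." or not public_id or not secret:
        return None
    return public_id, secret


def _hash(secret: str) -> str:
    # Only a hash of the secret half is stored, so a database leak does not
    # hand out usable tokens; the public_id is the lookup key.
    return hashlib.sha256(secret.encode("ascii")).hexdigest()


@dataclass
class RefreshRecord:
    family: str            # the chain (grant) this token descends from
    secret_hash: str
    expires_at: float
    rotated: bool = False  # True once this token has been exchanged


@dataclass
class TokenStore:
    """Hypothetical store modelling the page's rotation rules."""
    now: Callable[[], float] = time.time
    refresh: dict = field(default_factory=dict)       # public_id -> RefreshRecord
    revoked_families: set = field(default_factory=set)

    def _mint_access(self) -> str:
        return f"{ACC_PREFIX}{secrets.token_hex(8)}.{secrets.token_urlsafe(32)}"

    def _mint_refresh(self, family: str) -> str:
        public_id, secret = secrets.token_hex(8), secrets.token_urlsafe(32)
        self.refresh[public_id] = RefreshRecord(
            family, _hash(secret), self.now() + REFRESH_TTL)
        return f"{REF_PREFIX}{public_id}.{secret}"

    def issue(self) -> tuple[str, str]:
        """First issuance after a code or device-code exchange: new family."""
        return self._mint_access(), self._mint_refresh(secrets.token_hex(8))

    def rotate(self, presented: str) -> tuple[str, Optional[str], Optional[str]]:
        """grant_type=refresh_token. Returns (status, access, refresh).

        "ok" carries fresh tokens; every other status maps to the OAuth
        error invalid_grant and carries (None, None).
        """
        parts = parse_token(presented, REF_PREFIX)
        if parts is None:
            return "invalid", None, None
        public_id, secret = parts
        rec = self.refresh.get(public_id)
        if rec is None or not secrets.compare_digest(rec.secret_hash, _hash(secret)):
            return "invalid", None, None
        if rec.family in self.revoked_families:
            return "revoked", None, None
        if rec.rotated:
            # An already-exchanged token is being replayed: two parties hold
            # copies and we cannot tell which one is the attacker, so the whole
            # chain dies, newest token included, and the user re-authenticates.
            self.revoked_families.add(rec.family)
            return "replay", None, None
        if rec.expires_at <= self.now():
            return "expired", None, None
        rec.rotated = True
        return "ok", self._mint_access(), self._mint_refresh(rec.family)


if __name__ == "__main__":
    store = TokenStore()
    _, r1 = store.issue()
    status, _, r2 = store.rotate(r1)
    print(status)                 # ok
    print(store.rotate(r1)[0])    # replay  (r1 was already rotated)
    print(store.rotate(r2)[0])    # revoked (the legitimate r2 is dead too)
```

Note the ordering: the secret is checked before the family state, so probing with a guessed secret learns nothing about whether a family exists or has been revoked, and the replay check runs before the expiry check so a replayed expired token still burns its chain.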
For the MCP endpoint specifically, see the MCP integration docs.