ComplyHat uses OAuth 2.1 with Dynamic Client Registration (RFC 7591) backed by Supabase Auth OAuth Server. Every supported host (Claude Code, Claude Desktop, Codex Desktop, Codex CLI, OpenClaw, NemoClaw) handles the entire flow without setup on your side. You see one consent screen the first time you connect; the host does the rest.
What happens when you connect
Registration and consent
The host registers itself via DCR; your browser opens to https://complyhat.ai/oauth/consent. Sign in, pick an organization, approve.
Scopes
Hosts request the OIDC standard set: openid email. That is the only set the authorization server (Supabase Auth OAuth Server) issues today, and it is what /.well-known/oauth-protected-resource advertises:
The server resolves the user's organization_id from their token's sub claim and filters all data reads and writes through that org context. The same boundary the web dashboard uses applies to MCP; there is no second authorization layer to configure.
If you’ve seen older docs referencing fine-grained scopes like wiki:write or models:read, those were planned for a future Custom Access Token Hook and are not currently issued by Supabase OAuth Server. They will reappear here only if and when that hook is enabled.
When auth fails
A request without a valid bearer token returns 401 Unauthorized with a WWW-Authenticate header per RFC 6750:
Hosts follow resource_metadata, run discovery, and re-authenticate without further intervention.
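As an added example (not ComplyHat's own code), this is the client-side logic a host runs on that 401: parse the Bearer challenge, accept the resource_metadata URL only if it is https and on the origin that was actually called, then confirm the fetched metadata names that same resource and advertises exactly the openid and email scopes described above. The header text, the hostnames mcp.example.test and auth.example.test, and the metadata document are constructed samples, not values taken from ComplyHat.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample 401 challenge in the RFC 6750 / RFC 9728 shape; the exact
# header ComplyHat returns is not reproduced here.
SAMPLE_WWW_AUTHENTICATE = (
    'Bearer realm="complyhat", error="invalid_token", '
    'error_description="missing or expired bearer token", '
    'resource_metadata="https://mcp.example.test/.well-known/oauth-protected-resource"'
)

# Constructed protected-resource metadata document (RFC 9728 field names).
SAMPLE_METADATA = json.dumps({
    "resource": "https://mcp.example.test",
    "authorization_servers": ["https://auth.example.test"],
    "scopes_supported": ["openid", "email"],
    "bearer_methods_supported": ["header"],
})

_PARAM_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def parse_bearer_challenge(header: str) -> dict:
    """Split a `Bearer ...` challenge into its quoted auth-params."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError(f"not a Bearer challenge: {scheme!r}")
    return {k: v.replace('\\"', '"') for k, v in _PARAM_RE.findall(params)}

def discovery_url(header: str, resource_origin: str) -> str:
    """Return resource_metadata only if it is https and on the origin we
    called, so a tampered challenge cannot redirect discovery elsewhere."""
    url = parse_bearer_challenge(header).get("resource_metadata")
    if not url:
        raise ValueError("challenge carries no resource_metadata")
    u, o = urlparse(url), urlparse(resource_origin)
    if u.scheme != "https" or (u.scheme, u.netloc) != (o.scheme, o.netloc):
        raise ValueError(f"refusing off-origin metadata URL: {url}")
    return url

def check_metadata(doc: str, resource_origin: str, expected=("openid", "email")) -> dict:
    """Validate the fetched metadata: `resource` must match the server we
    called and the advertised scopes must be exactly the OIDC set."""
    meta = json.loads(doc)
    if meta.get("resource", "").rstrip("/") != resource_origin.rstrip("/"):
        raise ValueError("metadata 'resource' does not match the server we called")
    if set(meta.get("scopes_supported", [])) != set(expected):
        raise ValueError(f"unexpected scopes: {meta.get('scopes_supported')}")
    if not meta.get("authorization_servers"):
        raise ValueError("no authorization_servers listed")
    return meta
```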