Authentication & registration
Guide

Authentication & registration

JetHost MCP uses OAuth 2.1 with Dynamic Client Registration (RFC 7591) and PKCE. AI clients register themselves and obtain a scoped token after you approve a consent screen inside your JetHost MCP account.

OAuth 2.1PKCE requiredDynamic Client Registration

Endpoints #

Clients auto-configure from the two discovery documents — no manual setup. The protected-resource document points to the authorization server, which advertises the rest.

PurposeURL
Discovery — protected resourceGET https://mcp.jethost.com/.well-known/oauth-protected-resource
Discovery — authorization serverGET https://mcp.jethost.com/.well-known/oauth-authorization-server
Registration (DCR)POST https://jethost.com/app/index.php?m=jethost_mcp_oauth&action=register
MCP transportPOST https://mcp.jethost.com/mcp
AuthorizationGET https://jethost.com/app/index.php?m=jethost_mcp_oauth&action=authorize
TokenPOST https://jethost.com/app/index.php?m=jethost_mcp_oauth&action=token
JWKSGET https://jethost.com/app/index.php?m=jethost_mcp_oauth&action=jwks
Token revocationPOST https://jethost.com/app/index.php?m=jethost_mcp_oauth&action=revoke
Manage tokensGET https://jethost.com/app/index.php?m=jethost_mcp_oauth&action=manage_tokens

Server metadata #

Advertised by /.well-known/oauth-authorization-server (RFC 8414):

issuerhttps://jethost.com/app
scopes_supported12 scopes (see below)
response_types_supportedcode
grant_types_supportedauthorization_code, refresh_token
code_challenge_methods_supportedS256 — PKCE required
token_endpoint_auth_methods_supportednone — public clients
registrationopen · RFC 7591 Dynamic Client Registration

How connecting works #

  • The client fetches the discovery documents (/.well-known/oauth-protected-resource/.well-known/oauth-authorization-server), then registers itself at the Registration endpoint via Dynamic Client Registration — no manual client_id setup.
  • It opens the Authorization URL; you sign in to JetHost MCP (reusing your existing session and 2FA) and approve the requested scopes on a consent screen.
  • The client exchanges the authorization code (with its PKCE verifier) at the Token endpoint for a short-lived access token (15 min) and a rolling refresh token (30 days).
  • Every MCP call sends Authorization: Bearer <access_token>. The server verifies the RS256 JWT against the JWKS and enforces scope + ownership on each tool.
  • You can review and revoke tokens anytime from Manage tokens.

Scopes #

Each tool requires one scope. A client requests only the scopes it needs; you approve them on the consent screen.

ScopeGrants
cpanel:uapiManage your hosting account via cPanel — read and change settings on the cPanel features JetHost has enabled (this can modify your account)
generate_deploy_key list_cpanel_operations get_cpanel_module cpanel_uapi
read:analyticsRead your websites' traffic statistics and visitor analytics
get_website_statistics
read:deployView the deployment status and history of your websites
get_deploy_status get_private_repo_deploy_status
read:domain_catalogCheck domain availability and get EUR pricing from JetHost's catalog
check_domain_availability suggest_domains
read:domainsView your registered domains and their details
list_domains get_domain get_domain_nameservers get_domain_whois
read:invoicesView your invoices and billing history
list_invoices get_invoice search_invoices find_invoices_by_relation
read:logsRead your websites' access logs and PHP error logs
get_website_logs
read:product_catalogView JetHost's hosting plans with EUR pricing
list_hosting_plans get_hosting_plan
read:servicesView your hosting services
list_services get_service get_service_usage
read:ticketsView your support tickets and conversation history
list_tickets get_ticket
read:websitesView the domains and document roots hosted on your hosting accounts
list_website_domains
write:deployDeploy websites from a git repository — a public URL or a private SSH repo — to your hosting (overwrites the target site)
deploy_site_from_url deploy_private_repo