Clients without built-in OAuth

Most MCP clients sign in with OAuth — point them at https://gateway.ansvar.eu/mcp and approve the browser login. Those recipes live on the Setup page. This page is for the clients that can't do that: ones that only accept a fixed Authorization header, or that run on a server with no browser.

A pasted token on its own won't hold — every token the gateway issues is short-lived and expires within minutes, and these clients don't refresh. The fix depends on whether your client can run a small local helper.

Clients that can run a local helper

AnythingLLM Desktop and custom scripts can launch a local command. Use mcp-remote, a community helper that performs the OAuth login and token refresh on the client's behalf and exposes the gateway as a local server. Your client talks to the helper; the helper talks to Ansvar. This removes the expiry problem entirely — it runs in OAuth mode, not as a static header.

Requires Node.js 18+. In AnythingLLM, edit plugins/anythingllm_mcp_servers.json (or Settings → Agent Skills → MCP Servers):

{
  "mcpServers": {
    "ansvar": {
      "command": "npx",
      "args": ["-y", "mcp-remote@0.1.38", "https://gateway.ansvar.eu/mcp"],
      "env": {}
    }
  }
}

On first start your browser opens to the Ansvar login; after that it reconnects on its own. For long-running unattended setups, request a longer-lived refresh with the offline_access scope:

"args": [
  "-y", "mcp-remote@0.1.38", "https://gateway.ansvar.eu/mcp",
  "--static-oauth-client-metadata", "{\"scope\":\"mcp:tools offline_access\"}"
]

Custom code

Writing your own client? Use the MCP SDK and pass your own OAuth access token as a Bearer header to https://gateway.ansvar.eu/mcp. Obtain it via OAuth 2.1 Authorization Code + PKCE against auth.ansvar.eu/realms/ansvar, and refresh it yourself — access tokens are short-lived.

Headless and static-header-only clients

Some clients can't use the helper — they connect over HTTP with a fixed header and can't run a local command, or they run on a server with no browser for the one-time login. This includes n8n, Open WebUI, AnythingLLM in Docker, and CI/CD jobs. These need a scoped, revocable service credential rather than a browser login.

Troubleshooting

  • 401 / "Authentication required" on connect — the client sent no valid login. Use the helper above, or contact us for a service credential.
  • Works for a few minutes, then 401s — a static token expired. Use the helper's OAuth mode, which refreshes; don't paste a token.
  • 404 at the endpoint — the MCP endpoint is https://gateway.ansvar.eu/mcp, not the bare host.
  • Cryptic node:fs/promises crash — the client launched npx under an old Node. Install Node 18+ and make sure it's first on the client's PATH.