| Role | URL |
|---|---|
| Resource server (the MCP server) | https://mcp.langmail.me |
| Authorization server (Langmail’s identity service) | https://auth.langmail.me |
| Login page (unauthenticated users land here) | https://app.langmail.me/login |
The flow
The first request gets a 401
A request to
https://mcp.langmail.me/mcp without a bearer token returns 401 with a pointer to the resource metadata:Response header
Discover the authorization server
Request
Response
auth.langmail.me. Clients only need to follow the endpoints in this document.Register as a client
The registration endpoint accepts dynamic client registration (RFC 7591) without prior credentials, rate-limited per IP. MCP clients typically register as a public client with a loopback redirect:Redirect URIs are matched exactly at authorization time, so register the precise URI you will use, including the port.
Registration request
The user signs in and consents
The client opens the authorization URL with a PKCE challenge:A user without a session is sent to the Langmail login page (Google sign-in) first. Then a consent screen shows what the named client is asking for; approving redirects back to the client’s
redirect_uri with an authorization code. Every dynamically registered client goes through consent — there are no silent grants.Exchange the code for tokens
Request
access_token and, because offline_access was granted, a refresh_token. Public clients send no client secret; the PKCE verifier binds the exchange to the client that started the flow.Tokens
- Access tokens are opaque — treat them as bearer credentials, not as JWTs to inspect.
- Refresh tokens are issued when
offline_accessis granted, so clients can stay connected without re-prompting you to sign in. - Ending access: remove the server from your MCP client — it discards its tokens, and without the refresh token access lapses. There is no dashboard for reviewing individual grants yet.
Requirements on the user
The signing-in Google account must belong to a Langmail user with an active@langmail.me mailbox. Accounts without one are rejected at the MCP server with 401 invalid_token — sign up at app.langmail.me first.
Authorization gives a client access to the tools the server exposes for your mailbox — currently read access to mail and read-write access to calendars. See the tool reference for the exact surface.