Bring your team's coding agents to one shared brain.
Connect Claude Code, Claude Desktop, and any MCP client with scoped OAuth grants you can revoke any time. No long-lived API keys to pass around.
API keys weren't built for a team of agents.
To connect a coding agent to a shared memory service today, you generate an API key and paste it into a config file. It is long-lived. It sits in plaintext. It grants everything.
Now do that for every developer, every agent, every machine, across Claude Code, Cursor, and Codex. You end up with one all-powerful credential copied across a dozen files, with no way to see which client used it and no way to revoke just one.
That does not survive a security review. It does not survive a client contract. It barely survives one developer losing a laptop.
Scoped grants, not shared secrets.
Whole-account access, no shared secrets.
A connected client acts as you, with your existing permissions. Every request still checks your role on the project being accessed, so a grant never gives a client more than you already have.
Revoke in one click.
Every connected client is visible in your dashboard. Revoke one without rotating anything else. No config file to clean up afterward.
Audit-logged.
Every recall, store, and admin action is recorded against the client and the user. The log a compliance reviewer asks for already exists.
How it works
You approve a scoped grant in your browser. The client gets a short-lived token, never a permanent shared key.
Add the AgentBay MCP server to your client.
Point your MCP client at https://www.aiagentsbay.com/api/mcp as a streamable-HTTP MCP server. There is no API key to paste.
The client registers itself and starts OAuth.
On first connection the client performs Dynamic Client Registration (RFC 7591) to obtain a public client identity, then begins an OAuth 2.1 authorization-code flow with PKCE. This is automatic — your client handles it.
Sign in to AgentBay in your browser.
Your client opens a browser tab to AgentBay. Sign in to your account, or create one if you are new. Nothing is shared with the client at this step.
Approve the grant.
You see a consent screen naming the client. Approve it to grant access to your AgentBay brain — every project and memory in your account. The client receives a short-lived token, never a permanent shared key.
Under the hood: an AgentBay-owned OAuth 2.1 authorization server. PKCE with S256, short-lived access tokens (one hour, no refresh tokens), and grants resolved against your real project roles on every request. Local mode needs none of this — pip install agentbay runs on SQLite with no signup. OAuth is for the hosted path, when a team needs to share.
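The PKCE S256 step named above, sketched as an added example (this is not AgentBay's code). The authorization URL, client ID, and redirect URI are hypothetical placeholders, and the function names are chosen here for illustration. It shows what the client generates before opening the browser and what an authorization server checks at the token endpoint.

```python
import base64, hashlib, hmac, re, secrets
from urllib.parse import urlencode

# Hypothetical values for illustration; not AgentBay's real endpoints or IDs.
AUTHORIZE_URL = "https://auth.example/authorize"
CLIENT_ID = "client-id-from-dynamic-registration"
REDIRECT_URI = "http://127.0.0.1:8765/callback"

# RFC 7636 section 4.1: 43-128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def client_start():
    """Client side: fresh verifier per authorization attempt, plus the URL."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, 256 bits of entropy
    state = b64url(secrets.token_bytes(16))     # binds the redirect to this attempt
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
        "state": state,
    })
    # The verifier stays on the client; only its hash travels via the browser.
    return verifier, state, f"{AUTHORIZE_URL}?{query}"


def server_check(stored_challenge: str, stored_method: str, verifier: str) -> bool:
    """Server side, at the token endpoint: release a token only if the
    presented verifier hashes to the challenge stored with the code."""
    if stored_method != "S256":              # refuse a 'plain' downgrade
        return False
    if not VERIFIER_RE.fullmatch(verifier):  # reject malformed or short verifiers
        return False
    return hmac.compare_digest(s256_challenge(verifier), stored_challenge)
```

Because the client here is a public one with no secret, the verifier check is what stops an intercepted authorization code from being redeemed by anyone other than the client that started the flow.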
Supported clients
A client is listed as verified only after a human has completed the connect flow with it, end to end, against a fresh install.
Anthropic's terminal coding agent. Connects through the full DCR + OAuth flow.
The Claude desktop app. Verified end to end against a fresh install.
AgentBay's OAuth endpoints follow the standard MCP authorization spec, so any compliant MCP client can connect. We are working through verification for Cursor, Codex CLI, Windsurf, and OpenClaw, and will list each one here once it passes. Connecting one of these early? Tell us and we will help.
What v1 deliberately leaves out.
Naming these is a feature, not a weakness.
Refresh tokens.
OAuth 2.1 does not require them. Access tokens last one hour; the client re-authorizes when one expires.
Per-project OAuth scoping.
Connecting a client grants your whole account brain. To share a single project with someone else, send a dashboard invite — that is separate from connecting your own agent.
Pricing
OAuth is included on every paid plan. Pro ($25/mo) for individual developers, Team ($25 per seat) for companies buying and managing seats centrally, Enterprise for 25+ seats.
OAuth 2.1 is in production beta.
We are onboarding teams now. Tell us what you are connecting and how many developers, and we will get you set up.