Authentication
Cubeshell has no API keys to copy around. Each workspace gets one MCP connection URL, and access is granted through a normal OAuth sign-in the first time your client connects to it.
Get your connection URL
Sign in to the console, create a workspace, then create its MCP connection. An owner or admin can create the connection; any member can use it once created. The connection URL is workspace-specific — tools never take a workspace ID as an argument, so the URL you connect to is the only thing that decides which workspace an agent acts on.
https://api.cubeshell.com/mcp/c/cn_your_connection_idAdd it to your MCP client
Paste the connection URL into Claude Code, Codex, or another MCP-compatible client as a remote HTTP server. No token goes in the config file: the client will get a 401 on first use, discover Cubeshell's OAuth configuration automatically, and open a browser sign-in. Approve the connection there once, and the client keeps a token for it.
{
"mcpServers": {
"cubeshell": {
"type": "http",
"url": "https://api.cubeshell.com/mcp/c/cn_your_connection_id"
}
}
}tools/list to see exactly which tools this connection is authorized for. A connection only exposes tools if it was granted the tools:execute scope when it was created.What can go wrong
An unauthenticated request to a connection URL returns 401 with a WWW-Authenticate header pointing at Cubeshell's protected-resource metadata for that exact connection. A token that is valid but was never granted against this specific connection, or whose workspace membership is no longer active, also fails closed with 401— Cubeshell never falls back to a different workspace the account happens to belong to.