Auth & scopes

How OAuth works for the MCP server, scopes granted, token lifecycle, revocation.

The AdCrunch MCP server is OAuth-protected. Your AI client (Claude Desktop, Cursor, ChatGPT, …) goes through a standard OAuth 2.1 PKCE flow with security.adcrunch.dev and receives a short-lived bearer token plus a refresh token.

Scopes

OpenID Connect scopes identify you; AdCrunch service scopes gate what the tools can touch. You see one consent row per requested scope when you connect a client.

  • openid, profile, email — identifies your account.
  • insight:read — read your organization’s connected ad-account performance (list_advertisers, list_campaigns, list_ad_groups, list_ads, query_insights).
  • library:read — search the shared competitor ad-library corpus (search_ads).
  • skill:read — read your organization’s ad-ops playbooks (skill_list, skill_get).
  • skill:write — create, edit, and delete your playbooks (skill_create, skill_update, skill_delete).

`skill:write` is the first write scope

Most AdCrunch tools are read-only. skill:write lets a client modify your Skills, so it’s a distinct consent row — grant it only to clients you want authoring playbooks. A client that consents to skill:read only can run Skills but never change them.
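The scope list above can be turned into a least-privilege check on what a connected client was granted. The following is an added example, not AdCrunch code: the scope-to-tool mapping is copied from this page, while `audit_grant`, `parse_scopes` and the sample grant are hypothetical, and the scope string is assumed to be space-delimited as in standard OAuth.

```python
# Scope-to-tool mapping copied from the scope list on this page.
SCOPE_TOOLS = {
    "insight:read": {"list_advertisers", "list_campaigns", "list_ad_groups",
                     "list_ads", "query_insights"},
    "library:read": {"search_ads"},
    "skill:read": {"skill_list", "skill_get"},
    "skill:write": {"skill_create", "skill_update", "skill_delete"},
}
IDENTITY_SCOPES = {"openid", "profile", "email"}
WRITE_SCOPES = {"skill:write"}  # the only write scope the page lists


def parse_scopes(scope_string):
    """Split an OAuth scope string (space-delimited, RFC 6749 section 3.3)."""
    return set(scope_string.split())


def audit_grant(scope_string, needed_tools):
    """Compare granted scopes with the tools a client actually needs.

    Hypothetical helper: returns missing scopes, service scopes granted
    beyond need, any write scope held, and names this page does not define.
    """
    granted = parse_scopes(scope_string)
    needed = set(needed_tools)
    service = set(SCOPE_TOOLS)
    all_tools = set().union(*SCOPE_TOOLS.values())
    # Minimal service scopes: every scope that gates at least one needed tool.
    required = {s for s, tools in SCOPE_TOOLS.items() if tools & needed}
    return {
        "missing": sorted(required - granted),
        "excess": sorted((granted & service) - required),
        "write_granted": sorted(granted & WRITE_SCOPES),
        "unknown_scopes": sorted(granted - IDENTITY_SCOPES - service),
        "unknown_tools": sorted(needed - all_tools),
    }


if __name__ == "__main__":
    # Constructed sample: a reporting client that only reads insights and
    # runs existing Skills, but was also granted skill:write.
    grant = "openid profile email insight:read skill:read skill:write"
    print(audit_grant(grant, {"query_insights", "skill_get"}))
```

A non-empty `excess` or `write_granted` list for a client that should only read is the cue to revoke it and reconnect with fewer scopes.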

Token lifecycle

(todo: TTL, refresh behavior, revocation flow from the console)

Revoking access

Console → Account → Connected apps. Revoke any AI client and the next tool call from that client returns 401.