Auth Links are shareable URLs that allow users to authenticate with the MCP servers in your project. When a user visits an auth link, they see which servers need authentication and provide their credentials through a guided flow.

Caylex supports two types of auth links, corresponding to the two levels of server authentication:

User auth links let individual users authenticate with their own credentials. They are designed for broad distribution.
  • Domain restriction — restricted by email domain (e.g., anyone with @company.com can use the link)
  • Unlimited uses — multiple users can authenticate through the same link
  • User-level credentials — each user provides and stores their own credentials
Use for: distributing authentication to many users in an organization (e.g., “All engineers at Acme Corp can authenticate their GitHub accounts”).

Project auth links let a specific person provide shared credentials for the entire project. They are designed for one-time admin setup.
  • Email restriction — restricted to a specific email address
  • Single use — the link can only be used once
  • Project-level credentials — credentials are shared across all users in the project
Use for: setting up service accounts or shared API keys (e.g., “The admin provides the company CRM API key”).
1. Navigate to your project
Go to the Projects page and select the project where you want to create the auth link.

2. Open Auth Links
Click on the Auth Links tab in the project view.

3. Create a new auth link
Click Create Auth Link and select the type:

4. Share the link
Copy the generated link and share it with the intended user(s).
The auth link is active and ready for users to authenticate.

The user authentication experience

When a user visits an auth link, they go through a guided authentication flow:
1. Sign in
The user signs in with their email. The system validates that their email matches the link’s restrictions (domain for user links, exact email for project links).
2. Review servers
The user sees which servers need authentication and what method each requires:
  • OAuth servers — a “Connect” button that starts the OAuth authorization flow
  • Header servers — a form to enter API keys or Bearer tokens
  • Path servers — a form to enter URL path parameter values
  • Query servers — a form to enter query parameter values
3. Provide credentials
The user authenticates with each server:
  • For OAuth — they click “Connect”, authorize with the external provider, and return to Caylex
  • For Header/Path/Query — they enter the required values in the form
Users can authenticate with a subset of servers. They do not need to complete all servers at once.
4. Credentials stored securely
Once completed:
  • OAuth tokens are stored by the identity provider (never in Caylex’s database)
  • Header, Path, and Query values are encrypted and stored in AWS Parameter Store
The user is now authenticated and the Navigator can use their credentials when executing tools on their behalf.
From the Auth Links tab in your project, you can:
  • View all links — see active and expired links with their type, expiration, and usage
  • View authenticated users — see which users have completed authentication through each link
  • Edit links — update domain/email restrictions or expiration
  • Delete links — remove a link (does not revoke existing user credentials)
Caylex also supports playground auth links for testing and development. These work like user auth links but are scoped to the platform’s built-in playground environment, allowing you to test agent behavior with your own credentials.
Auth links grant sensitive access. Set appropriate expiration dates and restrict them to the minimum necessary audience. Deleting an auth link does not revoke credentials that were already provided through it. To revoke individual user access, use the Managing Users page.