Integration

Authentication

How Dock AI handles user authentication and authorization with OAuth 2.0.

Overview

Dock AI uses OAuth 2.0 with PKCE (Proof Key for Code Exchange) to securely authenticate users and authorize AI assistants to perform actions on their behalf.

Info

Users only need to authenticate once. Access tokens are automatically refreshed and can be revoked at any time from the dashboard.

OAuth 2.0 Flow

When an AI assistant requests an action that requires user authentication:

Authentication Flow
1. AI Assistant → Dock AI MCP Server
   "Create booking for user X"

2. Dock AI checks auth status
   Is user authenticated? Does token have required scopes?

3. If not authenticated:
   → Return authorization URL
   → AI presents link to user

4. User clicks link → Dock AI OAuth page
   → User logs in (or creates account)
   → User reviews and grants permissions

5. Dock AI issues access token
   → Redirects back to AI assistant

6. AI retries the original action
   → Action succeeds with user context
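Steps 3 to 5 above, written out from the AI-assistant client's side as an added example (this is not code from the Dock AI project). It generates the PKCE verifier and S256 challenge, builds the authorization URL against the endpoints listed in the OAuth Endpoints section, checks the `state` on the callback, and assembles the form body for the code exchange; nothing is sent over the network. `CLIENT_ID` and `REDIRECT_URI` are assumed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoints as documented on the page; client_id / redirect_uri are assumed placeholders.
AUTHORIZE_URL = "https://dockai.co/auth/mcp/authorize"
TOKEN_URL = "https://dockai.co/api/v1/oauth/token"
CLIENT_ID = "example-ai-assistant"               # placeholder
REDIRECT_URI = "http://localhost:8765/callback"  # placeholder (loopback redirect)


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # 32 random bytes -> 43-character verifier, inside the 43..128 range of RFC 7636.
    # The verifier never leaves the client until the code exchange.
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(verifier)). Only this value goes in the URL."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(verifier: str, state: str, scopes) -> str:
    """Authorization URL for step 3; `scopes` are the page's scope names, space-separated."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect (step 5).

    A mismatched state means the callback does not belong to the request this
    client started, so it is rejected before the code is ever used.
    """
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this request")
    if "error" in q:
        raise ValueError(f"authorization not granted: {q['error'][0]}")
    return q["code"][0]


def build_token_request(code: str, verifier: str) -> dict:
    """Form body to POST to TOKEN_URL. The server recomputes S256(code_verifier) and
    compares it with the challenge stored alongside the code, which is what makes an
    intercepted code useless without the verifier."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }


if __name__ == "__main__":
    verifier = make_code_verifier()
    state = b64url(secrets.token_bytes(16))
    print(build_authorization_url(verifier, state, ["businesses:read", "requests:write"]))
```

The verifier and state are kept in memory for the duration of one flow and discarded afterwards; a fresh pair is generated for every authorization attempt.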

Scopes

Scopes define what actions an AI assistant can perform on behalf of a user. Users explicitly grant each scope during authorization.

Scope             Description
businesses:read   Search and view business listings
requests:write    Create bookings and send contact requests
requests:read     View user's booking history and requests

Token Lifecycle

Access Tokens

  • Short-lived (1 hour by default)
  • Automatically refreshed by AI assistants
  • Scoped to specific permissions

Refresh Tokens

  • Long-lived (30 days by default)
  • Used to obtain new access tokens
  • Rotated on each use for security

Warning

If a user revokes access, all tokens are immediately invalidated. The AI assistant will need to request re-authorization.
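The client-side bookkeeping that the Token Lifecycle and Scopes sections imply, as an added example rather than Dock AI's own code: an access token is refreshed shortly before its `expires_in` elapses, each refresh response's new refresh token replaces the old one (rotation), a missing scope cannot be fixed by refreshing and sends the user back through authorization, and a revocation clears the store. `CLIENT_ID` is an assumed placeholder and the token responses are constructed inline; no requests are sent.

```python
from dataclasses import dataclass

TOKEN_URL = "https://dockai.co/api/v1/oauth/token"
CLIENT_ID = "example-ai-assistant"  # assumed placeholder


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: float      # absolute epoch seconds
    scopes: frozenset


class TokenStore:
    """Holds one short-lived access token and its rotating refresh token."""

    # Refresh a minute early so an in-flight request does not land on an expired token.
    SKEW_SECONDS = 60

    def __init__(self):
        self.current = None

    def apply_token_response(self, resp: dict, now: float) -> TokenSet:
        """Store a token endpoint response (constructed dict in this example).

        When the response carries a refresh_token it replaces the previous one;
        the old value is not kept anywhere because it is no longer valid.
        """
        previous_refresh = self.current.refresh_token if self.current else None
        self.current = TokenSet(
            access_token=resp["access_token"],
            refresh_token=resp.get("refresh_token", previous_refresh),
            expires_at=now + int(resp["expires_in"]),
            scopes=frozenset(resp.get("scope", "").split()),
        )
        return self.current

    def needs_refresh(self, now: float) -> bool:
        return self.current is None or now >= self.current.expires_at - self.SKEW_SECONDS

    def has_scopes(self, required) -> bool:
        return self.current is not None and set(required) <= self.current.scopes

    def build_refresh_request(self) -> dict:
        """Form body to POST to TOKEN_URL to obtain a new access token."""
        return {
            "grant_type": "refresh_token",
            "refresh_token": self.current.refresh_token,
            "client_id": CLIENT_ID,
        }

    def invalidate(self) -> None:
        """Called when the user revoked access or the server answered invalid_grant:
        every token is gone and the next action must re-authorize."""
        self.current = None


def decide_action(store: TokenStore, required_scopes, now: float) -> str:
    """Step 2 of the flow from the client's side.

    Returns "reauthorize" (no token, or token lacks a scope the action needs;
    a refresh cannot add scopes), "refresh" (token present but about to expire)
    or "proceed".
    """
    if store.current is None or not store.has_scopes(required_scopes):
        return "reauthorize"
    if store.needs_refresh(now):
        return "refresh"
    return "proceed"
```

The scope check runs before the expiry check on purpose: refreshing a token that was never granted `requests:write` would only produce another token without it, so the assistant goes straight to the authorization URL instead of wasting a refresh.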

Security Best Practices

  • PKCE Required – All OAuth flows require PKCE for protection against interception attacks
  • HTTPS Only – All endpoints require TLS 1.2+
  • Token Binding – Tokens are bound to the client that requested them
  • Rate Limiting – Auth endpoints are rate-limited to prevent abuse
  • Audit Logging – All authentication events are logged

OAuth Endpoints

OAuth 2.0 Endpoints
Authorization: https://dockai.co/auth/mcp/authorize
Token:         https://dockai.co/api/v1/oauth/token
Introspect:    https://dockai.co/api/v1/oauth/introspect
Revoke:        https://dockai.co/api/v1/oauth/revoke

Discovery:     https://dockai.co/.well-known/oauth-authorization-server