Documentation Index
Fetch the complete documentation index at: https://docs.loopreturns.com/llms.txt
Use this file to discover all available pages before exploring further.
The Loop MCP Server is currently in preview. Authentication details described here may evolve before general availability.
This is not the same OAuth flow used by the REST API. REST API OAuth is for partner integrations that act on behalf of merchants. MCP OAuth is initiated by the merchant themselves through their MCP client.
Discovery
When an MCP client first connects tohttps://api.loopreturns.com/mcp, it fetches the protected resource metadata to discover the authorization server:
Authorization endpoints
| Endpoint | Purpose |
|---|---|
POST /oauth/register | Dynamic Client Registration (RFC 7591) |
GET /oauth/authorize | Begin the authorization flow |
GET /oauth/callback | Receive the upstream authorization code |
POST /oauth/token | Exchange the code for an id_token |
https://api.loopreturns.com.
Flow overview
Multi-tenant shop resolution
A single email can be associated with multiple Loop shops. The MCP OAuth flow resolves the right shop in one of three ways:login_hintprovided. The client passes the email up front; Loop looks up the associated shops.- Email form. If no hint is provided, Loop shows an email input form.
- Shop selector. If the email is associated with more than one shop, Loop shows a shop selection form before redirecting to Auth0.
org_id claim of the issued id_token.
Token format
Loop issues a signedid_token (not an opaque access token). The token is a standard JWT with these notable claims:
| Claim | Description |
|---|---|
iss | Loop’s Auth0 tenant (https://loopreturns-orgs.us.auth0.com/) |
aud | The MCP client’s client_id |
sub | The Auth0 user ID |
org_id | The Auth0 organization ID, mapped to a Loop shop |
email | The merchant’s email address |
exp | Token expiration (1 hour from issue) |
Loop swaps Auth0’s encrypted
access_token for the signed id_token before returning it to the client. This is intentional — MCP clients need a verifiable JWT they can present as a Bearer token, and the encrypted Auth0 access token is opaque.Using the token
Pass theid_token as a Bearer token in the Authorization header on every MCP request:
org_id to a Loop shop, and loads the corresponding user.
Permissions
Once authenticated, the user is subject to the same role-based permissions that govern their access to the Loop Admin. Each MCP tool declares the permissions it requires (OR logic — at least one is sufficient). If a user lacks every required permission, the tool returns an authorization error and is hidden from the assistant’s tool catalog where possible.Token lifetime and refresh
| Property | Value |
|---|---|
id_token lifetime | 1 hour |
| Refresh tokens | Not currently issued |
client_id from dynamic registration and complete the refresh in the background.
Rate limits
| Endpoint | Limit |
|---|---|
/.well-known/* | 100/hour per IP |
/oauth/register | 50/hour per IP |
/oauth/authorize | 100/hour per IP |
/oauth/token | 100/hour per IP |
/mcp (tool calls) | 600/hour per authenticated user |
429 Too Many Requests with a Retry-After header.
Troubleshooting
The browser opens but I see 'Email not found'
The browser opens but I see 'Email not found'
Loop didn’t find any shops associated with the email you submitted. Confirm the email matches a user record in your Loop Admin (under Settings → Team).
Authentication succeeds but tool calls return 'Unauthorized'
Authentication succeeds but tool calls return 'Unauthorized'
The MCP client says 'Token expired'
The MCP client says 'Token expired'
id_tokens expire after one hour. Reconnect the server in your MCP client to start a fresh OAuth flow.Next steps
Get Started
Connect Claude, Cursor, or VS Code Copilot to the Loop MCP Server.
Overview
See the full list of tools the MCP server exposes.