Authentication

Two ways in, depending on your client. Both resolve to your Lemon Domains account and only ever touch your own data.

Bearer token (Claude Code, Cursor, CLI/CI)

Clients that let you set a request header authenticate with a personal access token. Create one on the MCP page, then send it on every request:

code

Authorization: Bearer lemd_xxxxxxxxxxxxxxxx

Shown once. Only a SHA-256 hash is stored; the raw value can't be recovered. Generate a new one if you lose it.
Prefix. Tokens start with lemd_; the dashboard shows the prefix so you can tell them apart.
Expiry. Optional: 30 days, 90 days, 1 year, or never.
Revocable. Revoke any time; the next request returns 401 immediately.

Treat a token like a password. It grants full read and write access to your portfolio. Prefer short-lived tokens for one-off tasks.

OAuth (Claude.ai, Claude Desktop, ChatGPT)

Connector clients use OAuth instead of a token. When you add https://mcp.lemon.domains/mcp as a custom connector and click Connect, you are redirected to sign in, approve access, and returned automatically, with no token to copy. Sign in with the same email as your Lemon Domains account; that is how the connection maps to your data.

Under the hood the server publishes OAuth 2.0 Protected Resource Metadata at https://mcp.lemon.domains/.well-known/oauth-protected-resource, so compatible clients discover the authorization server automatically.

How your data is scoped

Every tool only reads or writes data owned by your account.
Project roles are enforced: viewers can read but not write; some actions are owner-only.
Registrar API keys and secrets are never exposed via MCP.

← Quickstart Connect a client