VectifyAI · ahonn · Sep 15, 2025 · Sep 12, 2025 · Sep 15, 2025
diff --git a/README.md b/README.md
@@ -20,32 +20,28 @@ PageIndex is a revolutionary document processing system that uses **reasoning-ba
 - **Local PDF Processing**: Upload local PDF files directly without manual uploads
 - **URL Support**: Process documents from URLs
 - **Full PageIndex Integration**: Access all PageIndex capabilities (OCR, tree generation, reasoning-based retrieval)
-- **Secure Authentication**: API key authentication with PageIndex platform
+- **Secure OAuth Authentication**: OAuth 2.1 with PKCE and automatic token refresh
 - **TypeScript**: Full type safety with MCP SDK
 - **Desktop Extension (DXT)**: One-click installation for Claude Desktop with secure configuration
 
 ## Usage
 
 ### Getting Started
 
-First, you'll need to create an API key:
-
-1. Visit https://dash.pageindex.ai/api-keys
-2. Create a new API key for your application
-3. Copy the API key for use in the configuration below
+The PageIndex MCP server uses OAuth 2.1 authentication for secure access. When you first run the server, it will guide you through the authentication process by opening your browser to authorize the application.
 
 ### For Claude Desktop (Recommended)
 
 **One-Click Installation with Desktop Extension (DXT):**
 
 1. Download the latest `.dxt` file from [Releases](https://github.com/VectifyAI/pageindex-mcp/releases)
 2. Double-click the `.dxt` file to install automatically in Claude Desktop
-3. Enter your PageIndex API key in the simple configuration interface
+3. The OAuth authentication will be handled automatically when you first use the extension
 
 **Benefits of DXT Installation:**
 
 - **No technical setup** - just download and double-click
-- **Secure configuration** - API keys stored securely by Claude Desktop
+- **Secure OAuth authentication** - handled automatically through your browser
 - **Automatic updates** - extensions update seamlessly
 - **Full local PDF support** - upload and process PDFs directly from your computer
 
@@ -64,34 +60,57 @@ Add to your MCP configuration:
   "mcpServers": {
     "pageindex": {
       "command": "npx",
-      "args": ["-y", "pageindex-mcp"],
-      "env": {
-        "PAGEINDEX_API_KEY": "<YOUR_PAGEINDEX_API_KEY>"
-      }
+      "args": ["-y", "pageindex-mcp"]
     }
   }
 }
 ```
 
-#### Option 2: Remote MCP Server
+**Authentication Process:**
+1. When you first connect, the server will automatically open your browser for OAuth authentication
+2. Log in to your PageIndex account and authorize the application
+3. The authentication tokens are securely stored locally and automatically refreshed
+4. Subsequent connections will use the stored credentials automatically
+
+> **Note**: This local server provides full PDF upload capabilities and handles all authentication automatically.
 
-Alternatively, connect directly to PageIndex without this wrapper:
+#### Option 2: Direct Connection to PageIndex
+
+Connect directly to the PageIndex OAuth-enabled MCP server:
 
 ```json
 {
   "mcpServers": {
     "pageindex": {
       "type": "http",
-      "url": "https://dash.pageindex.ai/api/mcp",
-      "headers": {
-        "Authorization": "Bearer <YOUR_PAGEINDEX_API_KEY>"
-      }
+      "url": "https://mcp.pageindex.ai"
+    }
+  }
+}
+```
+
+**Authentication Process:**
+1. The MCP client will automatically handle the OAuth flow
+2. You'll be redirected to authorize the application in your browser
+3. Authentication tokens are managed by the MCP client
+4. Automatic token refresh is handled by the server
+
+**For clients that don't support HTTP MCP servers:**
+
+If your MCP client doesn't support HTTP servers directly, you can use [mcp-remote](https://github.com/geelen/mcp-remote) as a bridge:
+
+```json
+{
+  "mcpServers": {
+    "pageindex": {
+      "command": "npx",
+      "args": ["-y", "mcp-remote", "https://mcp.pageindex.ai"]
     }
   }
 }
 ```
 
-> **Note**: Option 1 provides local PDF upload capabilities, while Option 2 connects directly to PageIndex but requires manual PDF uploads via the dashboard.
+> **Note**: Option 1 provides local PDF upload capabilities, while Option 2 only supports PDF processing via URLs (no local file uploads).
 
 ## Available Tools
 

diff --git a/manifest.json b/manifest.json
@@ -4,7 +4,7 @@
   "display_name": "PageIndex",
   "version": "1.1.2",
   "description": "MCP server for PageIndex",
-  "long_description": "This extension provides access to PageIndex's next-generation reasoning-based RAG system. Unlike traditional vector search, PageIndex uses multi-step reasoning to understand and retrieve information from documents.",
+  "long_description": "This extension provides access to PageIndex's next-generation reasoning-based RAG system. Unlike traditional vector search, PageIndex uses multi-step reasoning to understand and retrieve information from documents. Authentication is handled automatically via OAuth 2.1.",
   "author": {
     "name": "VectifyAI",
     "url": "https://github.com/VectifyAI"
@@ -19,7 +19,8 @@
     "document-processing",
     "pdf",
     "ocr",
-    "reasoning-rag"
+    "reasoning-rag",
+    "oauth"
   ],
   "license": "MIT",
   "compatibility": {
@@ -34,26 +35,7 @@
     "entry_point": "build/index.js",
     "mcp_config": {
       "command": "node",
-      "args": ["${__dirname}/build/index.js"],
-      "env": {
-        "PAGEINDEX_API_KEY": "${user_config.api_key}",
-        "PAGEINDEX_API_URL": "${user_config.api_url}"
-      }
-    }
-  },
-  "user_config": {
-    "api_key": {
-      "type": "string",
-      "title": "PageIndex API Key",
-      "description": "Your PageIndex API key. Get one at https://dash.pageindex.ai/api-keys",
-      "required": true
-    },
-    "api_url": {
-      "type": "string",
-      "title": "PageIndex API URL",
-      "description": "PageIndex API base URL (optional, defaults to https://dash.pageindex.ai)",
-      "required": false,
-      "default": "https://dash.pageindex.ai"
+      "args": ["${__dirname}/build/index.js"]
     }
   }
 }
diff --git a/package.json b/package.json
@@ -32,9 +32,12 @@
   "license": "MIT",
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.17.3",
+    "@types/lodash": "^4.17.20",
     "date-fns": "^4.1.0",
+    "lodash": "^4.17.21",
     "mime-types": "^2.1.35",
     "p-retry": "^7.0.0",
+    "pkce-challenge": "^5.0.0",
     "zod": "^3.23.8",
     "zod-to-json-schema": "^3.24.6"
   },

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
diff --git a/src/client/auth.ts b/src/client/auth.ts
@@ -1,25 +1,37 @@
+import type { OAuthTokens } from '@modelcontextprotocol/sdk/shared/auth.js';
 import type { FetchLike } from '@modelcontextprotocol/sdk/shared/transport.js';
 
 /**
- * Creates an authenticated fetch function that adds Bearer token authentication
- * This is a simplified approach compared to implementing the complex OAuth interface
+ * Creates an OAuth-authenticated fetch function that adds Bearer token authentication
+ * using OAuth access tokens with automatic refresh capability
  */
-export function createAuthenticatedFetch(
-  apiKey: string,
+export function createOAuthAuthenticatedFetch(
+  getTokens: () => Promise<OAuthTokens | undefined>,
   additionalHeaders: Record<string, string> = {},
 ): FetchLike {
   return async (input: string | URL, init?: RequestInit): Promise<Response> => {
+    const tokens = await getTokens();
+    if (!tokens?.access_token) {
+      throw new Error('No valid OAuth access token available');
+    }
+
     const headers = new Headers(init?.headers);
-    headers.set('Authorization', `Bearer ${apiKey}`);
+    headers.set('Authorization', `Bearer ${tokens.access_token}`);
 
-    // Add additional headers (like client identification)
     Object.entries(additionalHeaders).forEach(([key, value]) => {
       headers.set(key, value);
     });
 
-    return fetch(input, {
+    const response = await fetch(input, {
       ...init,
       headers,
     });
+
+    // If we get 401 Unauthorized, the token has expired
+    if (response.status === 401) {
+      throw new Error('TOKEN_EXPIRED');
+    }
+
+    return response;
   };
 }