> ## Documentation Index
> Fetch the complete documentation index at: https://openworklabs.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Register a new External MCP Connection for the org

> Admin-only. Registers a third-party MCP server by name + URL and grants access (org-wide, teams, or members). Use GET /v1/mcp-connections/presets for known server URLs (Notion, Linear, Stripe, Sentry, Slack, Context7). For credentialMode per_member, each member connects their own account afterwards — share links.yourConnections from the response so teammates know where to sign in. For servers with pre-registered OAuth apps, whitelist links.oauthCallback. API-key and OAuth-client credentials cannot be created through the agent surface; use the dashboard.



## OpenAPI

````yaml /openapi.json post /v1/mcp-connections
openapi: 3.1.0
info:
  title: Den API
  description: >-
    OpenAPI spec for the Den control plane API.


    Authentication:

    - Use `Authorization: Bearer <session-token>` for user-authenticated routes
    that require a Den session.

    - Use `x-api-key: <den-api-key>` for API-key-authenticated routes that
    accept organization API keys.

    - Public routes like health and documentation do not require authentication.


    Swagger tip: use the security schemes in the Authorize dialog to set either
    `bearerAuth` or `denApiKey` before trying protected endpoints.
  version: dev
servers: []
security: []
tags:
  - name: System
    description: Service health and operational routes.
  - name: Organizations
    description: Top-level organization creation and context routes.
  - name: Invitations
    description: Invitation preview, acceptance, creation, and cancellation routes.
  - name: API Keys
    description: Organization API key management routes.
  - name: SCIM
    description: Organization SCIM connector management routes.
  - name: SSO
    description: Organization single sign-on connector management routes.
  - name: Members
    description: Organization member management routes.
  - name: Roles
    description: Organization custom role management routes.
  - name: Teams
    description: Organization team management routes.
  - name: Templates
    description: Organization shared template routes.
  - name: LLM Providers
    description: Organization LLM provider catalog, configuration, and access routes.
  - name: Skills
    description: Organization skill authoring and sharing routes.
  - name: Skill Hubs
    description: Organization skill hub management and access routes.
  - name: Workers
    description: Worker lifecycle, billing, and runtime routes.
  - name: Worker Runtime
    description: Worker runtime inspection and upgrade routes.
  - name: Worker Activity
    description: Worker heartbeat and activity reporting routes.
  - name: Telemetry
    description: Telemetry event ingestion and adoption analytics.
  - name: Admin
    description: Administrative reporting routes.
  - name: Users
    description: Current user and membership routes.
  - name: Bootstrap
    description: Agent-first provisional workspace setup routes.
paths:
  /v1/mcp-connections:
    post:
      tags:
        - Capability Sources
      summary: Register a new External MCP Connection for the org
      description: >-
        Admin-only. Registers a third-party MCP server by name + URL and grants
        access (org-wide, teams, or members). Use GET
        /v1/mcp-connections/presets for known server URLs (Notion, Linear,
        Stripe, Sentry, Slack, Context7). For credentialMode per_member, each
        member connects their own account afterwards — share
        links.yourConnections from the response so teammates know where to sign
        in. For servers with pre-registered OAuth apps, whitelist
        links.oauthCallback. API-key and OAuth-client credentials cannot be
        created through the agent surface; use the dashboard.
      operationId: postV1McpConnections
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                name:
                  type: string
                  minLength: 1
                  maxLength: 255
                url:
                  type: string
                  maxLength: 2048
                  format: uri
                authType:
                  type: string
                  enum:
                    - oauth
                    - apikey
                    - none
                credentialMode:
                  default: shared
                  type: string
                  enum:
                    - shared
                    - per_member
                apiKey:
                  type: string
                  minLength: 1
                  maxLength: 4096
                oauthClient:
                  type: object
                  properties:
                    clientId:
                      type: string
                      minLength: 1
                      maxLength: 512
                    clientSecret:
                      type: string
                      minLength: 1
                      maxLength: 4096
                  required:
                    - clientId
                access:
                  $ref: '#/components/schemas/ExternalMcpConnectionAccessInput'
              required:
                - name
                - url
                - authType
      responses:
        '200':
          description: Connection created.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ExternalMcpConnectionCreatedResponse'
        '400':
          description: Invalid request.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/InvalidRequestError'
        '401':
          description: The caller must be signed in.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/UnauthorizedError'
        '403':
          description: Only workspace owners and admins can add MCP connections.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ForbiddenError'
        '502':
          description: The upstream MCP server could not be reached.
          content:
            application/json:
              schema:
                $ref: >-
                  #/components/schemas/ExternalMcpConnectionValidationFailedError
components:
  schemas:
    ExternalMcpConnectionAccessInput:
      type: object
      properties:
        orgWide:
          default: false
          type: boolean
        memberIds:
          default: []
          maxItems: 200
          type: array
          items:
            type: string
            minLength: 1
        teamIds:
          default: []
          maxItems: 200
          type: array
          items:
            type: string
            minLength: 1
    ExternalMcpConnectionCreatedResponse:
      type: object
      properties:
        id:
          type: string
        name:
          type: string
        url:
          type: string
        authType:
          type: string
          enum:
            - oauth
            - apikey
            - none
        credentialMode:
          type: string
          enum:
            - shared
            - per_member
        connected:
          type: boolean
        connectedAt:
          anyOf:
            - type: string
            - type: 'null'
        updatedAt:
          type: string
          format: date-time
          pattern: >-
            ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z))$
        connectedForMe:
          type: boolean
        needsReconnect:
          type: boolean
        missingFeatures:
          type: array
          items:
            type: string
        externalAccountId:
          anyOf:
            - type: string
            - type: 'null'
        grantedScopes:
          type: array
          items:
            type: string
        tenantId:
          anyOf:
            - type: string
            - type: 'null'
        requiredBy:
          type: array
          items:
            $ref: '#/components/schemas/ExternalMcpConnectionRequiredBy'
        identityManagedBy:
          type: array
          items:
            $ref: '#/components/schemas/ExternalMcpConnectionRequiredBy'
        access:
          anyOf:
            - $ref: '#/components/schemas/ExternalMcpConnectionAccessSummary'
            - type: 'null'
        oauthClientId:
          anyOf:
            - type: string
            - type: 'null'
        links:
          type: object
          properties:
            yourConnections:
              type: string
            oauthCallback:
              type: string
          required:
            - yourConnections
            - oauthCallback
      required:
        - id
        - name
        - url
        - authType
        - credentialMode
        - connected
        - connectedAt
        - connectedForMe
        - requiredBy
        - access
        - links
    InvalidRequestError:
      type: object
      properties:
        error:
          type: string
          const: invalid_request
        details:
          type: array
          items:
            type: object
            properties:
              message:
                type: string
              path:
                type: array
                items:
                  anyOf:
                    - type: string
                    - type: number
            required:
              - message
            additionalProperties: {}
      required:
        - error
        - details
    UnauthorizedError:
      type: object
      properties:
        error:
          type: string
          const: unauthorized
      required:
        - error
    ForbiddenError:
      type: object
      properties:
        error:
          type: string
          enum:
            - forbidden
            - reauth
        reason:
          type: string
        message:
          type: string
      required:
        - error
    ExternalMcpConnectionValidationFailedError:
      type: object
      properties:
        error:
          type: string
          const: connection_validation_failed
        message:
          type: string
        diagnostic:
          $ref: '#/components/schemas/ExternalMcpDiagnostic'
      required:
        - error
        - message
        - diagnostic
    ExternalMcpConnectionRequiredBy:
      type: object
      properties:
        pluginId:
          type: string
        name:
          type: string
      required:
        - pluginId
        - name
    ExternalMcpConnectionAccessSummary:
      type: object
      properties:
        orgWide:
          type: boolean
        memberIds:
          type: array
          items:
            type: string
        teamIds:
          type: array
          items:
            type: string
      required:
        - orgWide
        - memberIds
        - teamIds
    ExternalMcpDiagnostic:
      type: object
      properties:
        referenceId:
          type: string
        phase:
          type: string
          enum:
            - CONFIGURATION
            - NETWORK_DNS
            - NETWORK_TCP
            - NETWORK_TLS
            - HTTP_ROUTING
            - AUTH_RESOURCE_DISCOVERY
            - AUTH_ISSUER_DISCOVERY
            - AUTH_CLIENT_REGISTRATION
            - AUTH_USER_OR_WORKLOAD
            - AUTH_TOKEN_ACQUISITION
            - AUTH_RESOURCE_VALIDATION
            - MCP_TRANSPORT
            - MCP_VERSION
            - MCP_INITIALIZE
            - MCP_INITIALIZED
            - MCP_TOOL_DISCOVERY
            - MCP_TOOL_EXECUTION
            - PROVIDER_AUTHORIZATION
            - PROVIDER_EXECUTION
            - CONTINUITY_REFRESH
            - CONTINUITY_SESSION
            - SHUTDOWN
        category:
          type: string
        code:
          type: string
        highestPassed:
          type: string
          enum:
            - configured
            - reachable
            - authorized
            - protocol_ready
            - catalog_ready
            - operation_ready
        retryable:
          type: boolean
        actionOwner:
          type: string
          enum:
            - openwork
            - network_admin
            - provider_admin
            - organization_admin
            - member
        operatorAction:
          type: string
        message:
          type: string
        httpStatus:
          type: integer
          minimum: 100
          maximum: 599
        operationPhase:
          type: string
          enum:
            - CONFIGURATION
            - NETWORK_DNS
            - NETWORK_TCP
            - NETWORK_TLS
            - HTTP_ROUTING
            - AUTH_RESOURCE_DISCOVERY
            - AUTH_ISSUER_DISCOVERY
            - AUTH_CLIENT_REGISTRATION
            - AUTH_USER_OR_WORKLOAD
            - AUTH_TOKEN_ACQUISITION
            - AUTH_RESOURCE_VALIDATION
            - MCP_TRANSPORT
            - MCP_VERSION
            - MCP_INITIALIZE
            - MCP_INITIALIZED
            - MCP_TOOL_DISCOVERY
            - MCP_TOOL_EXECUTION
            - PROVIDER_AUTHORIZATION
            - PROVIDER_EXECUTION
            - CONTINUITY_REFRESH
            - CONTINUITY_SESSION
            - SHUTDOWN
        outbound:
          type: object
          properties:
            origin:
              type: string
            pathHash:
              type: string
          required:
            - origin
            - pathHash
        providerRequestId:
          type: string
        jsonRpcCode:
          type: integer
          minimum: -9007199254740991
          maximum: 9007199254740991
      required:
        - referenceId
        - phase
        - category
        - code
        - highestPassed
        - retryable
        - actionOwner
        - operatorAction
        - message

````