Authentication & Scopes

The Booked55 MCP server supports two authentication methods: OAuth 2.0 for interactive AI clients like ChatGPT, and API keys for programmatic access.

OAuth 2.0 (ChatGPT & browser-based clients)

When you connect ChatGPT or another browser-based AI client, the MCP server uses the OAuth 2.0 Authorization Code flow with PKCE (Proof Key for Code Exchange). This is the same standard used by Google, GitHub, and other major platforms.

How the flow works

1. Authorise: ChatGPT redirects you to the Booked55 login page with a client_id, redirect_uri, requested scope, and a code_challenge.
2. Login & consent: You sign in with your Booked55 credentials and approve the requested permissions.
3. Callback: Booked55 redirects back to ChatGPT with an authorization code.
4. Token exchange: ChatGPT exchanges the code (plus the code_verifier) for an access token and refresh token.
5. API calls: ChatGPT includes the access token in every MCP tool call. When it expires, the refresh token is used to get a new one.

OAuth endpoints

API Key (programmatic access)

For scripts, automations, or non-browser AI clients, you can authenticate with an API key instead of OAuth.

1. Go to Workspace Settings → API Keys in your Booked55 dashboard.
2. Click Generate API Key.
3. Copy the key (it starts with vg_).
4. Pass it in the Authorization header:

   Authorization: Bearer vg_your_api_key_here

Scopes

Scopes control what the MCP server is allowed to do on your behalf. When you authorise via OAuth, you approve the requested scopes.

Related

• Connect ChatGPT to Booked55
• Available MCP Tools
• Manage API Keys