Connect a client

Wire Claude Desktop, Claude Code, or any MCP-aware client to this Mycelium instance over HTTP. Most people just paste the URL into their client and sign in with Google when prompted — no tokens to copy around.

Auth is disabled. The Authorization header is not required against this instance — but tokens still work and are recommended if you'll ever flip auth on.

How it works

Mycelium supports two ways to connect, depending on who's behind the client:

Sign in with browser (recommended for humans) — paste the URL into Claude Desktop or Claude Code and it'll open your browser to sign in via Google Workspace. No tokens to manage; the client gets one automatically.
Personal access token (for service accounts, CI, scripts) — mint a long-lived token in Settings and paste it into the client's config. Useful when there's no human at a browser to complete the sign-in flow.

Browser sign-in is invite-only — your @selectionlab.com address has to be on the allow list first. Ask an admin to invite you if you can't get in.

Client configuration

From any terminal where the claude CLI is installed:

add the server

loading…

Then drive the sign-in:

Open a Claude Code session: claude
Type /mcp to see the MCP picker.
Select mycelium — it'll show Needs authentication.
Claude opens your browser. Sign in with Google → click Allow on the consent page.
Status flips to Connected. You're done.

No config file editing needed — Claude Desktop has a built-in UI for this.

In Claude Desktop, open Settings → Connectors (called "Integrations" on some versions).
Click Add Custom Connector.
Paste the URL below as the connector address:
```
loading…
```
Click Add. Claude Desktop detects that Mycelium needs auth and opens your browser.
Sign in with Google → click Allow on the consent page.
The connector flips to "Connected". Open a new chat and Mycelium's tools appear in the tools menu.

Requires a recent Claude Desktop build (Connectors UI). If you don't see the option, update the app first.

Old way: edit config file manually

Only needed for older Claude Desktop versions, Linux, or unattended deployments. Edit the config file, save, then fully quit Claude (menu → Quit) and reopen — the app only reads config on startup.

claude_desktop_config.json

loading…

Config file location:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json
Linux: ~/.config/Claude/claude_desktop_config.json

For service accounts, CI agents, or anything that can't open a browser to sign in. Tokens never expire and are revocable individually.

Go to Settings → MCP tokens.
For a service account: ask an admin to create one in Settings → Users & invites, then mint a token under that account.
For a personal CI token: mint it under your own user. Pick a scope (reader / writer / admin; capped at your role).
Copy the token immediately — it's shown once.

Use it as a bearer header:

Claude Code with explicit token

loading…

Claude Desktop config with token

loading…

Mycelium speaks MCP over streamable HTTP and implements the MCP authorization spec (RFC 9728 protected resource metadata, RFC 8414 authorization server metadata, RFC 7591 Dynamic Client Registration, OAuth 2.1 with PKCE). Any client that supports those will work without per-client configuration beyond the MCP URL.

MCP endpoint

loading…

Discovery starts from the WWW-Authenticate header on the first 401 from /mcp. Clients that don't implement OAuth-based MCP can still use the token path above with Authorization: Bearer myc_….

Troubleshooting

Browser sign-in shows "this account is not authorized"

Your Google Workspace email is signed in but isn't on Mycelium's invite list. Sign-up is invite-only. Ask an admin to add you in Settings → Users & invites, then re-attempt sign-in.

Claude shows "Needs authentication" but clicking it does nothing

Browser blocked the popup, or the loopback callback port is firewalled. Allow popups for claude.ai / the desktop app, and ensure no firewall is blocking localhost:6274 (or whichever port Claude picked). Retry /mcp.

Claude shows "Failed to connect" instead of "Needs authentication"

The OAuth discovery handshake didn't complete. Verify the URL is exact (/mcp at the end, HTTPS). If the URL is right, check that /.well-known/oauth-authorization-server returns JSON in your browser — if it's a 404 or HTML page, the server isn't reachable.

401 from /mcp after I thought I authorized

Token was revoked (someone clicked Revoke on Settings), your user was suspended, or your user's role dropped below reader. Reauthorize via /mcp again; if that fails, an admin should check your row in Settings → Users & invites.

403 Forbidden on a specific tool

You're authenticated but lack the role for that tool. Reads need reader; writes need writer; deletes/merges need admin. Ask an admin to upgrade your role.

Service account token isn't working

Bearer header missing, token revoked, or service account suspended. curl -i -X POST https://mycelium.devgo.dev/mcp -H "Authorization: Bearer myc_…" -H "Content-Type: application/json" -H "Accept: application/json, text/event-stream" -d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-03-26","capabilities":{},"clientInfo":{"name":"x","version":"0"}}}' should return 200. 401 = token wrong or revoked.

Changes I make via MCP don't show in the UI

The UI caches the substrate dump per page load. Refresh to pick up new writes.

Endpoint reference

MCP endpointloading… Transportstreamable HTTP (MCP 2025-03-26) Authloading…