Authentication
Understand SalesTouch OAuth, MCP scopes, account resolution, and authorization failures.
SalesTouch uses OAuth 2.1 with PKCE. MCP clients discover the authorization server automatically from the protected-resource metadata published beside the remote MCP endpoint.
Scopes
| Scope | Purpose |
|---|---|
openid | Identifies the signed-in SalesTouch user. |
offline_access | Allows the MCP client to refresh access without repeated login prompts. |
salestouch:use | Grants access to the SalesTouch MCP service. |
linkedin:access | Grants the LinkedIn read and write capabilities approved during consent. |
Every tool page lists its required scopes. SalesTouch checks scopes before executing the tool and returns a new OAuth challenge when a permission is missing.
Account resolution
Most tools accept an optional account_id. When it is omitted, SalesTouch selects an eligible connected account and reuses a lead owner account when one is already known.
Use linkedin_accounts when you need to inspect or explicitly select an account. Never invent an account identifier.
Authentication sequence
- Add
https://www.salestouch.io/api/mcpto the MCP client. - Start the client login flow.
- Sign in to SalesTouch in the browser.
- Review and approve the requested scopes.
- Return to the client and start a fresh task or conversation.
- Verify access with
linkedin_accounts.
Authorization errors
invalid_token or authorization required
The MCP entry exists, but the OAuth session is absent or expired. Run the client login flow again and then reload the tool list.
insufficient_scope
The current token does not include the permission required by the requested tool. Reconnect the MCP and approve the new scope.
paid_plan_required
Authentication succeeded, but the workspace does not currently have LinkedIn MCP access. Change the SalesTouch workspace entitlement before retrying.
No LinkedIn accounts returned
OAuth is working, but SalesTouch has no usable LinkedIn account for the workspace. Connect LinkedIn in SalesTouch, then call linkedin_accounts again.
Continue with workflows once the read-only verification succeeds.