Technical Docs
Authentication
The connector uses OAuth 2.0 Authorization Code flow with PKCE. The API key functions as the access token passed to all backend requests.
OAuth Flow
- Claude fetches `/.well-known/oauth-authorization-server`
- Claude redirects the user to `/authorize` with PKCE parameters
- User enters their warenquelle API key in the authorization form
- The key is returned as the authorization `code` to Claude's callback
- Claude exchanges the code at `/token` for an access token
- All subsequent MCP requests include `Authorization: Bearer <api_key>`
API Key Validation
On each tool call, the backend validates the Bearer token against
the wq_mcp_api_keys table:
```sql
SELECT MERCH_UUID, MARKET_UUID
FROM wq_mcp_api_keys
WHERE api_key = :key
AND is_active = 1
```
If the key is valid, last_used is updated and the request
proceeds scoped to that merchant and market.
If invalid or inactive, the backend returns HTTP 403.
API Key Format
| Property | Value |
|---|---|
| Format | wq_live_ + 24 random characters |
| Length | max. 64 characters |
| Scope | One key per merchant + market combination |
| Revocation | Set is_active = 0 to immediately revoke |
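The validation and revocation behaviour described in the two sections above, as an added example that is not the connector's own code. It assumes an in-memory SQLite table standing in for the backend database; the column types, the `last_used` timestamp format, the function names and the sample rows are all constructed for illustration.

```python
import sqlite3
from datetime import datetime, timezone

KEY_PREFIX = "wq_live_"  # prefix from the format table
MAX_KEY_LEN = 64         # maximum length from the format table


def open_demo_db():
    """In-memory stand-in for the backend database (constructed sample rows)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE wq_mcp_api_keys (api_key TEXT PRIMARY KEY, MERCH_UUID TEXT,"
        " MARKET_UUID TEXT, is_active INTEGER NOT NULL, last_used TEXT)"
    )
    db.executemany(
        "INSERT INTO wq_mcp_api_keys VALUES (?, ?, ?, ?, NULL)",
        [("wq_live_" + "A" * 24, "merch-1", "market-de", 1),
         ("wq_live_" + "B" * 24, "merch-2", "market-at", 0)],  # second key is revoked
    )
    return db


def validate_request(db, authorization_header):
    """Return (status, scope); scope is None unless the key is valid and active."""
    scheme, _, key = (authorization_header or "").partition(" ")
    # Reject malformed input before touching the database.
    if scheme.lower() != "bearer" or not key.startswith(KEY_PREFIX) or len(key) > MAX_KEY_LEN:
        return 403, None
    row = db.execute(
        "SELECT MERCH_UUID, MARKET_UUID FROM wq_mcp_api_keys"
        " WHERE api_key = :key AND is_active = 1",
        {"key": key},  # bound parameter, never formatted into the SQL string
    ).fetchone()
    if row is None:
        return 403, None  # unknown and revoked keys get the same answer
    db.execute(
        "UPDATE wq_mcp_api_keys SET last_used = :now WHERE api_key = :key",
        {"now": datetime.now(timezone.utc).isoformat(), "key": key},
    )
    db.commit()
    return 200, {"merchant": row[0], "market": row[1]}


def revoke(db, key):
    """Revocation as in the format table: set is_active = 0."""
    db.execute("UPDATE wq_mcp_api_keys SET is_active = 0 WHERE api_key = :key", {"key": key})
    db.commit()
```

Because the lookup runs on every tool call, a key revoked with `revoke()` is rejected on the very next request without any token expiry to wait for.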
OAuth Callback URLs
The following redirect URIs are allowlisted:
https://claude.ai/api/mcp/auth_callback
https://claude.com/api/mcp/auth_callback
API keys grant read access to all shop data for the associated merchant. Treat them like passwords – do not share them publicly.