Any MCP client that supports remote HTTP transport can connect to TierZero. Pick whichever auth method your client supports.
Server details
- URL: https://api.tierzero.ai/mcp/
- Transport: Streamable HTTP
- Auth: OAuth 2.1 or Personal Access Token
Option 1: OAuth (recommended)
If your client supports OAuth 2.1 with dynamic client registration, point it at https://api.tierzero.ai/mcp/ and let it auto-discover the authorization server via /.well-known/oauth-protected-resource. The client will handle the browser-based login flow on first use.
This is the same flow Claude Code and Cursor use. No tokens to manage, and access is tied to the user that approved the connection.
Option 2: Personal Access Token
Use a PAT for clients that don’t support OAuth, for headless setups (CI, scripts), or when you want long-lived auth tied to a specific user.
Generate a token
- Go to auth.tierzero.ai/account/api_keys/
- Create a new personal API key
- Save it somewhere your client can read it, for example as an environment variable:
export TIERZERO_PAT_TOKEN="<your-token>"
Treat the PAT like a password. It grants access to your TierZero data. Never commit it to version control or paste it into shared chat.
Send the PAT in the Authorization header on every request to https://api.tierzero.ai/mcp/:
Authorization: Bearer <your-token>
The exact config field depends on the client. As an example, for Claude Code’s manual MCP config:
claude mcp add tierzero-server https://api.tierzero.ai/mcp/ \
  --transport http \
  --header "Authorization: Bearer ${TIERZERO_PAT_TOKEN}"
Or in a JSON config like Cursor’s:
{
  "mcpServers": {
    "tierzero-server": {
      "type": "http",
      "url": "https://api.tierzero.ai/mcp/",
      "headers": {
        "Authorization": "Bearer ${env:TIERZERO_PAT_TOKEN}"
      }
    }
  }
}
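A config file like the one above is safe to share or commit only while the Authorization header holds an environment reference rather than the token itself. The following check is an added example, not TierZero or Cursor code: the function name `audit_mcp_config` is hypothetical, the accepted reference forms (`${VAR}` and `${env:VAR}`) are assumed from the two examples on this page, and both sample configs are constructed.

```python
import json
import re

# A credential is acceptable only if it is a pure environment reference:
# ${VAR} or ${env:VAR} (forms assumed from the examples on this page).
ENV_REF = re.compile(r"^\$\{(?:env:)?[A-Za-z_][A-Za-z0-9_]*\}$")

def audit_mcp_config(text):
    """Return (server, header, problem) findings for an MCP JSON config."""
    findings = []
    servers = json.loads(text).get("mcpServers", {})
    for name, server in servers.items():
        url = server.get("url", "")
        for header, value in server.get("headers", {}).items():
            if header.lower() != "authorization":
                continue
            scheme, _, credential = value.partition(" ")
            if scheme.lower() != "bearer" or not credential:
                findings.append((name, header, "not a Bearer credential"))
            elif not ENV_REF.match(credential.strip()):
                # Anything other than a reference is treated as a pasted token.
                findings.append((name, header, "literal token in config file"))
            if not url.lower().startswith("https://"):
                findings.append((name, header, "bearer token sent over non-HTTPS URL"))
    return findings

# Constructed sample configs; the token in BAD is a made-up placeholder.
GOOD = '''{"mcpServers": {"tierzero-server": {"type": "http",
  "url": "https://api.tierzero.ai/mcp/",
  "headers": {"Authorization": "Bearer ${env:TIERZERO_PAT_TOKEN}"}}}}'''
BAD = '''{"mcpServers": {"tierzero-server": {"type": "http",
  "url": "http://api.tierzero.ai/mcp/",
  "headers": {"Authorization": "Bearer EXAMPLE-NOT-A-REAL-TOKEN"}}}}'''

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("bad", BAD)):
        for finding in audit_mcp_config(cfg):
            print(label, *finding, sep=": ")
```

Run over the real config file in a pre-commit hook or CI step, a non-empty result is a reason to block the commit and rotate the token.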
Rotating or revoking a PAT
Generate a new token at the API keys page and update your client config. Revoke the old one from the same page. There is no automatic expiry — tokens stay valid until you revoke them.