
Authentication

How the Moda MCP server authenticates users via OAuth 2.1 and Clerk.

The hosted MCP server at mcp.moda.app uses OAuth 2.1 to authenticate users. Your editor handles the OAuth flow automatically — you just sign in through your browser when prompted.

When is authentication required?

Action | Auth required
Fetch a public share link (moda.app/s/...) | No
Fetch a private canvas (moda.app/canvas/...) | Yes
List your canvases | Yes
Search your canvases | Yes

Public share links work without authentication in both local and remote server modes. Private canvases and canvas listing/searching require the remote server with OAuth.

How the OAuth flow works

When you first use the MCP server, your editor initiates the OAuth flow:

  1. Your editor sends a request to the MCP server
  2. The server responds with 401 Unauthorized
  3. Your editor discovers the OAuth endpoints automatically
  4. A browser window opens for you to sign in via Moda (powered by Clerk)
  5. After sign-in, tokens are exchanged and stored by your editor
  6. All subsequent requests are authenticated automatically

If you're already signed in to moda.app in your browser, the sign-in step is instant — your existing session is detected automatically.

Token lifecycle

Token | Lifetime | Notes
Access token | 1 hour | Refreshed automatically by your editor
Refresh token | 30 days | Rotated on each use for security

Your editor manages token refresh transparently. You should rarely need to re-authenticate unless you revoke access or your refresh token expires.

Local server authentication

The local stdio server does not use authentication. It can only access public share links. To access private canvases, use the remote server at mcp.moda.app.

Revoking access

To disconnect the MCP server from your Moda account:

  • Claude Desktop / claude.ai: Go to Settings > Connectors and disconnect or remove the Moda connector
  • Claude Mobile: Disconnect the Moda connector from claude.ai/settings, then restart the mobile app if needed
  • Claude Code: Run claude mcp remove moda
  • Cursor: Remove the MCP server from Cursor Settings > MCP
  • VS Code: Remove the Moda server entry from your MCP configuration in settings.json

This removes the stored tokens or connector authorization for that host app. You'll need to re-authenticate if you add the server again.

Security

  • OAuth 2.1 with PKCE (Proof Key for Code Exchange) prevents authorization code interception
  • Access tokens are short-lived JWTs (1 hour)
  • Refresh tokens are rotated on each use
  • All communication with mcp.moda.app uses TLS
  • The MCP server never stores your Moda password — authentication is delegated to Clerk
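
Why PKCE makes an intercepted authorization code useless, shown as an added example (not Moda's or Clerk's code). The S256 transform follows RFC 7636; the in-memory ToyAuthServer class, its method names and the token string are hypothetical and constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets


def s256_challenge(verifier):
    """RFC 7636 S256: base64url(SHA-256(code_verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Client side: a fresh 43-character code_verifier and its challenge."""
    raw = base64.urlsafe_b64encode(secrets.token_bytes(32))
    verifier = raw.rstrip(b"=").decode("ascii")
    return verifier, s256_challenge(verifier)


class ToyAuthServer:
    """Hypothetical authorization server that keeps state in memory."""

    def __init__(self):
        self._codes = {}  # authorization code -> code_challenge

    def authorize(self, code_challenge, method):
        if method != "S256":
            raise ValueError("only S256 is accepted")
        code = secrets.token_urlsafe(16)
        self._codes[code] = code_challenge
        return code

    def token(self, code, code_verifier):
        # pop() makes every code single use, even when the attempt fails.
        challenge = self._codes.pop(code, None)
        if challenge is None or not hmac.compare_digest(
                s256_challenge(code_verifier), challenge):
            return None
        return "access-token-" + secrets.token_urlsafe(8)  # constructed value


def demo():
    server = ToyAuthServer()
    verifier, challenge = make_pkce_pair()
    seen_by_third_party = server.authorize(challenge, "S256")
    delivered_to_client = server.authorize(challenge, "S256")
    return {
        "code_without_verifier": server.token(seen_by_third_party, "A" * 43) is not None,
        "code_with_verifier": server.token(delivered_to_client, verifier) is not None,
        "replayed_code": server.token(delivered_to_client, verifier) is not None,
    }
```

Only the request that presents the original code_verifier receives a token; the code on its own, or a second use of an already redeemed code, is rejected.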
