Flow Forms

Connecting Your AI Client

To connect your AI assistant to Flow Forms, you provide it with your MCP server URL. Authentication happens automatically via OAuth - you'll approve the connection in your browser the first time.

Your MCP Server URL

Your MCP server URL follows this pattern:

https://YOUR-SUBDOMAIN.flowforms.app/mcp

For example, if your account is at acme.flowforms.app, your MCP URL is https://acme.flowforms.app/mcp.

Setting Up Your Client

Any MCP client that supports Streamable HTTP transport can connect to Flow Forms. This includes Claude Desktop, Claude Code, Cursor, Windsurf, and others.

To connect, add a new MCP server in your client's settings with the following details:

  • URL: https://YOUR-SUBDOMAIN.flowforms.app/mcp
  • Transport: Streamable HTTP

Refer to your AI client's documentation for specific setup instructions. Most clients have an MCP settings panel where you can add a new server by URL.

When you first use a Flow Forms tool, your client will prompt you to authenticate via OAuth in your browser. Once authorized, the connection persists until you revoke it.

Authentication Details

How Authentication Works

Flow Forms uses OAuth 2.1 with PKCE for secure authentication. When your AI client connects for the first time:

  1. The client automatically registers itself with Flow Forms (dynamic client registration)
  2. You're redirected to log in and authorize access
  3. The client receives a token scoped to your account and permissions

Permissions

The connection uses the mcp:use scope, which grants access to all MCP tools. However, the AI can only perform actions that your user account has permission to do. For example:

  • Non-admin users only see forms available to their groups
  • Private forms are not accessible through MCP
  • Submission visibility depends on your role (submitter, approver, or admin)

Multiple Accounts

Each Flow Forms account has its own MCP server URL. If you belong to multiple accounts, configure a separate MCP connection for each one.

Revoking Access

To disconnect an AI client from your account, revoke its access through your Flow Forms account settings. This immediately invalidates the client's token.