Outline can act as an OAuth provider, to allow for secure integration with internal and external tools with scoped authentication without the need for manual management of API keys.

Config

Dynamic Client Registration

To support MCP clients, the in-built OAuth server also supports dynamic client registration (DCR), this allows the automatic creation of clients without user authentication to support local tools such as Cursor and Claude.

In self-hosted environments, if you would prefer to disable this for security – it can be done so by setting the environment variable:

OAUTH_DISABLE_DCR=true

Other configuration

• OAUTH_PROVIDER_ACCESS_TOKEN_LIFETIME – The number of seconds access tokens issue by the OAuth provider are valid, defaults to 1 hour.

• OAUTH_PROVIDER_REFRESH_TOKEN_LIFETIME – The number of seconds refresh tokens issue by the OAuth provider are valid, defaults to 30 days.

• OAUTH_PROVIDER_AUTHORIZATION_CODE_LIFETIME – The number of seconds authorization codes issue by the OAuth provider are valid, defaults to 5 minutes.