Skip to main content

Documentation Index

Fetch the complete documentation index at: https://learn.nexudus.com/llms.txt

Use this file to discover all available pages before exploring further.

Authentication

The Nexudus MCP server uses OAuth 2.0 — the same standard used by “Sign in with Google” and similar flows. Your MCP client opens a browser, you sign in to Nexudus, and the server gives the client a short-lived token to use on your behalf.

What you see as a user

  1. You add https://mcp.nexudus.com to your MCP client.
  2. The client opens a browser window with the Nexudus login page.
  3. You enter your Nexudus email and password.
  4. The browser redirects back to your client.
  5. Your AI assistant now has Nexudus tools available for the next 8 hours.
You never share your password with the MCP client itself — only with the Nexudus login page that the browser opens. The MCP server is the only thing that ever sees your password, and only for the brief moment of verifying it.

What is stored

StoredFor how longWhere
Your Nexudus email and passwordNever stored — used once and discarded
A short-lived Nexudus access tokenThe lifetime of your session (8 hours)The MCP server memory
A signed token used by your MCP clientThe lifetime of your session (8 hours)Your MCP client
The token the MCP client holds is a signed wrapper around the Nexudus access token. The client cannot read or use the underlying Nexudus token directly — it can only ask the MCP server to use it on the client’s behalf.

Permissions

The MCP server uses your own Nexudus account to make API calls, so it has exactly the same permissions you do. If your account can see five locations, the assistant can see five locations. If your account cannot delete invoices, the assistant cannot delete invoices either.
For sensitive workflows, consider creating a dedicated Nexudus user with the minimum permissions needed and connecting the MCP client with that account.

Session lifetime

A session lasts 8 hours from the moment you sign in. After that, the next tool call returns an authentication error and your AI assistant will tell you the connection has expired. Reconnect from your client’s connector settings — the steps are the same as the first time. See Sessions and re-authentication for more on what happens when a session ends.

Disconnecting

To revoke access, disconnect the Nexudus connector inside your MCP client. The exact steps vary by client — see the client setup pages for instructions. Disconnecting from the client invalidates the token immediately on the next request. If you change your Nexudus password, any active MCP sessions stop working as soon as they next try to call the Nexudus API.

Security notes

  • All traffic is encrypted — the MCP server is only reachable over HTTPS.
  • Tokens are signed — the wrapper token your MCP client holds is cryptographically signed by the server, so it cannot be forged or tampered with.
  • Tokens are short-lived — even if a token were leaked, it expires in 8 hours.
  • No long-term storage of credentials — your password is verified once and never persisted.
  • Account-scoped — every action runs as your Nexudus account, with the same permissions and audit trail.

Next steps

Sessions and re-auth

What happens when your session expires.

Available tools

Operations exposed to your AI assistant.