The Model Context Protocol (MCP) lets AI assistants like Claude connect to external tools and data sources. Booflow ships a remote MCP server so you can ask Claude to list your flows, create flows from templates, complete tasks, invite external users — all in plain language, right from Claude.ai.
Authentication uses OAuth 2.0 with PKCE — Claude handles the whole flow automatically. You approve once in your browser and Claude has secure, org-scoped access. No manual token copying required.
Open Claude.ai → Settings → Integrations and add a new connector with this URL:
https://booflow.com/api/mcp
Claude will redirect you to Booflow to approve access. You'll see the org you're authorizing and can switch orgs if you belong to more than one. Only Owners and Admins can authorize a connector.
After you click Allow, Claude gets an access token scoped to your organization. The token expires after 1 hour and is automatically refreshed — you won't need to re-approve.
Once connected, just talk to Claude naturally:
"Show me all active flows"
"Create a new flow from the Client Onboarding template and name it Acme Corp"
"Which tasks are overdue?"
"Complete the 'Send contract draft' task on the Acme Corp flow"
"Invite john@acmecorp.com to the Acme Corp flow as a client reviewer"
"What's the progress on all flows this week?"
"Start the Acme Corp flow"
Claude can see and call 15 tools. Read tools never modify data; write tools create or update records.
get_org_context
Returns org name, plan, member count, and flow counts.
list_flows
Lists flows with optional status filter (DRAFT, ACTIVE, COMPLETED…).
get_flow
Full flow detail: tasks, external users, progress %, activity feed.
list_tasks
Tasks across all flows, filterable by status or assignee.
get_task
Single task detail with dependencies and comments.
list_templates
All org templates with step count.
list_public_templates
Public marketplace templates — no auth required.
create_flow_from_template
Instantiates a template as a new DRAFT flow with all tasks and dependencies created.
update_flow_status
Starts (→ ACTIVE), pauses, or cancels a flow.
complete_task
Marks a task COMPLETED and triggers automatic dependency resolution.
approve_task
Approves or rejects an approval-type task.
assign_task
Assigns a task to an internal org member.
invite_external_user
Adds an external collaborator. Sends magic-link email immediately if flow is ACTIVE; deferred if DRAFT.
bulk_invite_external
Invites multiple external users to a flow in a single call.
list_org_members
Lists org members with their roles (OWNER, ADMIN, MEMBER).
Booflow implements a full OAuth 2.0 Authorization Server. Here's what happens when you connect:
1. Claude discovers endpoints via /.well-known/oauth-authorization-server 2. Claude auto-registers itself (Dynamic Client Registration — RFC 7591) 3. You're redirected to booflow.com/oauth/authorize 4. You select your org and click Allow 5. Claude exchanges the code for tokens (PKCE S256 — RFC 7636) 6. Access token (1h) + refresh token (30d) stored by Claude 7. Every MCP call sends: Authorization: Bearer <access_token>
Tokens are stored as SHA-256 hashes — Booflow never stores the raw value. Refresh tokens rotate on every use: each refresh issues a new pair and immediately revokes the old one.
For automation scripts or custom MCP clients that can't do a browser OAuth flow, you can authenticate with an API key instead. Generate one from Settings → API Keys, then pass it as a Bearer token:
Authorization: Bearer bflow_sk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
API keys are shown once at creation and stored as a hash — they can't be recovered. If lost, revoke it and create a new one. See the API reference for details.
Org isolation
Every MCP call runs in the context of your org. No tool can access another org's data.
PKCE required
Plain code challenges are rejected. S256 is enforced.
Origin validation
The /api/mcp endpoint only accepts requests from claude.ai, api.anthropic.com, booflow.com, and localhost.
Short-lived tokens
Access tokens expire in 1 hour. Refresh tokens rotate on every use.
Role restriction
Only Owners and Admins can authorize an MCP connector. Members cannot.
Booflow
© 2026 Booflow. All rights reserved.