Connect Claude Desktop & other MCP clients
Renewly supports OAuth 2.1 with PKCE for one-click connection from Claude Desktop, Cursor, and any other MCP client that speaks the standard. No API keys to copy, no JSON files to edit. Connect, approve, and you’re live.
What you can do once connected
With a connected MCP client you can ask natural-language questions about your portfolio and have the client take actions on your behalf. Renewly exposes 14 MCP tools covering reads (list contracts, upcoming renewals, vendor spend history, portfolio health, contract details) and a small set of writes (flag for review, draft cancellation emails, propose a negotiation plan).
Connecting Claude Desktop
- Open Claude Desktop → Settings → Connectors.
- Click Add custom connector.
- Paste the metadata URL: https://renewly.gg/.well-known/oauth-authorization-server
- Claude opens a browser tab to renewly.gg.
- If you’re not already logged in, you’ll log in normally.
- Approve the connection on the consent screen.
- Claude Desktop shows the new connector as active. Done.
Other MCP clients
What you’re approving
The default scope is contracts:read: read-only access to your contract data. Higher-trust scopes (contracts:write, negotiations:initiate, email:draft) are only minted when the MCP client requests them at connection time, and the consent screen lists every scope being granted before you approve.
Tokens are bound to a specific resource: they can only be used against the Renewly MCP endpoint, never against another service. Refresh tokens use one-time rotation: any reuse of a previously-rotated refresh token revokes the entire session immediately.
Managing connections
See and revoke active connections at Settings → Connections. Each row shows the MCP client name (e.g. “Claude Desktop”), when you connected, and a Revoke button. Revoking is instant and stops the next API call from that client.
Revoking is one-way
API keys vs OAuth
Renewly still supports raw API keys for server-to-server scripts and CI integrations. See API Reference. For human-in-the-loop tools (Claude Desktop, Cursor, IDEs), OAuth is the supported path. The two co-exist and a single Renewly account can have both at once.
Security model
- OAuth 2.1 + PKCE S256 only. No implicit flow, no plaintext PKCE.
- Access tokens are SHA-256 hashed at rest. The cleartext value never leaves the browser tab where it was minted.
- Refresh-token rotation with reuse detection: presenting an already-rotated refresh token revokes the entire family.
- Resource-bound: a token issued for the MCP endpoint cannot be replayed against another resource.
- Every issuance, exchange, and revocation is recorded in an audit log you can review with your account team if needed.
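The refresh-token rotation with reuse detection described above, sketched as an added example. This is not Renewly's code: the class and method names are hypothetical, the store is in memory, and keeping refresh tokens only as SHA-256 digests is an assumption carried over from how the page says access tokens are stored.

```python
import hashlib
import secrets


class ReuseDetected(Exception):
    """An already-rotated refresh token was presented; its family is now revoked."""


def _digest(token: str) -> str:
    # Only the digest is kept server-side, never the cleartext token.
    return hashlib.sha256(token.encode()).hexdigest()


class RefreshTokenStore:  # hypothetical name, in-memory for illustration
    def __init__(self):
        self._tokens = {}        # digest -> {"family": str, "rotated": bool}
        self._revoked = set()    # family ids whose whole session is revoked

    def _mint(self, family: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[_digest(token)] = {"family": family, "rotated": False}
        return token

    def issue(self) -> str:
        """Start a new session (token family), e.g. after the consent screen."""
        return self._mint(secrets.token_hex(8))

    def rotate(self, presented: str) -> str:
        """Exchange a refresh token for its successor (one-time use)."""
        rec = self._tokens.get(_digest(presented))
        if rec is None or rec["family"] in self._revoked:
            raise PermissionError("unknown or revoked refresh token")
        if rec["rotated"]:
            # Reuse: client and a second party both hold tokens from this
            # family, so every descendant is revoked, not just this token.
            self._revoked.add(rec["family"])
            raise ReuseDetected(rec["family"])
        rec["rotated"] = True
        return self._mint(rec["family"])

    def is_active(self, token: str) -> bool:
        rec = self._tokens.get(_digest(token))
        return bool(rec) and not rec["rotated"] and rec["family"] not in self._revoked
```

Replaying a rotated token invalidates the newest token in the same family as well, which is why a leaked refresh token costs the holder the session as soon as either party uses it a second time.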