CLAUDE · CONNECTOR · OAUTH 2.0

Your CRM as a
Claude Connector.

Standard OAuth 2.0 with PKCE-S256, RFC 7591 dynamic client registration, family-tracked refresh rotation. 28 curated MCP tools land in Claude — customers, bookings, loyalty, invoices, comms — scoped per workspace, revocable from your dashboard.

Add to Claude Sign up first

Listing pending Anthropic Connectors Directory review · ~2 week review cycle

RFC 8414 DISCOVERY

$ curl https://api.favcrm.io/.well-known/oauth-authorization-server

"issuer": "https://api.favcrm.io",

"authorization_endpoint": "…/oauth/authorize",

"token_endpoint": "…/oauth/token",

"registration_endpoint": "…/oauth/register",

"code_challenge_methods_supported": ["S256"]

→ Claude reads this to wire the OAuth dance.

AGENT-CALLABLE BACKEND

28 curated MCP tools · OAuth 2.0 + PKCE-S256 · refresh rotation with reuse detection

https://api.favcrm.io/mcp Pricing
WHAT CLAUDE CAN CALL

Real CRM verbs. Scoped per workspace.

Every primitive a service business needs — typed, annotated, gated by OAuth scopes you explicitly approved.

Cap 01

Customers

Search, segment, profile, enrol. Tags, notes, custom fields.

Cap 02

Bookings

Services, schedules, slots, packages. Multi-staff capacity rules.

Cap 03

Loyalty

Tiers, points, rewards, gift offers, automatic-reward triggers.

Cap 04

Commerce

Orders, invoices, Stripe payment links, subscriptions.

Cap 05

Comms

WhatsApp templates, SMS routing, transactional + marketing email.

Cap 06

Insights

Dashboard stats, segments, validate-promotion checks for checkout.

HOW IT WORKS

From Add Connector to first call in 90 seconds.

Standard OAuth flow — no API keys to copy, no config files to edit. The Connectors Directory listing rolls out post-Anthropic review.

Step 01 — Add connector

claude.com → Connectors → FavCRM.

The directory listing is pending Anthropic review. Once live, FavCRM appears in Settings → Connectors with one-click Add.

claude.com → Settings → Connectors
→ Search "FavCRM"
→ Add custom connector

Step 02 — OAuth handshake

Sign in to FavCRM, pick a workspace.

Standard OAuth 2.0 with PKCE-S256. You see exactly what scopes Claude is asking for and which workspace it will see — Authorize / Deny.

claude.com → /oauth/authorize → favcrm.io
→ workspace selector
→ scopes shown explicitly
→ Authorize ✓

Step 03 — Tools land

Curated catalog appears in chat.

Annotations on every tool let Claude flag destructive calls before invoking. Superadmin tools are physically unreachable. Brand-new DCR clients are write-locked for 24h.

tools/list → 28 tools
→ readOnlyHint, destructiveHint surfaced
→ DCR clients: write quarantine 24h
→ destructive ops require explicit confirm

Step 04 — Prompt

Claude runs your CRM in plain English.

No SDK setup. Claude picks tools by description and chains them. Production data, not stubs. Refresh tokens rotate every 15 min with reuse detection.

> "Find members tagged 'vip' who haven't
   booked in 60 days, draft a personalised
   WhatsApp."

search_members → list_tags → list_bookings
→ draft_message
OAUTH FLOW

Standard OAuth 2.0. No magic.

RFC 6749 + 7636 + 7591 + 7009 + 8414. Same shape Anthropic, GitHub, and Stripe use. Discovery → register → authorize → token.

01

Discovery

Claude reads /.well-known/oauth-authorization-server (RFC 8414) for our endpoints.

/.well-known/oauth-authorization-server

02

Registration

POST /oauth/register issues a client_id (RFC 7591 DCR). Static clients (Anthropic-direct) skip this.

/oauth/register

03

Authorize

GET /oauth/authorize with PKCE-S256 code_challenge. User picks workspace + clicks Authorize.

/oauth/authorize

04

Token exchange

POST /oauth/token with code + verifier → 15-min access_token + 30-day rotating refresh_token.

/oauth/token
CURATED TOOLSET

28 tools approved for Claude.

Read-mostly with safe writes. Annotations on every tool — destructive ops gated behind explicit confirmation in chat.

— Customers

4 tools

  • search_members

    Filter by tag, segment, last activity, tier.

  • get_member_profile

    Full profile + history.

  • list_contacts

    CRM contacts paginated.

  • list_tags

    Available tag taxonomy.

— Bookings

4 tools

  • list_services

    Bookable service catalog.

  • list_bookings

    Filter by status / date / customer.

  • get_booking_detail

    Single booking with timeline.

  • get_available_slots

    Open times for a date range.

— Loyalty

4 tools

  • list_tiers

    Membership tier ladder.

  • get_membership_tier

    Tier config + benefits.

  • get_loyalty_balance

    Points, stamps, credits, lifetime totals.

  • list_promotions

    Active promo codes.

— Insights

1 tool

  • get_dashboard_stats

    Top-line KPIs for the workspace.

Need full write access (campaigns, broadcasts, payments)? Use Cursor or Vercel for the full 128-tool catalog.

SECURITY & DATA

Built so the Anthropic reviewer doesn't have to chase us.

PKCE + scope consent + refresh rotation + DCR quarantine — built in to pass Connector review on the first submission.

PKCE-S256 mandatory

plain code_challenge_method rejected. Refresh tokens rotate every exchange with parent-chain reuse detection — token theft revokes the family.

Per-(user × client × workspace) consent

You authorize Claude for one workspace at a time. The connected-apps page lists every active grant — revoke from there to invalidate Claude's tokens immediately.

DCR quarantine

Dynamic Client Registration is rate-limited (50/IP/day) and brand-new clients are write-locked for 24h. You must explicitly re-consent to enable destructive scopes.

Data hosted in Hong Kong

Cloudflare D1 + Workers, primary region HKG. PDPO-aligned. See Privacy Policy and Terms of Use.

Read the Privacy Policy and Terms of Use.

PRICING TRAIL

Free for prototypes. Paid when you ship.

Sign up free. Upgrade to Lite for a real workspace, or Starter for bundled AI agent and meeting notes — same dashboard, no re-install.

Free
$0 forever

100 customers · 200 bookings/mo · 1k MCP calls/mo

Lite FOR CLAUDE
$19 /mo · for Claude

Real workspace · 1 seat · email · BYO-AI via Claude

Starter
$49 /mo

3 seats · 1M AI credits · WhatsApp + SMS · meeting notes

See full pricing & feature matrix
09 · Frequently asked

OAuth, scopes, and trust.

Anthropic's Connector review covers OAuth shape, scope clarity, callback URL, and revocation. Below answers map to those checkpoints.

Q.01 What is the FavCRM Claude Connector?
A custom MCP connector for Claude.com / Claude Desktop. The Claude agent calls FavCRM's 28 curated MCP tools (read-mostly + safe writes; destructive ops gated) directly from chat — customers, bookings, loyalty, invoicing — without leaving the conversation.
Q.02 How does the OAuth flow work?
Authorization Code with PKCE-S256 (RFC 7636). Claude initiates the dance via /.well-known/oauth-authorization-server (RFC 8414); FavCRM's authorization endpoint redirects back to claude.com/api/mcp/auth_callback with a single-use code; Claude exchanges the code for a 15-minute access JWT + 30-day refresh token. Refresh-token rotation is family-tracked — token reuse invalidates the entire family.
Q.03 Is Dynamic Client Registration supported?
Yes. RFC 7591. Claude (or any new agentic client) calls POST /oauth/register with client_name + redirect_uris and receives a client_id. New DCR clients are quarantined for 24 hours: read-only scopes only, write access requires explicit user re-consent after the cooldown. Per-IP rate limit: 50 registrations per day.
Q.04 When does the Claude Connector launch?
Pending Anthropic's connector-directory review. The OAuth backend (authorize / token / register / revoke / well-known) is live at api.favcrm.io. Submission to mcp-review@anthropic.com includes the verified callback URL, scope catalog, privacy policy, and EULA. Until approved, advanced users can wire FavCRM into Claude Desktop's claude_desktop_config.json via the same Bearer-header pattern used for Cursor (community-only path).
Q.05 What scopes does Claude request?
mcp.read for catalog discovery and read-only tools, mcp.write for safe writes (create_booking, attach_tags, send_whatsapp_message). Destructive scopes (cancel/refund/delete) require explicit user re-consent per session. Full scope catalog at /.well-known/oauth-authorization-server.
Q.06 What about user revocation?
The Connected Apps page in the merchant portal lists every authorized client. Revocation cascades: kills all refresh-token families for (user, client), invalidates active access tokens within their 15-minute TTL. RFC 7009 token revocation endpoint is also exposed at /oauth/revoke for programmatic use.
Q.07 How is this different from Anthropic's own connectors?
FavCRM is a third-party connector built specifically for service businesses — beauty, fitness, tutoring, retail, hospitality, professional services. Anthropic's first-party connectors (Google Drive, Slack, GitHub) target generic productivity. FavCRM provides a domain-specific tool catalog: bookings + customers + loyalty + invoicing as first-class verbs, not files-and-folders.
Q.08 What does it cost?
Free tier: 100 customers, 200 bookings/month, 1k MCP calls/month, no credit card. Paid plans from $19/mo (Lite — 1 seat) to $49/mo (Starter — 3 seats, WhatsApp + SMS, 1M AI credits). Same plans across all platforms.

Verified . OAuth metadata at /.well-known/oauth-authorization-server.

Add to Claude.
Authorize the verbs.

One install. OAuth handshake. Claude runs a real CRM backend from the next prompt onwards.

Add to Claude Talk to us