OAuth & MCP documentation
PocketLedger exposes a scoped OAuth2 authorization server and MCP endpoint for AI assistants.
Public endpoints
/mcp
/.well-known/oauth-authorization-server
/.well-known/oauth-protected-resource
/oauth/authorize
/oauth/token
/oauth/register
Scopes
- account:read - read account and category information.
- transactions:read - search and inspect transactions.
- transactions:write - create, update, delete, restore, and undo transactions.
- reports:read - read summaries and chart-ready spending reports.
Available MCP tools
record_expense, parse_expense_text, log_transaction, update_transaction, delete_transaction, restore_transaction, undo_last_transaction, search_transactions, get_summary, get_report, and list_categories.
Connector setup
- Add https://pocketledger.baronsa.dev/mcp as a remote MCP connector in your assistant.
- Complete OAuth authorization with PKCE and approve the requested scopes.
- Try list_categories, then record a small test expense, search it, and generate a summary or grouped report.
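The connector steps above, written out as a client that walks the flow end to end: it reads the authorization-server metadata from the well-known endpoint, registers a public client, generates the PKCE pair, builds the authorize request for the four scopes, validates the redirect, and exchanges the code. This is an added example, not PocketLedger's own client or assistant code. The issuer and endpoint paths come from this page; the loopback REDIRECT_URI, the client name, the use of RFC 7591 JSON for /oauth/register, and the RFC 8707 resource parameter are assumptions.

```python
"""Authorization-code + PKCE flow for a remote MCP client.

Added example, not PocketLedger's own client. ISSUER and the endpoint
paths come from the page; REDIRECT_URI, the client name and RFC 7591
registration are assumptions. Network I/O is confined to post() and main().
"""
import base64
import hashlib
import json
import secrets
import urllib.parse
import urllib.request

ISSUER = "https://pocketledger.baronsa.dev"
MCP_RESOURCE = ISSUER + "/mcp"
AS_METADATA_URL = ISSUER + "/.well-known/oauth-authorization-server"
REDIRECT_URI = "http://127.0.0.1:8765/callback"   # assumed loopback redirect
SCOPES = ["account:read", "transactions:read", "transactions:write", "reports:read"]

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier() -> str:
    """code_verifier: 32 random bytes become 43 unreserved characters."""
    return b64url(secrets.token_bytes(32))

def code_challenge_s256(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def endpoints_from_metadata(meta: dict) -> dict:
    """Pull the endpoints out of RFC 8414 metadata; refuse a server that does
    not advertise S256 rather than silently downgrading to 'plain'."""
    if "S256" not in meta.get("code_challenge_methods_supported", []):
        raise ValueError("authorization server does not advertise S256 PKCE")
    return {k: meta[k] for k in ("authorization_endpoint", "token_endpoint")}

def registration_request(client_name: str) -> dict:
    """Dynamic registration body (RFC 7591, assumed) for a public client."""
    return {"client_name": client_name, "redirect_uris": [REDIRECT_URI],
            "grant_types": ["authorization_code", "refresh_token"],
            "response_types": ["code"], "token_endpoint_auth_method": "none"}

def build_authorize_url(auth_endpoint: str, client_id: str, verifier: str,
                        state: str, scopes=SCOPES) -> str:
    """Only the challenge leaves the client; the verifier stays in memory."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": REDIRECT_URI, "scope": " ".join(scopes),
              "state": state, "code_challenge": code_challenge_s256(verifier),
              "code_challenge_method": "S256",
              "resource": MCP_RESOURCE}   # RFC 8707 indicator (assumed accepted)
    return auth_endpoint + "?" + urllib.parse.urlencode(params)

def parse_callback(callback_url: str, expected_state: str) -> str:
    """Return the code from the redirect; a wrong or missing state is refused
    so a code planted by another party is never exchanged."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch in redirect")
    if "error" in query:
        raise RuntimeError("authorization failed: " + query["error"][0])
    return query["code"][0]

def token_request(client_id: str, code: str, verifier: str) -> dict:
    """Body for POST /oauth/token; the verifier proves this client began the flow."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "client_id": client_id,
            "code_verifier": verifier}

def refresh_request(client_id: str, refresh_token: str) -> dict:
    """With rotation the response carries a new refresh token; keep that one."""
    return {"grant_type": "refresh_token", "refresh_token": refresh_token,
            "client_id": client_id}

def post(url: str, fields: dict, as_json: bool = False) -> dict:
    """POST form-encoded (token endpoint) or JSON (registration); JSON back."""
    body = json.dumps(fields).encode() if as_json else urllib.parse.urlencode(fields).encode()
    ctype = "application/json" if as_json else "application/x-www-form-urlencoded"
    req = urllib.request.Request(url, data=body,
                                 headers={"Content-Type": ctype, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def main() -> None:
    with urllib.request.urlopen(AS_METADATA_URL, timeout=10) as resp:
        ep = endpoints_from_metadata(json.load(resp))
    client_id = post(ISSUER + "/oauth/register",
                     registration_request("example-mcp-client"), as_json=True)["client_id"]
    verifier, state = make_code_verifier(), secrets.token_urlsafe(16)
    print("Open in a browser:",
          build_authorize_url(ep["authorization_endpoint"], client_id, verifier, state))
    code = parse_callback(input("Paste the redirect URL: ").strip(), state)
    tokens = post(ep["token_endpoint"], token_request(client_id, code, verifier))
    print("granted scope:", tokens.get("scope"))

if __name__ == "__main__":
    main()
```

The state check in parse_callback and the S256-only check in endpoints_from_metadata are the two places a hand-rolled client most often cuts corners; both are cheap and both close a real class of code-injection and downgrade mistakes.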
Security notes
PocketLedger uses authorization code flow with PKCE, HTTPS-only production settings, scoped OAuth grants, refresh-token rotation, token revocation, idempotency protection for write tools, and audit records for transaction changes. Browser-origin MCP requests are checked against an allowlist for PocketLedger, Claude, and ChatGPT origins; server-to-server clients that do not send an Origin header continue to work.
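The browser-origin rule in the notes above has two edge cases worth getting right: a request with no Origin header must pass (that is how server-to-server MCP clients keep working), and an Origin that is present must match an allowlisted origin exactly, never by prefix or substring. The following is an added example of that predicate, not PocketLedger's server code. The three allowlist entries are assumptions standing in for the PocketLedger, Claude, and ChatGPT origins the page names; whatever bearer-token and scope checks the server applies are separate from this function and not shown.

```python
"""Browser-origin allowlist check for an MCP endpoint.

Added example, not PocketLedger's implementation. ALLOWED_ORIGINS holds
assumed values; the page names the parties but not the exact origins.
"""
from urllib.parse import urlsplit

ALLOWED_ORIGINS = frozenset({
    "https://pocketledger.baronsa.dev",   # assumed
    "https://claude.ai",                  # assumed
    "https://chatgpt.com",                # assumed
})

def normalize_origin(origin: str):
    """Canonical scheme://host[:port], or None if the value is not a plain
    origin. Whole-origin comparison is what keeps
    https://claude.ai.attacker.example and https://claude.ai@evil.example
    from matching a 'claude.ai' entry."""
    try:
        parts = urlsplit(origin.strip())
        port = parts.port            # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        return None
    host = parts.hostname.lower()
    default_port = 443 if parts.scheme == "https" else 80
    if port is None or port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"

def origin_allowed(headers: dict) -> bool:
    """True if the request may proceed past the browser-origin check.
    No Origin header means a non-browser client (curl, a server-side MCP
    client): it passes here and is left to the token checks. An opaque
    'null' origin (sandboxed iframe, data: URL) is refused."""
    origin = None
    for name, value in headers.items():
        if name.lower() == "origin":
            origin = value
            break
    if origin is None:
        return True
    if origin.strip() == "null":
        return False
    canonical = normalize_origin(origin)
    return canonical is not None and canonical in ALLOWED_ORIGINS
```

Browsers send Origin in canonical lowercase form without a trailing slash, so normalize_origin mostly matters for tolerating explicit default ports; the rejection of userinfo, paths and query strings is what matters against deliberately crafted values.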
Reviewer account
Directory reviewers receive test credentials through the submission form. The reviewer account should contain sample transactions across multiple categories and currencies so read, write, search, undo, and report tools can be exercised end to end.