Core Concepts
1 min read
Core Concepts
Concept | Description |
|---|---|
Origin MCP server | A backend MCP server that exposes capabilities for a source system such as Outlook, Confluence, Salesforce, FactSet, Jira, or an internal API. |
MCP connector | The administrative representation of an origin server in Unique. Admins register the URL, review tools, configure prompts, and refresh tool definitions. |
MCP Server Admin | A delegated user who can configure one assigned MCP connector without tenant-wide connector admin powers. |
Space restriction | A connector-level allowlist that controls which Spaces/Assistants can see, assign, and use an origin MCP server. |
Virtual server | A curated MCP endpoint created from selected tools across one or more approved origins. It has its own slug, lifecycle, URL, access list, and OAuth configuration. |
MCP client | An AI application that connects to MCP servers, including Unique Chat, Claude, Copilot, ChatGPT Enterprise, Cursor, Gemini, or a customer-built assistant. |
Hub OAuth | The inbound authentication layer that verifies the user or client before tool calls are accepted by a virtual server. |
Downstream OAuth | The per-user authentication flow between the hub and origin systems. The hub stores and applies these credentials without exposing them to the MCP client. |
How Requests Flow
Client discovers metadata. The MCP client reads well-known OAuth and protected-resource metadata for the virtual server slug.
User signs in. The user authenticates through the hub identity provider, typically Zitadel, using OAuth with PKCE.
Hub resolves policy. The hub checks that the virtual server is published, enabled, and that the user has connect access.
Tool call is routed. The hub maps the virtual tool to its origin server, injects the correct user credentials, and relays the call.