MCP Connectivity

By Lahiru Himesh Madusanka
2 articles

Connecting Timether to AI tools with the MCP Server

Timether provides a hosted MCP server that lets compatible AI tools connect to your Timether workspace securely. MCP stands for Model Context Protocol. It is a standard way for AI tools and assistants to access approved data and actions from connected apps.

With Timether MCP, supported AI tools can help you work with workspace data such as projects, clients, time entries, timesheets, invoices, expenses, members, and reports, depending on your role and granted permissions.

Timether MCP server URL

The hosted Timether MCP server is available at:

https://api.timether.com/mcp

This is the endpoint MCP-compatible clients use when connecting to Timether.

Plan requirements

Timether MCP access is available to active workspaces on:

- Team
- Business

The workspace must include the public_api_access entitlement. MCP access is not available on Free or Solo Pro workspaces. If your workspace does not support public API access, MCP clients will not be able to connect.

How MCP authorization works

Timether MCP uses a secure OAuth authorization-code flow. When an MCP client connects to Timether, you will be sent to Timether in your browser to sign in and approve access.

Login and consent are handled through:

https://app.timether.com

During consent, you select one eligible workspace. After approval, the connection is bound to that selected workspace. This means the MCP client can only access the workspace you approved.

Workspace-bound access

MCP connections are scoped to a single workspace. If you belong to multiple workspaces, the MCP client does not automatically receive access to all of them. You choose one workspace during the consent step, and the issued tokens are tied to that workspace. This helps keep workspace data separated and prevents accidental access to the wrong workspace.

For example, if you approve access to your agency workspace, the MCP client cannot use that same connection to access your personal workspace.

Supported access scopes

Timether MCP supports the following OAuth scopes:

- timether:read
- timether:write
- timether:admin

The scope controls what level of access the MCP client can request. A read-only connection can retrieve information. A write-enabled connection can perform supported changes. Admin-level access is reserved for higher-permission operations and may depend on your workspace role.

What data and tools are available

Timether MCP exposes explicit tools for approved workspace actions. Depending on your role, plan, billing state, and granted scopes, an MCP client may be able to work with areas such as:

- Workspace context
- Members and invites
- Clients
- Projects
- Tags
- Timers
- Time entries
- Timesheets
- Expenses
- Invoices
- Settings
- Email preferences
- Notifications
- Audit logs
- Data portability

Available tools may differ depending on the connected user’s permissions.

What is not exposed through MCP

For safety, some sensitive operations are not available through MCP tools. Timether does not expose MCP tools for:

- Authentication bootstrap
- API token management
- Zapier connection flows
- Browser extension connection flows
- Integration events
- Webhook subscriptions
- Payment-provider credentials

These areas must be managed through the Timether app or the relevant integration flow.

How Timether keeps MCP access safe

Timether filters MCP tools based on several checks. Tool access can depend on:

- OAuth scope
- Workspace role
- Plan entitlement
- Billing state
- Current workspace capabilities

This means an MCP client only receives access to actions that are allowed for the connected user and workspace. If your role or workspace plan does not allow a certain action, the tool will not be available or the request will be rejected.

Managing MCP connections

You can review and revoke OAuth connections from:

Account → Integrations

If you no longer use an AI tool or want to remove its access, revoke the connection from this page. Once revoked, the client will no longer be able to use that Timether connection.

When access may stop working

An MCP connection may stop working if:

- The connection is revoked
- The workspace is downgraded
- The workspace no longer has public_api_access
- Your membership becomes inactive
- Your account is disabled
- The workspace is no longer active
- The MCP feature is disabled

If access stops unexpectedly, check your workspace plan, account status, and integrations page.

Last updated on Jun 19, 2026

Timether MCP authorization and security

Timether MCP uses a secure OAuth-based connection flow so compatible AI tools can access approved workspace data without asking for your password. This article explains how authorization works, how workspace access is selected, and how Timether protects connected MCP sessions.

Authorization discovery

MCP clients can discover Timether’s authorization details from:

https://api.timether.com/.well-known/oauth-protected-resource/mcp

This discovery endpoint tells compatible clients how to start the authorization process for Timether MCP.

Login and consent

When an MCP client connects to Timether, the login and consent flow is handled in the browser through:

https://app.timether.com

You may be asked to sign in if you are not already logged in. After signing in, you will choose the workspace you want to connect and approve the requested access.

Workspace selection during consent

During the consent step, you select one eligible workspace. The MCP connection is then bound to that workspace. This means the issued access and refresh tokens can only be used for the selected workspace and the Timether MCP resource.

The MCP resource audience is:

https://api.timether.com/mcp

This prevents the same token from being used for unrelated resources.

Supported scopes

Timether MCP supports three OAuth scopes:

- timether:read
- timether:write
- timether:admin

The requested scopes control what the MCP client is allowed to do.

- timether:read allows read-style operations, such as viewing workspace data.
- timether:write allows supported write operations, such as creating or updating approved records.
- timether:admin allows higher-level administrative actions where the connected user and workspace permissions allow it.

The exact tools available still depend on your workspace role, plan, billing state, and current capabilities.

PKCE requirement

Timether MCP requires OAuth authorization-code flow with S256 PKCE.
PKCE adds protection to the authorization flow, especially for public clients that cannot safely store a client secret. Only S256 PKCE is supported. This means clients must generate a secure code verifier and send the matching S256 code challenge during authorization.

Public client support

Timether supports public OAuth clients for MCP. The authorization server supports:

- Client ID Metadata Documents
- Dynamic Client Registration

This allows compatible MCP clients to register and connect without requiring a manually issued confidential client secret.

Redirect URI rules

Redirect URIs must use HTTPS. HTTP redirects are only allowed for loopback redirects used by local native clients. This allows desktop or local tools to complete secure local authorization flows while keeping browser-based and hosted clients on HTTPS.

Consequential operation confirmations

Some MCP actions can make important changes to workspace data. For safety, consequential operations use a two-step confirmation flow.

The first call returns a one-time confirmation token. That token is valid for five minutes. To complete the action, the MCP client must repeat the same arguments with the confirmation token. This helps prevent accidental or unintended changes.

Safe retries with idempotency keys

Additive write operations can accept an idempotency_key. This helps clients safely retry requests without accidentally creating duplicate records.

If a completed result is already cached for the same idempotency key, Timether can return the completed result instead of performing the same operation again. This is useful for network retries and automation workflows.

Revoking MCP access

You can revoke MCP OAuth connections from:

Account → Integrations

After revocation, the MCP client can no longer use that connection.
Revoking a connection is recommended if:

- You no longer use the AI tool
- You connected the wrong workspace
- A device or client may be compromised
- You want to reset access
- You want to reconnect with different permissions

Access checks after connection

Timether continues checking access after a connection is created. A token may be rejected later if:

- The token was revoked
- The user account is disabled
- The membership becomes inactive
- The workspace is downgraded
- The workspace no longer has public_api_access
- The workspace billing state prevents access
- The requested action is no longer allowed

This keeps MCP access aligned with the current workspace stat
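The redirect URI rule above, written as a registration-time check (added example, not Timether's code). Accepting the name `localhost` as loopback and refusing fragments and userinfo are assumptions drawn from RFC 8252 and RFC 6749, not statements from the article.

```python
import ipaddress
from urllib.parse import urlsplit


def is_loopback_host(host: str) -> bool:
    """True for 127.0.0.0/8, ::1, or the literal name localhost."""
    if host == "localhost":            # assumption: the name is accepted too
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                 # a DNS name, e.g. 127.0.0.1.evil.example
        return False


def redirect_uri_allowed(uri: str) -> bool:
    """HTTPS everywhere; plain HTTP only when the host is a loopback address."""
    try:
        parts = urlsplit(uri)
        host = parts.hostname          # lower-cased, brackets and port removed
        parts.port                     # raises ValueError for an invalid port
    except ValueError:
        return False
    if not host:
        return False
    # RFC 6749 forbids fragments in redirect URIs; userinfo is refused because
    # "http://localhost@evil.example/" has evil.example as its real host.
    if parts.fragment or parts.username is not None or parts.password is not None:
        return False
    if parts.scheme == "https":
        return True
    if parts.scheme == "http":
        return is_loopback_host(host)
    return False                       # custom schemes are not covered by the rule
```

The check parses the URI and compares the parsed host, because prefix or substring matching on the raw string accepts lookalike hosts.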
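A server-side sketch of the two-step confirmation flow described above: a one-time token, valid five minutes, bound to the exact arguments of the first call. This is an added example, not Timether's implementation; the tool name `delete_project`, the response fields, and consuming the token on a failed attempt are assumptions.

```python
import hashlib
import hmac
import json
import secrets
import time

CONFIRM_TTL_SECONDS = 300   # "valid for five minutes" in the article


class ConfirmationGate:
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # token -> (argument fingerprint, expiry time)

    @staticmethod
    def _fingerprint(workspace_id, tool, args) -> str:
        """Canonical hash of what is being confirmed, so key order is irrelevant."""
        canonical = json.dumps([workspace_id, tool, args],
                               sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

    def call(self, workspace_id, tool, args, confirmation_token=None):
        fp = self._fingerprint(workspace_id, tool, args)
        if confirmation_token is None:
            # Step 1: nothing is executed; a fresh one-time token is issued.
            token = secrets.token_urlsafe(32)
            self._pending[token] = (fp, self._clock() + CONFIRM_TTL_SECONDS)
            return {"status": "confirmation_required", "confirmation_token": token}
        # Step 2: pop() makes the token single-use even when validation fails.
        entry = self._pending.pop(confirmation_token, None)
        if entry is None:
            return {"status": "rejected", "reason": "unknown_or_used_token"}
        stored_fp, expires_at = entry
        if self._clock() > expires_at:
            return {"status": "rejected", "reason": "expired"}
        if not hmac.compare_digest(stored_fp, fp):
            return {"status": "rejected", "reason": "arguments_changed"}
        return {"status": "executed", "tool": tool}   # the real action would run here
```

Binding the token to a fingerprint of workspace, tool and arguments is what makes "repeat the same arguments" enforceable: a token issued for one record cannot confirm an action on another.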
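The idempotency_key behaviour described above, simulated with a response that is lost after the server has already completed the write. This is an added example with constructed stand-ins; `create_time_entry`, `TimeEntryTool` and `LossyTransport` are hypothetical names, not Timether tools.

```python
import uuid


class TimeEntryTool:
    """Constructed stand-in for an additive MCP write tool."""

    def __init__(self):
        self.entries = []
        self._completed = {}     # (workspace_id, idempotency_key) -> completed result

    def create_time_entry(self, workspace_id, args, idempotency_key=None):
        cache_key = (workspace_id, idempotency_key)
        if idempotency_key is not None and cache_key in self._completed:
            return self._completed[cache_key]        # replay: no second record
        entry = {"id": f"te_{len(self.entries) + 1}",
                 "workspace_id": workspace_id, **args}
        self.entries.append(entry)
        result = {"status": "created", "entry": entry}
        if idempotency_key is not None:
            self._completed[cache_key] = result
        return result


class LossyTransport:
    """Drops the response of the first `drop_first` calls AFTER the server ran them."""

    def __init__(self, server, drop_first):
        self.server, self.drops = server, drop_first

    def send(self, workspace_id, args, idempotency_key=None):
        result = self.server.create_time_entry(workspace_id, args, idempotency_key)
        if self.drops > 0:
            self.drops -= 1
            raise TimeoutError("response lost in transit")
        return result


def create_with_retry(transport, workspace_id, args, use_key, attempts=3):
    """Client: one key per logical operation, reused unchanged on every retry."""
    key = str(uuid.uuid4()) if use_key else None
    for _ in range(attempts):
        try:
            return transport.send(workspace_id, args, idempotency_key=key)
        except TimeoutError:
            continue
    raise TimeoutError("gave up after retries")
```

Generating a new key inside the retry loop would defeat the mechanism, since each attempt would look like a distinct operation.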

Last updated on Jun 19, 2026