This article helps you identify and solve common issues when connecting an AI client or automation tool to the Sales Layer MCP Server.
Most connection issues are related to one of four areas: the wrong server URL, the wrong authentication method, an incomplete OAuth flow, or a client that does not support the required OAuth 2.0 with PKCE configuration.
Warning: Do not paste your Sales Layer Catalog Token as an API key or bearer token in a remote MCP client. For remote MCP connections, the Catalog Token is entered in the Sales Layer authorization screen during the OAuth flow.
Before troubleshooting
Before changing the configuration, check the basics:
- You are using a client that supports MCP remote servers.
- Your client supports OAuth 2.0 with PKCE.
- You have a valid Sales Layer Catalog Token provided by Sales Layer Support or your Sales Layer account representative.
- You are using the correct Sales Layer MCP Server URL for your setup.
- Browser popups are allowed for the AI client or automation platform you are using.
If you are not sure whether your Catalog Token is valid, contact Sales Layer Support before changing the rest of the configuration.
Check the server URL
A wrong server URL can prevent the client from discovering the MCP tools or starting the OAuth flow.
Use the URL that matches your client and access mode:
| Use case | URL |
|---|---|
| General remote MCP connection | https://mcp.saleslayer.com/mcp |
| Claude Web custom connector | https://mcp.saleslayer.com |
| Explicit read-only access | https://mcp.saleslayer.com/onlyread/mcp |
| Explicit full access | https://mcp.saleslayer.com/full/mcp |
Note: If a client has a specific setup guide, follow the URL shown in that guide. Some clients expect the base server URL, while others expect the MCP endpoint URL.
Check the authentication method
Remote MCP connections use OAuth 2.0 with PKCE. They do not use API key authentication in the client configuration.
Use these rules when configuring authentication:
- Select OAuth 2.0 as the authentication method.
- Use Dynamic discovery when your client supports it.
- If manual configuration is required, use Authorization Code with PKCE.
- Use S256 as the code challenge method.
- Enter the Sales Layer Catalog Token only in the Sales Layer authorization screen.
Reference OAuth endpoints
Use these values only when your client does not support Dynamic discovery and asks for manual OAuth configuration:
| Field | Value |
|---|---|
| Authorization URL | https://mcp.saleslayer.com/oauth/authorize |
| Token URL | https://mcp.saleslayer.com/oauth/token |
| Discovery URL | https://mcp.saleslayer.com/.well-known/oauth-authorization-server |
| Protected resource metadata | https://mcp.saleslayer.com/.well-known/oauth-protected-resource |
| Grant type | Authorization Code with PKCE |
| Code challenge method | S256 |
Common issues and how to fix them
| Issue | Likely cause | What to do |
|---|---|---|
| invalid_token | The Catalog Token was pasted as an API key or bearer token in the MCP client. | Change the authentication method to OAuth 2.0 and enter the Catalog Token only in the Sales Layer authorization screen. |
| 401 Unauthorized | The client is sending no valid OAuth access token, or the OAuth flow was not completed. | Disconnect the server, reconnect it, and complete the OAuth flow again. |
| The authorization window does not open | The browser popup is blocked, or the client cannot start the OAuth flow. | Allow popups for the client domain and try connecting the server again. |
| The Catalog Token field is unclear | The Catalog Token is being confused with the Client ID, Client Secret, API key, or bearer token. | Use the Catalog Token only in the Sales Layer authorization screen. It is not a value for the client configuration fields. |
| PKCE or S256 options are not available | The client version may not support the OAuth configuration required by the Sales Layer MCP Server. | Check whether the client supports Authorization Code with PKCE and Code Challenge Method S256. |
| No Sales Layer tools are available | The server was added but the connection or authorization did not complete correctly. | Disconnect and reconnect the server. Then verify that the authorization flow finishes and redirects back to the client. |
| The client cannot discover the server | The wrong MCP URL was used, or the client expects a different URL format. | Review the setup article for your client and use the exact URL shown there. |
| Read operations work, but updates fail | The connection was created with read-only access. | Use full access only if the client must create or update data and the user understands the impact. |
| Token validation fails in the Sales Layer screen | The Catalog Token may be incorrect, expired, mistyped, or not valid for the expected catalog. | Copy the token again and retry. If it still fails, contact Sales Layer Support. |
| The connection works in one client but not another | Different clients support different MCP and OAuth features. | Check the specific setup article for that client and verify its MCP/OAuth compatibility. |
Issue: invalid_token
This error usually appears when the Catalog Token is used incorrectly. The Catalog Token is not a direct bearer token for https://mcp.saleslayer.com.
To solve it:
- Open the MCP server configuration in your client.
- Remove any API key or bearer token authentication setting.
- Select OAuth 2.0 as the authentication method.
- Use Dynamic discovery if it is available.
- Reconnect the server.
- When the Sales Layer authorization screen opens, enter the Catalog Token there.
Issue: Copilot Studio cannot complete the connection
For Microsoft Copilot Studio, check that the configuration uses OAuth 2.0 and not API key authentication.
If you configure OAuth manually, make sure these values are correct:
- Authorization URL: https://mcp.saleslayer.com/oauth/authorize
- Token URL: https://mcp.saleslayer.com/oauth/token
- Client ID: a stable identifier, for example copilot-studio
- Client Secret: leave empty
- Scope: leave empty
- Grant Type: Authorization Code with PKCE
- Code Challenge Method: S256
If Copilot Studio does not offer PKCE or S256, that version may not be compatible with the Sales Layer MCP Server at this time.
Issue: Claude Web does not connect
For Claude Web, check that you added Sales Layer as a custom connector and used the correct URL:
https://mcp.saleslayer.com
After adding the connector, click Connect. Claude should redirect you to the Sales Layer authorization screen, where you can select the access type and enter the Catalog Token.
If the connection does not complete, try removing the custom connector and adding it again. Also check that browser popups and redirects are allowed.
Issue: n8n or another automation platform returns 401
Some automation platforms may treat the MCP Server as a regular REST API and try to send the Catalog Token as a bearer token. This will not work for a remote MCP connection.
For remote MCP, the platform must support MCP with OAuth 2.0. If your automation platform does not support this, use one of these options:
- Use a supported MCP client with OAuth 2.0.
- Use a local MCP setup if available for your environment.
- Use the Sales Layer REST API directly with the X-API-KEY header if you only need direct API automation and do not need MCP tools.
Note: The Sales Layer REST API and the Sales Layer MCP Server are different integration options. REST API calls use the X-API-KEY header. Remote MCP connections use OAuth 2.0.
Issue: the wrong access mode was selected
The Sales Layer MCP Server can be used with different access profiles. If you select read-only access, the AI client can query and analyze catalog data but cannot create or update information.
If a tool fails because it is trying to modify data, check which access mode was used during the authorization flow.
- Read-only: recommended for analysis, search, reporting, and safe catalog exploration.
- Full access: only use when the AI client needs to create or update catalog data.
If you need to change the access mode, disconnect the MCP Server and connect it again using the correct profile.
What to send to Sales Layer Support
If the issue continues, contact Sales Layer Support and include as much context as possible. This helps the team identify whether the problem is caused by the client configuration, the OAuth flow, or the token validation.
Include the following information:
- The AI client or platform you are trying to connect, for example Claude Web, Microsoft Copilot Studio, ChatGPT, Cursor, VS Code, or n8n.
- The server URL you used.
- The authentication method selected in the client.
- The exact error message shown by the client.
- A screenshot of the error, with sensitive token values hidden.
- Whether the authorization screen opened and whether the redirect back to the client completed.
- Whether you selected read-only or full access.
Never send your full Catalog Token in a screenshot, ticket, or email. If Support needs to validate your access, they will guide you through the correct process.
Best practices
Use Dynamic discovery whenever your MCP client supports it. This reduces the risk of entering OAuth endpoints incorrectly.
Keep your Catalog Token secure and enter it only in the Sales Layer authorization screen. Do not paste it into Client ID, Client Secret, API key, or bearer token fields.
Start with read-only access when the goal is to search, analyze, or audit catalog data. Use full access only for trusted workflows that need to modify data.
If a platform does not support MCP with OAuth 2.0 and PKCE, use the Sales Layer REST API directly for headless automations instead of forcing a remote MCP setup.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article