Connecting SpotDraft's MCP Server to Microsoft Copilot Studio
Last updated: July 13, 2026
OAuth setup via the MCP onboarding wizard
Note: this article uses mcp.us.spotdraft.com as a reference. Depending on the region your workspace is located in, you will be required to use one of the follow region-specific MCP URLs:
If you're unsure which region your workspace belongs to, please contact SpotDraft Support or reach out to your CSM.
Overview
Copilot Studio's Tools page has a built-in MCP onboarding wizard (Add a tool → New tool → Model Context Protocol) that supports three OAuth 2.0 configuration modes: Dynamic discovery, Dynamic, and Manual. SpotDraft's MCP server at mcp.us.spotdraft.com implements the standard OAuth discovery and Dynamic Client Registration (DCR) endpoints, which makes Dynamic discovery the mode to use — Copilot Studio performs the entire discovery-and-registration flow itself, so no client ID, client secret, or manual curl commands need to be collected up front.
This document covers: verifying discovery support, running the wizard, two open questions around auth-method negotiation and callback handling, and a Manual-mode fallback if Dynamic discovery doesn't complete end to end.
Step 1: Confirm discovery support
Run these against the MCP server and its authorization server to confirm discovery is exposed correctly:
curl -s https://mcp.us.spotdraft.com/.well-known/oauth-protected-resource
Expected response:
{"resource":"https://mcp.us.spotdraft.com",
"authorization_servers":["https://api.us.spotdraft.com"],
"resource_name":"SpotDraft MCP Server",
"resource_documentation":"https://github.com/SpotDraft/spotdraft-mcp"}
curl -s https://api.us.spotdraft.com/.well-known/oauth-authorization-server
Expected response (trimmed):
{"issuer": "https://api.us.spotdraft.com/api/v1/oauth",
"authorization_endpoint": "https://app.spotdraft.com/auth/login",
"token_endpoint": "https://api.us.spotdraft.com/api/v1/oauth/token/",
"scopes_supported": ["contracts:read", "openid"],
"token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
"registration_endpoint": "https://api.us.spotdraft.com/api/v1/oauth/register/"}
The presence of registration_endpoint is what makes Dynamic discovery viable. If this field is missing, drop to Manual mode (Step 4).
Step 2: Add the MCP server via the onboarding wizard
In the target agent, go to Tools → Add a tool → New tool → Model Context Protocol.
Fill in Server name, Server description, and Server URL:
https://mcp.us.spotdraft.com/mcp.Under authentication, select OAuth 2.0.
Select Dynamic discovery as the OAuth 2.0 type.
Select Create.
At this point Copilot Studio fetches the protected-resource metadata, fetches the authorization-server metadata, and registers itself as a client against https://api.us.spotdraft.com/api/v1/oauth/register/ — all internally, without surfacing a registration step or requiring any values to be pasted in.
Select Next. The Add tool dialog appears.
Select Create a new connection (or reuse an existing one), then Add to agent.
No fields for Authorization URL, Token URL, Client ID, Client Secret, or Scopes appear in this mode — Copilot Studio resolves all of them from discovery.
Known gotcha 1: token endpoint auth method
The authorization server's metadata lists token_endpoint_auth_methods_supported as both client_secret_post and client_secret_basic, but registering a client against /api/v1/oauth/register/ returns client_secret_basic in the response regardless of what's requested in the registration payload. If Copilot Studio's internal DCR client assumes or requests client_secret_post for the token exchange, this mismatch could surface as an auth error — most likely during the sign-in step right after clicking Create, or the first time the agent tries to invoke a tool from the server.
There's no documented way to override which auth method Copilot Studio requests in Dynamic discovery mode. If the flow fails here, Manual mode (Step 4) sidesteps the ambiguity, since the auth method is fixed at registration time rather than negotiated per-request.
Known gotcha 2: callback URL handling is unconfirmed for this mode
Copilot Studio's Dynamic and Manual modes explicitly surface a callback URL after clicking Create, which then needs to be added to the identity provider's client registration. Microsoft's documentation doesn't show an equivalent callback URL step for Dynamic discovery — the implication is that Copilot Studio passes its own callback URL as part of the registration request it makes internally, so there's nothing to copy over manually.
This is inferred from the absence of a documented step, not confirmed behavior. It's the first thing worth checking if sign-in fails silently or redirects to an error page.
Step 3 (fallback): Manual mode, if Dynamic discovery doesn't work
Manual mode requires a client to already exist. Register one directly:
curl -s -X POST https://api.us.spotdraft.com/api/v1/oauth/register/ \
-H "Content-Type: application/json" \
-d '{"client_name":"Copilot Studio",
"redirect_uris":["<placeholder, update after wizard generates the real callback>"],
"grant_types":["authorization_code","refresh_token"],
"response_types":["code"],
"token_endpoint_auth_method":"client_secret_post"}'
The response contains a client_id and client_secret (save both — the secret is shown once). Note that the registration endpoint doesn't document an update mechanism for redirect_uris after the fact, so the placeholder above may need to be replaced by re-registering once the real callback URL is known from Step 2 below, rather than editing the existing registration in place. Worth confirming with SpotDraft's API docs before relying on this.
In the wizard, select OAuth 2.0 → Manual.
Fill in:
Field | Value |
|---|---|
Client ID | from the registration response above |
Client secret | from the registration response above |
Authorization URL |
|
Token URL template |
|
Refresh URL | same as Token URL, unless SpotDraft documents a separate refresh endpoint |
Scopes |
|
Select Create. A callback URL appears — this is the value the placeholder redirect URI above needs to be replaced with.
Re-register (or update, if SpotDraft's API supports it) the client with the real callback URL.
Select Next, then Create a new connection and Add to agent.
Reference: Dynamic discovery vs. Manual
Dynamic discovery | Manual | |
|---|---|---|
Registration | Automatic, handled internally per connection | Manual curl, run once ahead of time |
Fields entered in the wizard | None | Client ID, Client Secret, Auth URL, Token URL, Refresh URL, Scopes |
Callback URL | Not surfaced (assumed handled internally) | Surfaced after Create; requires updating the client registration afterward |
Transport | Streamable HTTP only (SSE dropped post–Aug 2025) | Streamable HTTP only |
Recommend testing Dynamic discovery against a sandbox/dev agent first, since both known gotchas above are inferred from documentation gaps rather than confirmed against SpotDraft's server directly.