Connecting SpotDraft's MCP Server to Gemini Enterprise
Last updated: July 8, 2026
OAuth setup for the Custom MCP Server data store in Gemini Enterprise
Overview
Gemini Enterprise's "Create data store → Custom MCP Server" wizard needs OAuth details (Authorization URL, Token URL, Client ID, Client Secret, Scopes) to connect to SpotDraft's MCP server. SpotDraft's MCP server implements the standard OAuth discovery and dynamic client registration endpoints, so all of these values can be pulled with curl instead of being requested from anyone manually.
region-specific note: SpotDraft's MCP server and OAuth endpoints are region-specific. Replace {REGION} in all URLs with your region (e.g., us, in, me). Example: mcp.us.spotdraft.com .
If you're unsure which Region your workspace belongs in, contact your CSM or SpotDraft Support.
This document covers: discovering the OAuth endpoints, registering Gemini Enterprise as an OAuth client, and mapping the results into the Gemini Enterprise form.
Step 1: Discover the authorization server metadata
Query the authorization server identified above for its OAuth endpoints:
curl -s https://api.{REGION}.spotdraft.com/.well-known/oauth-authorization-server
Response (trimmed to the relevant fields):
{"issuer": "https://api.{REGION}.spotdraft.com/api/v1/oauth",
"authorization_endpoint": "https://app.{REGION}.spotdraft.com/auth/login",
"token_endpoint": "https://api.{REGION}.spotdraft.com/api/v1/oauth/token/",
"scopes_supported": ["contracts:read", "openid"],
"token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
"registration_endpoint": "https://api.{REGION}.spotdraft.com/api/v1/oauth/register/"}
The presence of registration_endpoint means SpotDraft supports Dynamic Client Registration (RFC 7591) — Gemini Enterprise can be registered as an OAuth client on the fly, no manual app creation needed.
Step 3: Register Gemini Enterprise as an OAuth client
Gemini Enterprise's fixed OAuth callback for custom MCP server data stores is:
https://vertexaisearch.cloud.google.com/oauth-redirect
Register a client with that redirect URI:
curl -s -X POST https://api.{REGION}.spotdraft.com/api/v1/oauth/register/ \
-H "Content-Type: application/json" \
-d '{
"client_name": "Gemini Enterprise",
"redirect_uris": ["https://vertexaisearch.cloud.google.com/oauth-redirect"],
"grant_types": ["authorization_code", "refresh_token"],
"response_types": ["code"],
"token_endpoint_auth_method": "client_secret_post"
}'
The response contains a client_id and client_secret:
{"client_id":"IN_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"client_secret":"<secret>",
"client_id_issued_at":..., "client_secret_expires_at":0,
"client_name":"Gemini Enterprise",
"redirect_uris":["https://vertexaisearch.cloud.google.com/oauth-redirect"],
"grant_types":["authorization_code"],
"response_types":["code"],
"token_endpoint_auth_method":"client_secret_basic"}
Save the client_id and client_secret — the secret is only shown once.
Step 4: Fill in the Gemini Enterprise form
In Gemini Enterprise: Connected data stores → Create data store → Custom MCP Server → Add MCP server → MCP Server Configuration → Authentication settings. Use these values:
Field | Value |
|---|---|
MCP Server URL | https://mcp.{REGION}.spotdraft.com/mcp |
Authorization URL | https://app.{REGION}.spotdraft.com/auth/login |
Authorization URL Parameters | (leave blank) |
Token URL | https://api.{REGION}.spotdraft.com/api/v1/oauth/token/ |
Client ID | <from registration response> |
Client Secret | <from registration response> |
Scopes | openid contracts:read |
After entering these, click Login and complete the SpotDraft sign-in, then continue through the remaining wizard steps (description, region, name) to create the data store.
Known gotcha: token endpoint auth method
The registration response above returned token_endpoint_auth_method: "client_secret_basic", meaning the token endpoint expects the client_id/client_secret in an HTTP Basic Auth header, not in the POST body — even though the registration request asked for client_secret_post. If Gemini Enterprise's OAuth client always sends credentials via client_secret_post and there is no setting to change this, the token exchange step may fail with an auth error.
If that happens, re-run the registration curl command with the auth method spelled out and confirm the field is honored, or check whether the Login step in Gemini Enterprise still succeeds despite the mismatch — SpotDraft's server may accept both methods regardless of what the registration record states.
Reference: full curl sequence
# 1. Find the authorization server
curl -s https://mcp.{REGION}.spotdraft.com/.well-known/oauth-protected-resource
# 2. Get its OAuth endpoints
curl -s https://api.{REGION}.spotdraft.com/.well-known/oauth-authorization-server
# 3. Register Gemini Enterprise as a client
curl -s -X POST https://api.{REGION}.spotdraft.com/api/v1/oauth/register/ \
-H "Content-Type: application/json" \
-d '{"client_name":"Gemini Enterprise",
"redirect_uris":["https://vertexaisearch.cloud.google.com/oauth-redirect"],
"grant_types":["authorization_code","refresh_token"],
"response_types":["code"],
"token_endpoint_auth_method":"client_secret_post"}'