The Sales Layer MCP Server uses OAuth 2.0 with PKCE for authentication. It does not use API keys or static bearer tokens for the MCP connection. If API key is selected as the authentication method, or if the Sales Layer Catalog Token is used directly as a bearer token against https://mcp.saleslayer.com, the connection will be rejected with an invalid_token error.
Before you start
Before configuring the MCP Server in Copilot Studio, make sure you have access to your Sales Layer Catalog Token. This token will be requested later in the Sales Layer authorization screen.
Do not paste the Catalog Token as an API key or as a bearer token in the Copilot Studio connector configuration. The Catalog Token is used inside the OAuth authorization flow, not as the authentication method of the connector itself.
Recommended setup
If your version of Microsoft Copilot Studio offers Dynamic discovery, use that option first. This lets Copilot Studio detect the OAuth configuration automatically and reduces the risk of manual configuration errors.
- In Microsoft Copilot Studio, open the screen to add a new Model Context Protocol server.
- In the authentication method, select OAuth 2.0.
- If available, select Dynamic discovery.
- Configure the basic server parameters shown below.
| Field | Value |
|---|---|
| Server name | Sales Layer MCP |
| Server description | MCP Server for PIM "Sales Layer" |
| Server URL | https://mcp.saleslayer.com/mcp |
| Authentication | OAuth 2.0 |
Manual OAuth configuration
If Dynamic discovery is not available in your version of Copilot Studio, configure OAuth 2.0 manually using the following values.
| Field | Value |
|---|---|
| Authorization URL | https://mcp.saleslayer.com/oauth/authorize |
| Token URL | https://mcp.saleslayer.com/oauth/token |
| Client ID | A stable client identifier, for example copilot-studio |
| Client Secret | Leave empty |
| Scope | Leave empty |
| Grant Type | Authorization Code with PKCE |
| Code Challenge Method | S256 |
Important: The manual Client ID is not the Sales Layer Catalog Token. It is only a stable identifier for the client. The Catalog Token is entered later, in the Sales Layer authorization screen.
Authentication flow
After the MCP Server has been configured correctly, Copilot Studio will start the authentication flow.
- When you connect the server, Copilot Studio opens a browser window.
- A Sales Layer form appears and asks for your Catalog Token.
- Enter the Catalog Token for your Sales Layer catalog.
- Sales Layer validates the token.
- After validation, you are redirected back to Copilot Studio.
- The connection is established and the MCP tools become available.
The Catalog Token is used only inside the Sales Layer OAuth flow. It should not be pasted as a bearer token or API key in the connector configuration.
Compatibility requirement
The Sales Layer MCP Server requires PKCE with the S256 method. PKCE stands for Proof Key for Code Exchange and is a required security standard for this connection.
If your version of Microsoft Copilot Studio does not allow you to configure Authorization Code with PKCE as the grant type and S256 as the code challenge method, it may not be compatible with the Sales Layer MCP Server at this time.
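What the S256 requirement means on the wire, as an added example (not Sales Layer or Microsoft code): the client derives a code challenge from a random verifier, sends only the challenge in the authorization request, and the token endpoint later recomputes it from the verifier. The redirect URI, the state value and the sample discovery document are constructed assumptions; the endpoints and the copilot-studio client ID come from the tables on this page.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Values taken from the tables on this page.
AUTHORIZE_URL = "https://mcp.saleslayer.com/oauth/authorize"
CLIENT_ID = "copilot-studio"  # a stable identifier, NOT the Catalog Token

# Constructed sample of an RFC 8414 discovery document (not a captured response).
SAMPLE_METADATA = {
    "authorization_endpoint": AUTHORIZE_URL,
    "token_endpoint": "https://mcp.saleslayer.com/oauth/token",
    "code_challenge_methods_supported": ["S256"],
}

def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_verifier() -> str:
    """32 random bytes give a 43-character verifier (RFC 7636 allows 43-128)."""
    return b64url(secrets.token_bytes(32))

def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def supports_s256(metadata: dict) -> bool:
    """True if the discovery document advertises the S256 method."""
    return "S256" in metadata.get("code_challenge_methods_supported", [])

def build_authorize_url(verifier: str, redirect_uri: str, state: str) -> str:
    """Authorization request: no client secret, no scope, challenge only."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,  # assumption: set by the client platform
        "state": state,
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)

def verifier_matches(stored_challenge: str, presented_verifier: str) -> bool:
    """Token-endpoint side check: recompute the challenge and compare."""
    return secrets.compare_digest(s256_challenge(presented_verifier), stored_challenge)
```

The verifier never appears in the authorization URL, so an intercepted authorization code cannot be redeemed without it.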
Reference endpoints
Use the following endpoints for advanced configuration or troubleshooting.
| Endpoint | URL |
|---|---|
| Server MCP | https://mcp.saleslayer.com/mcp |
| OAuth Authorization | https://mcp.saleslayer.com/oauth/authorize |
| OAuth Token | https://mcp.saleslayer.com/oauth/token |
| OAuth Discovery | https://mcp.saleslayer.com/.well-known/oauth-authorization-server |
| OAuth Protected Resource | https://mcp.saleslayer.com/.well-known/oauth-protected-resource |
Troubleshooting
| Issue | Cause | What to do |
|---|---|---|
| invalid_token | The configuration is using API key authentication, or the Catalog Token is being sent as a bearer token against https://mcp.saleslayer.com. | Change the authentication method to OAuth 2.0 and complete the Sales Layer authorization flow. |
| The Catalog Token field is unclear | The Catalog Token is being confused with the Client ID or Client Secret. | Use a stable identifier such as copilot-studio as the Client ID, leave the Client Secret empty, and enter the Catalog Token only in the Sales Layer authorization screen. |
| PKCE or S256 options are not available | The Copilot Studio version may not support the required OAuth configuration. | Check whether your version supports Authorization Code with PKCE and Code Challenge Method S256. |
Best practices
Use Dynamic discovery whenever it is available in Copilot Studio. If manual configuration is required, review each OAuth field carefully before connecting. Keep the Sales Layer Catalog Token secure and enter it only in the Sales Layer authorization screen. Do not paste it into the Client ID, Client Secret, API key, or bearer token fields.