DOCS-1534 - MCP and OAuth docs

[kimsauce]

Purpose of this pull request

Introduces a new preview doc, OAuth client setup, and updates to existing MCP Server doc. Includes structural and AEO/GEO improvements made during review.

MCP Server doc

• Full setup instructions for three MCP clients: ChatGPT, Claude Code CLI, and VS Code
• Authorization Code OAuth flow for ChatGPT and Claude Code CLI
• Client Credentials OAuth flow for VS Code
• Client-specific authentication sections (not global)
• Available MCP tools reference (alerts, dashboards, Cloud SIEM, log search, user management)
• Example workflows, usage guidance, cost controls, and security/data governance sections
• FAQ as ### headings (AEO/GEO optimization)
• ## Additional resources section with demo walkthrough link
• Official MCP logo added in Sumo Logic brand blue (static/img/icons/mcp-logo.svg)

OAuth Client Setup doc — new doc:

• Covers both OAuth 2.0 flows: Authorization Code and Client Credentials
• How permissions work (intersection of roles and scopes)
• Service account setup and OAuth client creation
• Token generation with deployment endpoint guidance
• Security best practices and service account content ownership sections
• FAQ as ### headings (AEO/GEO optimization)

Revisions per SME review (kdwink):

• Removed "You'll need a paid ChatGPT account" note — free accounts now support MCP servers
• Updated UI path from "Administration > Security > OAuth" to "Administration > Security > OAuth Clients"
• VS Code screenshots pending (Keith providing updated images)

Select the type of change

• Minor Changes - Typos, formatting, slight revisions
• Update Content - Revisions, updating sections
• New Content - New features, sections, pages, tutorials
• Site and Tools - .clabot, version updates, maintenance, dependencies, new packages for the site (Docusaurus, Gatsby, React, etc.)

Ticket (if applicable)

https://sumologic.atlassian.net/browse/DOCS-1534

[ganano]

Took a first pass through the docs.

[kimsauce]

Hi @ganano , thanks for the thorough review! Here's what I addressed based on your feedback:

docs/api/mcp-server.md

• Removed the Client Credentials flow sections from the Claude Code CLI setup. Auth Code flow is now the only documented path for Claude. VS Code remains on Client Credentials.
• Added --scope user / --scope project options to the claude mcp add command in the Auth Code flow setup, matching the pattern used for Client Credentials. Updated the launch step to note that user scope (recommended) works from any directory.
• Added the deployment domain tip after the MCP Server URL in the ChatGPT section, consistent with the tips that already existed for VS Code and the (now-removed) Client Credentials options.

docs/manage/security/oauth.md

• Simplified the Auth Code flow section per your suggestion... removed the manual curl steps (Authorize, Exchange, Refresh) and replaced them with a note about the .well-known/oauth-authorization-server discovery endpoint, and a tip about the permissions intersection model (user roles ∩ client scopes ∩ requested scopes).
• Changed service.sumologic.com → api.sumologic.com in the API call examples (token usage example and the APIs FAQ), and added deployment tips pointing to the endpoints reference page.
• Updated the deployment placeholder in the "Discovering endpoints programmatically" tip to be consistent with the rest of the doc.
• Scoped the "Protect client secrets" security practice to call out Client Credentials as the higher-risk case; noted that clientSecret in Auth Code flow carries less risk.
• Updated the revoke access FAQ to cover Auth Code flow: revoking Authorization Consent causes the next token refresh to fail (current token stays valid until expiry).
• Added a new FAQ: "What happens if a user's roles change in Authorization Code flow?" — covers how role changes take effect at next token refresh for both restrictions and expansions.

One thing I wasn't sure about, your line 49 comment mentioned adding a tip about how permissions are calculated specifically for Auth Code. I added that as a :::tip block in the "Complete the OAuth flow" section. Let me know if the wording captures it correctly or if the intersection should be described differently.