zuora.com
Zuora provides subscription billing, payments, and related order-to-revenue platform services. It also offers Zephr, a product for digital subscription experiences and entitlement management.
Zuora exposes a Billing REST API with OAuth or legacy API-key auth, a remote MCP server authenticated with OAuth 2.0, and the Zephr Admin API authenticated by HMAC key pairs.
- Zuora MCP Server (remote)discovered
- Zuora Billing REST APIdiscovered
- Zephr Admin APIdiscovered
Have a Zuora tenant administrator create an OAuth client for a user in the Zuora UI / OneID. Zuora's getting-started guide points to OAuth client setup steps, and the REST auth docs say to create an OAuth client in the Zuora UI before calling the token endpoint. Store the resulting client_id and client_secret, then exchange them for a bearer token with grant type client_credentials at https://one.zuora.com/oauth2/token or the tenant REST /oauth/token endpoint as documented in Get started and OAuth.
Create a dedicated API user in your Zuora tenant with the needed permissions, then use that user's legacy API access credentials. The Zuora Billing REST spec documents this legacy auth using request headers apiAccessKeyId and apiSecretAccessKey, and links to Create an API User for setup. See the auth section in the Billing OpenAPI spec.
In OneID, go to Create OAuth 2.0 credentials for remote MCP client. An administrator opens Settings > Manage OAuth 2.0 Clients, clicks + New, selects grant type Authorization Code, type MCP Client, application type Billing, and enters the client-specific redirect URI. Save and securely store the displayed Client ID and Client Secret. Zuora's detected OAuth endpoints are https://one.zuora.com/oauth2/authorize and https://one.zuora.com/oauth2/token. Create one OAuth client per MCP agent/client as recommended by Zuora.
In the Zephr admin console, open your admin user settings and go to Key Pairs, then click Issue Key Pair as described in HMAC request signing and key pair. Save the displayed Access Key and Secret Key immediately because the secret cannot be recovered later. Requests to the Zephr Admin API are signed in the Authorization header as ZEPHR-HMAC-SHA256 ... using this key pair.
conventions · 1/8 published
- integrations.json✗
/.well-known/integrations.json - llms.txt✗
/llms.txt - API catalog✗
/.well-known/api-catalog - OpenAPI document✗
/api/schema/, /openapi.json, /swagger.json, /api/openapi.json, or /v1/openapi.json - MCP server card✗
/.well-known/mcp/server-card.json - OAuth protected resource✓https://zuora.com/.well-known/oauth-protected-resource
- Agent card✗
/.well-known/agent-card.json - Agent skills✗
/.well-known/agent-skills/index.json
Publish these signals → /publishing