orchestrator

latest

false

Getting started
- Introduction
- Orchestrator feature availability
- Licensing
- Robots
  - Robot Statuses
  - Robot Settings
- Auto Updating Client Components
- Time-to-live Periods
- Orchestrator outbound IP ranges
- Autopilot Chat in Orchestrator
- Notifications
Best practices
- Organization Modeling in Orchestrator
- Automation Best Practices
- Optimizing Unattended Infrastructure Using Machine Templates
- Unattended automation
- Organizing Resources With Tags
- Exporting grids in the background
  - The exported report
- Enforcing user-level Integration Service connection governance
Tenant
- About the Tenant Context
- Searching for Resources in a Tenant
- Robots
- Folders
- Monitoring
- Access control
- Configuring automation capabilities
- Machines
- Solutions
- Packages
- Audit
- Credential Stores
- Webhooks
  - Types of Events
  - Managing Webhooks
- Licensing
  - Managing Your Licenses
- Settings
Registry
- About the Registry context
- Solution deployments
- Processes
- Resources
Cloud robots
- Cloud robots overview
- Unified Pricing licensing
- Flex licensing
- Elastic Robot Orchestration
- Automation Cloud™ Robots - VM
- Automation Cloud™ Robots - Serverless
- Configuring VPN for cloud robots
- Configuring an ExpressRoute connection
- Live streaming and remote control
- My notifications
Automation Suite Robots
- About Automation Suite Robots
- Executing Unattended Automations With Automation Suite Robots
- Regenerating Client Secrets
- Frequently Asked Questions
Folders Context
- About the Folders Context
- Home
Processes
- About Processes
- Managing Processes
- Managing Package Requirements
- Recording
- Live streaming and remote control
  - Live streaming and remote control via RealVNC
    - Error scenarios
  - Live streaming and remote control via TightVNC
    - Error scenarios
Jobs
- About Jobs
- Managing Jobs
- Job States
- Working with long-running workflows
- Running Personal Remote Automations
- Process Data Retention Policy
Apps
- About Apps
- Publishing an App to a Tenant
- Managing Apps
- Running a Deployed App from a Folder
Triggers
- About triggers
- Managing triggers
- Managing Non-Working Days
- Using Cron Expressions
  - Triggering jobs on the last day of the month
Logs
- About Logs
- Managing Logs in Orchestrator
- Logging Levels
Monitoring
- About Monitoring
- Machines
- Agents
- Processes
- Queues
- Indexes
- Queues SLA
Indexes
- About indexes
- Managing indexes
Queues
- About Queues and Transactions
- Bulk uploading Queue Items using a CSV file
- Managing Queues in Orchestrator
- Managing Queues in Studio
- Managing Transactions
  - Editing Transactions
  - Field Descriptions for the Transactions .csv File
- Review Requests
Assets
- About Assets
- Managing Assets in Orchestrator
- Managing Assets in Studio
- Storing Assets in Azure Key Vault (read only)
- Storing Assets in HashiCorp Vault (read only)
- Storing Assets in AWS Secrets Manager (read only)
- Storing Assets in Google Secret Manager (read only)
Connections
- About Connections
- Managing Connections
Business Rules
- About Business Rules
  - Permissions for Business Rules
- Managing Business Rules
  - Creating a business rule
Storage Buckets
- About Storage Buckets
  - CORS/CSP Configuration
- Managing Storage Buckets
MCP Servers
- About MCP Servers
- MCP Server types
- Managing MCP Servers
- MCP Server authentication
  - Authenticating with the MCP OAuth flow
  - Authenticating with a personal access token
  - Authenticating with an external application
  - Authenticating with interactive login (CLI)
  - Ground-to-cloud authentication
  - Troubleshooting MCP Server authentication
- MCP compliance guidelines
Orchestrator testing
- FAQ - Deprecating the testing module
  - FAQ - Migrating test artifacts to Test Manager
  - FAQ - Feature parity - Test Manager vs Orchestrator
- Test Automation
- Test Cases
  - Field Descriptions for the Test Cases Page
- Test Sets
  - Field Descriptions for the Test Sets Page
- Test Executions
  - Field Descriptions for the Test Executions Page
- Test Schedules
  - Field Descriptions for the Test Schedules Page
- Test Data Queues
- Testing Data Retention Policy
Resource Catalog Service
- About Resource Catalog Service
Integrations
- About Input and Output Arguments
  - Example of Using Input and Output Arguments
Troubleshooting
- About Troubleshooting
- Alerts troubleshooting
- General troubleshooting
- Frequently Encountered Orchestrator Errors

Orchestrator user guide

Last updated May 22, 2026

DELIVERY:

Troubleshooting MCP Server authentication

This page covers common errors when authenticating to UiPath MCP Servers.

401 Unauthorized

Token expired

The most common cause is an expired token. Re-authenticate:

uipath auth
uipath auth

Wrong URL format

Verify that all URL segments are correct:

https://cloud.uipath.com/{org}/{tenant}/agenthub_/mcp/{folderKey}/{slug}
https://cloud.uipath.com/{org}/{tenant}/agenthub_/mcp/{folderKey}/{slug}

Where:

{org}: your UiPath organization name
{tenant}: your tenant name
{folderKey}: the folder's GUID
{slug}: the MCP Server's slug name

Token from wrong identity provider

If you see audience validation errors in the logs, the token was likely issued for a different service. Verify that you authenticated against the correct UiPath Cloud instance.

403 Forbidden

External app or user not assigned to folder

The required fix depends on which scopes the external app has.

App has Application scopes (with or without User scopes)

Assign the app to the folder containing the MCP Server:

Open the folder in Orchestrator.
Navigate to Manage Access > Assign.
Search for your external app.
Assign the external app with the Automation User role.

App has only User scopes

The app itself cannot be assigned to the folder. Searching for it in Manage Access returns no results, because Orchestrator only lists apps with Application scopes. Instead, assign the user who logs in through the app:

Open the folder in Orchestrator.
Navigate to Manage Access > Assign.
Search for the user who will log in through the external app.
Assign the user with the Automation User, Automation Developer, or Folder Administrator role.

Missing OR.Default scope

If you request a token with only specific OR.* scopes (for example, OR.Execution or OR.Jobs) without including OR.Default, the token bypasses folder-level role resolution and grants access across all folders within the tenant. Orchestrator still requires the X-UIPATH-FolderKey header on every API call.

Current MCP Servers versions handle this automatically. On older versions, this may result in failed Orchestrator calls. To avoid this issue, include OR.Default as the only scope in your token request and rely on folder role-based access instead.

GetFoldersForCurrentUser returns 403 with client credentials

This is expected behavior. The GetFoldersForCurrentUser Orchestrator API does not support client credential authentication. To work around this, set the UIPATH_FOLDER_KEY environment variable to bypass the folder resolution call.

400 Bad Request: invalid_scope

Using machine credentials instead of external app credentials

This is the most common cause of invalid_scope errors. Machine credentials are for robot authentication, not for API access.

To fix this:

Go to Admin > External Apps (not Orchestrator > Machines).
Select Add Application.
Enter a name and keep the Confidential app type.
Select the Application scope(s) tab.
Add OR.Execution, and add OR.Jobs if needed for Coded or Command servers.
Select Add, then copy the new Client ID and Client secret.

Re-authenticate using the new credentials:

uipath auth --client-id "<new-client-id>" \
    --client-secret "<new-client-secret>" \
    --base-url "https://cloud.uipath.com/{org}/{tenant}" \
    --scope "OR.Default"
uipath auth --client-id "<new-client-id>" \
    --client-secret "<new-client-secret>" \
    --base-url "https://cloud.uipath.com/{org}/{tenant}" \
    --scope "OR.Default"

MCP client OAuth flow fails

Callback URL not whitelisted

UiPath Identity Server requires callback URLs to be pre-whitelisted for Dynamic Client Registration (DCR). If your MCP client's callback URL is not whitelisted, the DCR step fails.

VS Code with GitHub Copilot currently works without additional configuration. Support for additional clients (Claude Desktop, Cursor, ChatGPT) is being progressively added.

.well-known discovery routing issue

Some MCP clients (such as Copilot Studio and OpenAI clients) probe /.well-known/openid-configuration at the root domain instead of following the resource_metadata URL from the WWW-Authenticate header. When this probe hits cloud.uipath.com/.well-known/openid-configuration, it returns an HTML 200 page instead of a proper 404, which breaks the client's discovery logic.

This is a known routing issue. If you encounter it, contact UiPath support for the latest status.

Was this page helpful?

PREVIOUSGround-to-cloud authentication

NEXTMCP compliance guidelines

Orchestrator user guide

401 Unauthorized​

Token expired​

Wrong URL format​

Token from wrong identity provider​

403 Forbidden​

External app or user not assigned to folder​

Missing OR.Default scope​

GetFoldersForCurrentUser returns 403 with client credentials​

400 Bad Request: invalid_scope​

Using machine credentials instead of external app credentials​

MCP client OAuth flow fails​

Callback URL not whitelisted​

.well-known discovery routing issue​