Model Context Protocol (MCP) server authorization
Just like APIs, MCP (Model Context Protocol) servers need fine-grained access control so that only authorized users can access the tools they expose. Asgardeo provides robust support for securing MCP servers, letting you configure access policies and monitor how users and applications interact with them.
Register an MCP server
Organization administrators can define their MCP servers and configure scopes to enable fine-grained access control to the MCP server tools.
To register an MCP server:

- On the Asgardeo Console, go to Resources > MCP Servers.
- Click + New MCP Server to register a new MCP server.
- Enter the following details and click Next.

  | Parameter | Description |
  |---|---|
  | Identifier | This value will be used as the `aud` attribute in the issued JWT token. Although any value is acceptable, it's recommended to use the URI of the MCP server. |
  | Display Name | A meaningful name to identify your MCP server in Asgardeo. |

- In the Scopes tab, enter the following details and click Add Scope. Repeat this for all scopes.

  | Parameter | Description |
  |---|---|
  | Scope (Permission) | Maps to an action in your MCP server. This value should match the scopes requested by your application. |
  | Display Name | A meaningful name for your scope (permission). This will be displayed on your application's user consent page. |
  | Description | A description for your scope (permission). This will be displayed on your application's user consent page. |

- Once done, click Create to complete the MCP server registration.
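One way an MCP server could enforce the identifier and scopes registered above before running a tool, as an added example (not Asgardeo's or any MCP SDK's code). The identifier URL, tool names and scope names are hypothetical, the space-delimited `scope` claim is an assumption, and the claims are assumed to come from a token whose signature and issuer were already verified.

```python
import time

# Assumptions (not from the Asgardeo docs): identifier, tool names, scope names.
MCP_SERVER_IDENTIFIER = "https://mcp.example.com/mcp"
TOOL_SCOPES = {
    "list_invoices": {"invoices:read"},
    "create_invoice": {"invoices:write"},
}

class AuthorizationError(Exception):
    """Raised when verified token claims do not permit the tool call."""

def authorize_tool_call(claims, tool, now=None):
    """Check already-verified JWT claims before running `tool`."""
    now = time.time() if now is None else now
    # RFC 7519: `aud` may be a single string or a list of strings.
    aud = claims.get("aud")
    items = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    if MCP_SERVER_IDENTIFIER not in {a for a in items if isinstance(a, str)}:
        raise AuthorizationError("token was not issued for this MCP server")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise AuthorizationError("token is expired or has no exp claim")
    # Deny by default: a tool with no scope mapping is never callable.
    required = TOOL_SCOPES.get(tool)
    if not required:
        raise AuthorizationError(f"no scope mapping for tool {tool!r}")
    # Assumption: granted scopes arrive as a space-delimited `scope` string.
    scope = claims.get("scope")
    granted = set(scope.split()) if isinstance(scope, str) else set()
    missing = required - granted
    if missing:
        raise AuthorizationError("missing scope(s): " + " ".join(sorted(missing)))
    return True

# Constructed sample claims (not a real token).
SAMPLE_CLAIMS = {
    "aud": MCP_SERVER_IDENTIFIER,
    "exp": 2_000_000_000,
    "scope": "openid invoices:read",
}
```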
Authorize apps to access MCP servers
Applications, by default, don't have permissions to access MCP servers. Administrators can selectively grant authorization for applications to use specific MCP servers, so that users logging into the application will have access to that MCP server, provided they're assigned to a role that grants the necessary permissions.
Note
Currently, MCP servers can only be authorized for applications that are created from the MCP client Application template.
To authorize an application to consume an MCP server:

- On the Asgardeo Console, go to Applications.
- Select the MCP client application and go to its Authorization tab.
- Click Authorize a resource.
- Enter the following details:

  | Parameter | Description |
  |---|---|
  | Resource | Select the MCP server from the list of resources. |
  | Authorized Scopes | Select the scopes that the MCP client should be able to request. |

- Click Finish.