
MCP Server Authorization

This guide explains how to configure your AuthAction tenant and MCP API Resource server to support dynamic client registration and access, enabling secure and flexible authorization for MCP server use cases.

Example Repository: For a working code example, see the mcp-server-auth-example repository.

MCP (Model Context Protocol) servers often require dynamic onboarding of clients and secure API access. AuthAction supports this via:

  • Dynamic Client Registration: Applications can register themselves automatically.
  • Dynamic Client Access: Dynamically registered clients can access the MCP API Resource server automatically.

1. Enable Dynamic Client Registration

To allow applications to register themselves without manual configuration:

  1. Go to your AuthAction dashboard.
  2. Navigate to Settings > Advanced.
  3. Enable Dynamic Client Registration.


When enabled, applications can register themselves automatically. This is especially useful for MCP server scenarios and flexible onboarding.

2. Enable Dynamic Client Access for MCP API Resource Server


To allow dynamically registered clients to access your MCP API Resource server:

  1. In the AuthAction dashboard, go to Applications > APIs.
  2. Select your MCP API Resource server.
  3. Go to the Dynamic Clients tab.
  4. Enable Dynamic Client Access.


When enabled, any client that registers itself dynamically will be granted access to this API server.

You can control which authentication connections are available to dynamically registered clients for accessing the MCP API Resource server.

Manage Dynamic Client Connections

  • Toggle connections on or off as needed for your use case.

Security considerations:

  • Production Caution: Use dynamic client registration and access with caution in production environments. Only enable them for trusted scenarios.
  • Connection Control: Restrict which authentication connections are available to dynamic clients for added security.

With both settings enabled, the flow is:

  1. Dynamic Client Registration: A new client registers itself with the AuthAction tenant.
  2. Dynamic Client Access: The client is automatically allowed to access the MCP API Resource server.
  3. Authentication Connection: The client uses an enabled authentication connection to obtain tokens and access the API.
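
Because every dynamically registered client is granted access once Dynamic Client Access is enabled, the checks the MCP server runs on each token are the remaining control on its side. The following is an added example, not code from AuthAction or the example repository; it assumes JWT access tokens carrying the standard `iss`, `aud`, `exp`, `scope` and `client_id`/`azp` claims, and the issuer, audience, scope and client names are placeholders.

```python
import time

# Assumed placeholders (not from the AuthAction docs): replace with your
# tenant's issuer URL and the identifier of your MCP API Resource server.
EXPECTED_ISSUER = "https://tenant.example.invalid/"
EXPECTED_AUDIENCE = "https://mcp.example.invalid/"


class TokenRejected(Exception):
    """Raised when verified claims do not authorize the request."""


def authorize_claims(claims, required_scope, now=None, leeway=30):
    """Check claims from an access token whose signature was ALREADY verified
    against the tenant's signing keys by a JWT library (not shown here).
    Returns the client identifier so each request can be logged per client."""
    now = time.time() if now is None else now

    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenRejected("unexpected issuer")

    # RFC 7519: "aud" may be a single string or a list of strings.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    if EXPECTED_AUDIENCE not in audiences:
        raise TokenRejected("token was not issued for this MCP server")

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise TokenRejected("token expired or exp missing")

    # Scopes as one space-delimited string (assumed claim layout).
    granted = set(str(claims.get("scope", "")).split())
    if required_scope not in granted:
        raise TokenRejected("missing scope: " + required_scope)

    client_id = claims.get("client_id") or claims.get("azp")
    if not client_id:
        raise TokenRejected("no client identifier in token")
    return client_id


# Constructed sample claims for a dynamically registered client
# (hypothetical scope and client names).
SAMPLE_CLAIMS = {"iss": EXPECTED_ISSUER, "aud": [EXPECTED_AUDIENCE],
                 "exp": 2_000_000_000, "scope": "mcp:tools mcp:read",
                 "client_id": "dyn-client-123"}
```

Logging the returned client identifier on every request gives a per-client audit trail, which matters when clients are not registered by hand.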

For implementation details and code, see the mcp-server-auth-example repository.