
Auth for MCP: Secure MCP servers using OAuth

Learn how to secure MCP servers using OAuth and Auth0


Deepu K Sasidharan

October 01, 2025

Transcript

  1. Hi, I'm Deepu K Sasidharan
     ➔ JHipster co-chair
     ➔ Creator of KDash, JDL Studio, JWT UI
     ➔ Developer Advocate @ Auth0
     ➔ OSS aficionado, polyglot dev, Java Champion, author, speaker
     @[email protected] | deepu.tech | @deepu105.bsky.social | deepu05
     (slide footer on every slide: @auth0 | @deepu105 | deepu.tech)
  2. Authorization using OAuth 2.1
     • Standardized in the MCP spec
     • MCP clients and servers can use OAuth to delegate authorization
     • MCP servers are resource servers
     • Built-in security baseline (PKCE by default)
     • Simplified connections (metadata discovery)
     • Seamless onboarding (Dynamic Client Registration, DCR)
     • Leverage your existing identity infrastructure (third-party auth)
  3. Setup
     # Install the MCP server
     npx @auth0/auth0-mcp-server init
     # Select scopes and authorize
     # Configure the MCP server in Goose
     goose configure
     # Add extension > command line
     # Name: auth0
     # command: npx -y @auth0/auth0-mcp-server run --tools *
     # Env: DEBUG: auth0-mcp
  4. Manage Auth0 Apps
     # Prompts
     ## Create Auth0 application
     Create a new Auth0 web app application named 'My Web App', with a Callback URL http://localhost:3000/callback and an Allowed Logout URL http://localhost:3000 and make sure it is OIDC compliant and set the JWT to use alg RS256
     ## Get app details
     Get the auth0 app #ID
  5. Get logs
     # Prompts
     ## Create Auth0 application
     Create a new Auth0 web app application named 'My Web App', with a Callback URL http://localhost:3000/callback and an Allowed Logout URL http://localhost:3000 and make sure it is OIDC compliant and set the JWT to use alg RS256
     ## Get app details
     Get the auth0 app #ID