src/content/docs/cloudflare-one/applications/configure-apps/mcp-servers/linked-apps.mdx
Lines changed: 12 additions & 0 deletions
@@ -132,6 +132,18 @@ This policy will allow requests if they present a valid OAuth access token that
132
132
133
133
## 5. Configure the MCP server
134
134
135
+
With the policy in place, every API request to the self-hosted application must now include a valid `access_token` from Cloudflare Access. You will need to configure the MCP server to forward the `access_token` in an HTTP request header:
136
+
137
+
```txt
138
+
Authorization: Bearer ACCESS_TOKEN
139
+
```
140
+
141
+
The end-to-end authorization flow is as follows:
142
+
1. The MCP server authenticates against the Access for SaaS app via OAuth.
143
+
2. Upon success, the MCP server receives an `access_token`.
144
+
3. The MCP server makes an API request to the self-hosted application with the token in the request headers.
145
+
4. Cloudflare Access intercepts the request to the self-hosted app, inspects the token, and validates it against the `linked_app_token` rule in the policy.
146
+
5. If the token is valid and was issued for the linked SaaS app, the request is allowed. Otherwise, it is blocked.
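Review bot: Step 5 ends at "Otherwise, it is blocked" without saying what the MCP server receives in that case or how it should recover, and steps 2 and 3 never mention that the `access_token` can stop being valid. Suggest stating the response the MCP server should expect on a blocked request and that it must obtain a new token through the OAuth flow in step 1 before retrying. In the header example, `Authorization: Bearer ACCESS_TOKEN` reads like a literal value; mark `ACCESS_TOKEN` as a placeholder for the token received in step 2. Since the new paragraph tells readers to forward a bearer credential, it is also worth one sentence saying the token should be sent only to the self-hosted application and kept out of the MCP server's logs.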