src/content/docs/agents/model-context-protocol/authorization.mdx
12 additions & 6 deletions
@@ -75,7 +75,13 @@ sequenceDiagram
75
75
76
76
Remember — [authentication is different from authorization](https://www.cloudflare.com/learning/access-management/authn-vs-authz/). Your MCP Server can handle authorization itself, while still relying on an external authentication service to first authenticate users. The [example](/agents/guides/remote-mcp-server) in getting started provides a mock authentication flow. You will need to implement your own authentication handler — either handling authentication yourself, or using an external authentication services.
77
77
78
-
### (2) Third-party OAuth Provider
78
+
### (2) Cloudflare Access integration
79
+
80
+
You can use Cloudflare Access as a Single Sign-On (SSO) provider to authorize users to your MCP server. Users log in using a [configured identity provider](/cloudflare-one/identity/idp-integration/) or a [one-time PIN](/cloudflare-one/identity/one-time-pin/), and they are only granted access if their identity matches your [Access policies](/cloudflare-one/policies/access/).
81
+
82
+
To deploy an [example MCP server](https://github.com/cloudflare/ai/tree/main/demos/remote-mcp-cf-access) with Cloudflare Access as the OAuth provider, refer to [Secure MCP servers with Access for SaaS](/cloudflare-one/applications/configure-apps/mcp-servers/saas-mcp/).
83
+
84
+
### (3) Third-party OAuth Provider
79
85
80
86
The [OAuth Provider Library](https://github.com/cloudflare/workers-oauth-provider) can be configured to use a third-party OAuth provider, such as GitHub or Google. You can see a complete example of this in the [GitHub example](/agents/guides/remote-mcp-server/#add-authentication).
81
87
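Review bot: In the new "(2) Cloudflare Access integration" section, the first paragraph says Access is used as an SSO provider to "authorize users to your MCP server", right after the context paragraph that stresses authentication is different from authorization, and the second paragraph then calls Access "the OAuth provider". Suggest saying separately which part is authentication (login through the configured identity provider or one-time PIN) and which is authorization (the identity matching your Access policies), and using one term for the role Access plays throughout the section.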
@@ -122,7 +128,7 @@ sequenceDiagram
122
128
123
129
Read the docs for the [Workers oAuth Provider Library](https://github.com/cloudflare/workers-oauth-provider) for more details.
124
130
125
-
### (3) Bring your own OAuth Provider
131
+
### (4) Bring your own OAuth Provider
126
132
127
133
If your application already implements an OAuth Provider itself, or you use [Stytch](https://stytch.com/), [Auth0](https://auth0.com/), [WorkOS](https://workos.com/), or authorization-as-a-service provider, you can use this in the same way that you would use a third-party OAuth provider, described above in (2).
128
134
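Review bot: The renumbering leaves a stale cross-reference in the unchanged line under the "(4) Bring your own OAuth Provider" heading: it still ends "described above in (2)", but (2) is now the Cloudflare Access section and the third-party OAuth provider section is (3). Update it to "described above in (3)", or link to the section heading instead of its number so the reference survives future renumbering.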
@@ -196,7 +202,7 @@ function requirePermission(permission, handler) {
196
202
status:403
197
203
};
198
204
}
199
-
205
+
200
206
// If permission check passes, execute the handler
201
207
returnhandler(request, context);
202
208
};
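Review bot: The only change here is a blank line replaced by a blank line after the closing brace of the 403 branch (old line 199, new line 205), and the two hunks in `async init()` that follow do the same. This looks like whitespace cleanup unrelated to the new Access section; consider moving it to a separate commit or mentioning it in the commit message so the documentation change is easier to review.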
@@ -208,7 +214,7 @@ async init() {
208
214
this.server.tool("basicTool", "Available to all users", {}, async () => {
209
215
// Implementation for all users
210
216
});
211
-
217
+
212
218
// Protected tool using the permission wrapper
213
219
this.server.tool(
214
220
"adminAction",
@@ -221,7 +227,7 @@ async init() {
221
227
};
222
228
})
223
229
);
224
-
230
+
225
231
// Conditionally register tools based on user permissions
226
232
if (this.props.permissions?.includes("special_feature")) {