Commit 3ad99b0

[MCP] Add Cloudflare Access as an authorization method (#24373)
* add Access to Agents MCP docs
* link to example
1 parent 7e44dc2 commit 3ad99b0

1 file changed: +12 -6 lines changed

src/content/docs/agents/model-context-protocol/authorization.mdx

Lines changed: 12 additions & 6 deletions
@@ -75,7 +75,13 @@ sequenceDiagram
7575

7676
Remember — [authentication is different from authorization](https://www.cloudflare.com/learning/access-management/authn-vs-authz/). Your MCP Server can handle authorization itself, while still relying on an external authentication service to first authenticate users. The [example](/agents/guides/remote-mcp-server) in getting started provides a mock authentication flow. You will need to implement your own authentication handler — either handling authentication yourself, or using an external authentication services.
7777

78-
### (2) Third-party OAuth Provider
78+
### (2) Cloudflare Access integration
79+
80+
You can use Cloudflare Access as a Single Sign-On (SSO) provider to authorize users to your MCP server. Users log in using a [configured identity provider](/cloudflare-one/identity/idp-integration/) or a [one-time PIN](/cloudflare-one/identity/one-time-pin/), and they are only granted access if their identity matches your [Access policies](/cloudflare-one/policies/access/).
81+
82+
To deploy an [example MCP server](https://github.com/cloudflare/ai/tree/main/demos/remote-mcp-cf-access) with Cloudflare Access as the OAuth provider, refer to [Secure MCP servers with Access for SaaS](/cloudflare-one/applications/configure-apps/mcp-servers/saas-mcp/).
83+
84+
### (3) Third-party OAuth Provider
7985

8086
The [OAuth Provider Library](https://github.com/cloudflare/workers-oauth-provider) can be configured to use a third-party OAuth provider, such as GitHub or Google. You can see a complete example of this in the [GitHub example](/agents/guides/remote-mcp-server/#add-authentication).
8187

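Review bot: The new section at new lines 80 and 82 gives Cloudflare Access two different roles, first a "Single Sign-On (SSO) provider to authorize users" and then "the OAuth provider", directly below the context paragraph at line 76 that stresses the difference between authentication and authorization. Suggest stating the role once and consistently, for example that Access acts as the OAuth provider for the MCP server, authenticates the user through the configured identity provider or one-time PIN, and then applies the Access policies to decide whether access is granted. The example link at new line 82 also points at the `main` branch path `demos/remote-mcp-cf-access`, so it will stop resolving if that directory is moved or renamed.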
@@ -122,7 +128,7 @@ sequenceDiagram
122128

123129
Read the docs for the [Workers oAuth Provider Library](https://github.com/cloudflare/workers-oauth-provider) for more details.
124130

125-
### (3) Bring your own OAuth Provider
131+
### (4) Bring your own OAuth Provider
126132

127133
If your application already implements an OAuth Provider itself, or you use [Stytch](https://stytch.com/), [Auth0](https://auth0.com/), [WorkOS](https://workos.com/), or authorization-as-a-service provider, you can use this in the same way that you would use a third-party OAuth provider, described above in (2).
128134

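Review bot: The renumbering at new line 131 leaves the cross-reference in the context paragraph at new line 133 stale. It still reads "described above in (2)", but after this change (2) is the Cloudflare Access integration and the third-party OAuth provider section is (3). Suggest changing it to "(3)", or replacing the number with a link to the heading so that later insertions cannot silently redirect readers to the wrong authorization method.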
@@ -196,7 +202,7 @@ function requirePermission(permission, handler) {
196202
status: 403
197203
};
198204
}
199-
205+
200206
// If permission check passes, execute the handler
201207
return handler(request, context);
202208
};
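Review bot: The only change at old line 199 / new line 205 is a blank line replaced by a blank line, and the same pattern repeats at 211/217, 224/230 and on the "Benefits:" line at 234/240, so these look like whitespace-only edits unrelated to adding Cloudflare Access. Suggest dropping them from this commit or moving them to a separate formatting commit, so the diff for the authorization docs shows only the content change.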
@@ -208,7 +214,7 @@ async init() {
208214
this.server.tool("basicTool", "Available to all users", {}, async () => {
209215
// Implementation for all users
210216
});
211-
217+
212218
// Protected tool using the permission wrapper
213219
this.server.tool(
214220
"adminAction",
@@ -221,7 +227,7 @@ async init() {
221227
};
222228
})
223229
);
224-
230+
225231
// Conditionally register tools based on user permissions
226232
if (this.props.permissions?.includes("special_feature")) {
227233
this.server.tool("specialTool", "Special feature", {}, async () => {
@@ -231,7 +237,7 @@ async init() {
231237
}
232238
```
233239
234-
Benefits:
240+
Benefits:
235241
- Authorization check at the tool level ensures proper access control
236242
- Allows you to define permission checks once and reuse them across tools
237243
- Provides clear feedback to users when permission is denied
