Skip to content

README.md

Latest commit

 

History

History
96 lines (67 loc) · 4.47 KB

README.md

File metadata and controls

96 lines (67 loc) · 4.47 KB

Simple MCP Authentication Example

Complexity: 🟨 Intermediate

This example demonstrates how to use the NVIDIA NeMo Agent Toolkit with MCP servers that require authentication. You'll authenticate with protected MCP services and access secured tools through OAuth2 flows.

It is recommended to read the MCP Authentication documentation first.

Prerequisites

  1. Agent toolkit: Ensure you have the Agent toolkit installed. If you have not already done so, follow the instructions in the Install Guide to create the development environment and install NeMo Agent Toolkit.
  2. MCP Server: Access to an MCP server that requires authentication (e.g., corporate Jira system)

Note: If you installed NeMo Agent Toolkit from source, MCP client functionality is already included. If you installed from PyPI, you may need to install the MCP client package separately with uv pip install "nvidia-nat[mcp]".

Install this Workflow

Install this example:

uv pip install -e examples/MCP/simple_auth_mcp

Run the Workflow

Authenticated MCP Client

You can run the workflow using authenticated MCP tools. In this case, the workflow acts as an MCP client and connects to a protected MCP server requiring OAuth2 authentication.

Prerequisites:

  1. Set up environment variables: Configure the required environment variables for your OAuth2 server:

    export CORPORATE_MCP_JIRA_URL="https://your-jira-server.com/mcp"

    [!IMPORTANT] Set CORPORATE_MCP_JIRA_URL to your protected Jira MCP server URL, not the sample URL shown above. The sample URL is for demonstration purposes only and will not work with your actual Jira instance.

  2. Start the authentication flow: The first time you run the workflow, it will initiate an OAuth2 authentication flow:

    nat run --config_file examples/MCP/simple_auth_mcp/configs/config-mcp-auth-jira.yml --input "What is ticket AIQ-1935 about"

Follow the browser-based authentication flow to authorize access to the MCP server. 3. Example output:

Workflow Result:
['Ticket AIQ-1935 is about converting the experimental function "mcp_client" to function groups. The changes are documented in PR-814 on GitHub. The ticket is currently in the "Done" status.']

Using the Workflow via FastAPI frontend

  1. Start the workflow:
nat serve --config_file examples/MCP/simple_auth_mcp/configs/config-mcp-auth-jira.yml

  1. Start the UI:

    Start the UI by following the instructions in the Launching the UI guide. Connect to the URL http://localhost:3000.

    [!IMPORTANT] Ensure that WebSocket mode is enabled by navigating to the top-right corner and selecting the WebSocket option in the arrow pop-out. WebSocket connections are required for OAuth authentication workflows.

  2. Send the input to the workflow via the UI:

What is ticket AIQ-1935 about

Authentication Flow

  1. Initial Request: When you first run the workflow, it detects that authentication is required
  2. OAuth2 Redirect: The system opens your browser to the OAuth2 authorization server
  3. User Authorization: You log in and authorize the NeMo Agent Toolkit to access the MCP server
  4. Token Exchange: The system exchanges the authorization code for access and refresh tokens
  5. Authenticated Access: Subsequent requests use the stored tokens to access protected tools
  6. Token Refresh: Tokens are automatically refreshed when they expire

When using websocket mode you will see two authorization prompts, one for setting up the MCP client and one for tool calls. Authorizations for tool calls is done per WebSocket session to limit tool access by user.