MCP Server Authentication
Truefoundry allows you add MCP servers with the following authentication mechanisms: No Auth, Header Auth and OAuth2.
No Auth
In this case, the authentication server can be accessed by anyone. This can be the case for demo APIs, or APIs that can be public like a Calculator MCP Server or Deepwiki MCP server(https://mcp.deepwiki.com/mcp)
This is not recommended for any production MCP server or servers that provide access to some data.
Header Auth
Header-based authentication allows you to secure your MCP Server by requiring a specific API key or token in the request headers. This method is ideal for APIs that use static credentials for access control.
For example, the Hugging Face MCP server follows Header Auth which requires your HuggingFace token to be sent in the header of the request.
Header Based Auth are used by MCP servers that don’t support user-specific authentication methods like Oauth2 and instead have a static API key or token. In this case, all users calling the MCP server will use the same token.
OAuth2
OAuth2 authentication lets you secure your MCP Server with delegated, user-based access. In this case, every user will have their own token and the MCP server will grant access to only the resources that the user has access to.
Oauth2 is supported by many of the popular MCP servers like Slack, Github, Atlassian, etc. You can also add Oauth authentication to your MCP servers you build using the flow mentioned below.
Quick Start: OAuth2 Example
- Deploy your MCP Server and copy the endpoint URL from your deployment list.
MCP Server deployment list
- Create an OAuth2 app (confidential client) in your provider’s developer portal (e.g., GitHub, Google, etc.).
- Set the redirect URI to:
Replace
<tfy-control-plane-base-url>with your TrueFoundry control plane URL. - Note your OAuth2 App ID, Secret, and required scopes.
- Set the redirect URI to:
- Register your MCP Server in the AI Gateway:
- In the MCP Servers tab, click Add New MCP Server Group.
MCP Server registration interface
- Click Add MCP Server and provide:
- Endpoint URL: The URL of your deployed MCP Server
- Authentication Type: Select OAuth2
- OAuth2 App ID: The client ID from your OAuth2 app
- OAuth2 App Secret: The client secret from your OAuth2 app
- OAuth2 App Scopes: The required scopes for accessing provider resources
Adding a new MCP Server
- In the MCP Servers tab, click Add New MCP Server Group.
Tip: For enhanced security, store your OAuth2 credentials in the TrueFoundry secrets store and reference their FQN in your configuration.
Using OAuth2 Authentication
You can use the AI Gateway or MCP Gateway API to test and interact with your MCP Server using LLMs and tools.
- Click Add Tool/MCP Servers in the AI Gateway UI.
- For MCP Servers using OAuth2, click Connect Now to authorize the AI Gateway with your credentials.
Authorize your MCP Server in AI Gateway
- You can revoke your OAuth2 authorization at any time through the AI Gateway.
Revoke your OAuth2 authorization
- You can revoke your OAuth2 authorization at any time through the AI Gateway.
- Once authentication is successful, your MCP Server’s tools will appear in the list.
MCP Server listed after authentication
- Select the tools you want to use and click Done.
When to Use OAuth2 Authentication
Choose OAuth2 Authentication when:
- APIs require delegated, user-based access unlike header authentication which uses common credentials.
- You need provider-specific scopes and permissions. OAuth2 allows you to configure scopes to restrict access (e.g., read-only), unlike header authentication.
- OAuth2 allows users to revoke their own authorization, and users can only access resources they are permitted to use.
- Access tokens are securely stored and managed by the AI Gateway.
Note: Support for OAuth 2.0 Dynamic Client Registration is coming soon to AI Gateway’s MCP servers. This will allow AI agents and clients to register and authenticate with MCP servers automatically at runtime, making integration more scalable and secure.