OAuth2 Authentication
Overview
OAuth2 authentication lets you secure your MCP Server with delegated, user-based access. This approach is ideal for APIs that require robust security and fine-grained permissions, allowing users to authenticate with their own credentials and control access using provider-specific scopes.
Quick Start: OAuth2 Example
- Deploy your MCP Server and copy the endpoint URL from your deployment list.
  (Screenshot: MCP Server deployment list)
- Create an OAuth2 app (confidential client) in your provider's developer portal (for example, GitHub or Google).
- Set the redirect URI to:
  <tfy-control-plane-base-url>
  Replace <tfy-control-plane-base-url> with your TrueFoundry control plane URL.
- Note your OAuth2 App ID, Secret, and required scopes.
- Register your MCP Server in the AI Gateway:
  - In the MCP Servers tab, click Add New MCP Server Group.
    (Screenshot: MCP Server registration interface)
  - Click Add MCP Server and provide:
    - Endpoint URL: the URL of your deployed MCP Server
    - Authentication Type: select OAuth2
    - OAuth2 App ID: the client ID from your OAuth2 app
    - OAuth2 App Secret: the client secret from your OAuth2 app
    - OAuth2 App Scopes: the scopes required to access the provider's resources
    (Screenshot: Adding a new MCP Server)
Tip: For enhanced security, store your OAuth2 credentials in the TrueFoundry secrets store and reference their FQN in your configuration.
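The redirect URI and scope steps above are the inputs to the OAuth2 authorization-code flow that the AI Gateway runs against your provider. The following is an added illustration, not TrueFoundry or provider code, of the client side of that flow: building the authorization URL from the registered redirect URI and the requested scopes, binding the callback to the originating request with a state value, and rejecting any callback that lands on anything other than the exact registered redirect URI. The endpoint and redirect URI values are constructed placeholders, and the state check is standard OAuth2 practice that this page itself does not describe.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed placeholders (not real TrueFoundry or provider endpoints).
AUTHORIZE_ENDPOINT = "https://provider.example/oauth/authorize"
# The exact redirect URI registered with the provider when the OAuth2 app was
# created. Any deviation (scheme, host, path, even a trailing slash) must be
# rejected; this is why providers require an exact match.
REGISTERED_REDIRECT_URI = "https://gateway.example/oauth2/callback"


def new_state() -> str:
    """Unguessable per-request value that binds the callback to this request."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, redirect_uri: str, scopes: list[str], state: str) -> str:
    """Build the URL the user's browser is sent to for the consent screen.

    Scopes should be the least-privilege set the MCP Server actually needs;
    the provider shows them to the user before granting access.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def validate_callback(callback_url: str, expected_state: str, registered_redirect_uri: str) -> str:
    """Check the provider's redirect back to the client and return the authorization code.

    Raises ValueError if the callback arrived at a URL other than the registered
    redirect URI, if the state does not match, if the provider reported an
    error, or if no code was returned.
    """
    parts = urlsplit(callback_url)
    landed_on = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if landed_on != registered_redirect_uri:
        raise ValueError(f"callback arrived at unregistered redirect URI: {landed_on}")
    query = parse_qs(parts.query, keep_blank_values=True)
    state = query.get("state", [])
    # Constant-time comparison on bytes so non-ASCII input cannot raise TypeError.
    if len(state) != 1 or not secrets.compare_digest(state[0].encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this request")
    if "error" in query:
        raise ValueError(f"provider denied authorization: {query['error'][0]}")
    code = query.get("code", [])
    if len(code) != 1 or not code[0]:
        raise ValueError("no authorization code in callback")
    return code[0]


def missing_scopes(requested: list[str], granted: str) -> list[str]:
    """Scopes the MCP Server needs but the provider did not grant.

    `granted` is the space-separated 'scope' value from the token response;
    a provider may grant fewer scopes than were requested, so check before use.
    """
    have = set(granted.split())
    return [s for s in requested if s not in have]


if __name__ == "__main__":
    state = new_state()
    print(build_authorize_url("my-app-id", REGISTERED_REDIRECT_URI, ["read:user"], state))
```

The exact-match check is the part worth internalising when you fill in the redirect URI field: a provider that matched redirect URIs loosely would let an authorization code be delivered to a host other than the gateway, so the value you register and the value the gateway sends must be identical. Checking the granted scopes against the requested ones is how a read-only configuration stays read-only even if the provider silently drops a scope.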
Using OAuth2 Authentication in the Playground
You can use the AI Gateway Playground to test and interact with your MCP Server using LLMs and tools.
- Click Add Tool/MCP Servers in the Playground.
- For MCP Servers using OAuth2, click Connect Now to authorize the AI Gateway with your credentials.
  (Screenshot: Authorize your MCP Server in Playground)
- You can revoke your OAuth2 authorization at any time through the AI Gateway.
  (Screenshot: Revoke your OAuth2 authorization)
- Once authentication is successful, your MCP Server's tools will appear in the list.
  (Screenshot: MCP Server listed after authentication)
- Select the tools you want to use and click Done.
When to Use OAuth2 Authentication
- When APIs require delegated, user-based access
- For production or sensitive data where robust authentication is needed
- When you want to leverage provider-specific scopes and permissions
Security Best Practices
Security Features
- OAuth2 authentication delegates user authorization to the provider's own implementation; the AI Gateway never sees the user's provider credentials
- Access tokens are stored and managed by the AI Gateway, not by the MCP Server or the client
- Users can only reach resources the provider has authorized them to use
- Users can revoke their own OAuth2 authorization at any time through the AI Gateway
- Scopes can be configured to restrict access (e.g., read-only access)
Note: Support for OAuth 2.0 Dynamic Client Registration is coming soon to AI Gateway’s MCP servers. This will allow AI agents and clients to register and authenticate with MCP servers automatically at runtime, making integration more scalable and secure.