MCP Server Authentication Overview
This document provides an overview of the authentication methods available for MCP servers that you deploy through MCP-Cloud.ai. Understanding these options will help you secure your MCP server and implement the right authentication strategy for your use case.
Authentication Methods
MCP servers support three primary authentication methods:
- API Key Authentication - Simple token-based authentication for programmatic access
- Client Authentication - For applications with multiple users or for website/mobile integration
- Server-to-Server Authentication - For secure backend-to-backend communication
API Key Authentication
API keys are long-lived tokens that provide access to your MCP server. They are the simplest way to authenticate and are ideal for:
- Development and testing
- Personal projects
- Server-to-server communication
- CI/CD pipelines
- Internal tools
Each MCP server you deploy comes with a primary API key. You can also create additional API keys with different permission scopes.
Authorization: Bearer mcp_sk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Advantages of API Keys
- Simple to implement
- No expiration (unless you set one)
- Can be rotated/refreshed as needed
- Minimal overhead
Limitations of API Keys
- Cannot easily be limited to specific users
- No built-in expiration
- Must be securely stored
- Simpler permission model
Learn more about API key authentication in the API Key Authentication guide.
Client Authentication
When building applications with multiple users, you'll likely need more sophisticated authentication. MCP servers support several options for client authentication:
Session-Based Authentication
For web applications, you can implement session-based authentication:
- Your application authenticates users through your own auth system
- Your backend creates a session with the MCP server for that user
- The client receives a short-lived token to use directly with the MCP server
This approach allows for per-user tracking and permissions without exposing your main API key.
OAuth 2.0
For more complex scenarios, MCP servers support OAuth 2.0 integration:
- Allow users to authorize your application to use their MCP server
- Implement fine-grained permission scopes
- Handle token refresh and expiration
- Track usage per user
OAuth is particularly useful for third-party integrations or multi-tenant applications.
Learn more about client authentication in the Client Authentication guide.
Security Best Practices
Regardless of which authentication method you choose, follow these security practices:
API Key Security
- Store API keys in environment variables, not in code
- Never expose API keys in client-side code
- Use a secrets manager for production deployments
- Rotate keys periodically
- Use the most restricted key possible for each use case
Request Security
- Always use HTTPS for all MCP server communication
- Implement rate limiting in your application
- Set appropriate timeouts
- Handle authentication errors gracefully
- Log authentication failures for security monitoring
User Management
- Implement proper user authentication in your application
- Create separate sessions/tokens for each user
- Revoke access when users log out or accounts are deleted
- Set appropriate session timeouts
- Use refresh tokens for long-lived access
Choosing the Right Authentication Method
Select your authentication method based on your use case:
| Use Case | Recommended Authentication |
|---|---|
| Personal project | API key authentication |
| Server-to-server | API key authentication |
| Web application | Session-based authentication |
| Mobile app | Session-based or OAuth |
| Third-party integration | OAuth 2.0 |
| Multi-tenant SaaS | OAuth 2.0 |
Authentication Flow Examples
Simple API Key Authentication Flow
┌─────────────┐ ┌─────────────┐
│ │ │ │
│ Client │ │ MCP Server │
│ │ │ │
└──────┬──────┘ └──────┬──────┘
│ │
│ Request with API Key in Header │
│ Authorization: Bearer mcp_sk_xxx │
│ ─────────────────────────────────────► │
│ │
│ │
│ │
│ Response │
│ ◄───────────────────────────────────── │
│ │
Session-Based Authentication Flow
┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│ │ │ │ │ │
│ User │ │ Your App │ │ MCP Server │
│ │ │ │ │ │
└──────┬──────┘ └──────┬──────┘ └──────┬──────┘
│ │ │
│ 1. Login │ │
│ ──────────────────► │ │
│ │ │
│ 2. App auth │ │
│ ◄────────────────── │ │
│ │ │
│ │ 3. Create Session │
│ │ ──────────────────► │
│ │ │
│ │ 4. Session Token │
│ │ ◄───────────────── │
│ │ │
│ 5. Session Token │ │
│ ◄────────────────── │ │
│ │ │
│ │ │
│ 6. Request with Session Token │
│ ─────────────────────────────────────────►│
│ │ │
│ 7. Response │ │
│ ◄─────────────────────────────────────────│
│ │ │
OAuth 2.0 Flow
┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│ │ │ │ │ │
│ User │ │ Your App │ │ MCP Server │
│ │ │ │ │ │
└──────┬──────┘ └──────┬──────┘ └──────┬──────┘
│ │ │
│ │ 1. Register App │
│ │ ──────────────────► │
│ │ │
│ │ 2. Client ID/Secret│
│ │ ◄───────────────── │
│ │ │
│ 3. Access App │ │
│ ──────────────────► │ │
│ │ │
│ 4. Redirect to OAuth │
│ ◄────────────────── │ │
│ │ │
│ 5. Auth Request │ │
│ ─────────────────────────────────────────►│
│ │ │
│ 6. Auth Consent │ │
│ ◄─────────────────────────────────────────│
│ │ │
│ 7. Approve │ │
│ ─────────────────────────────────────────►│
│ │ │
│ 8. Redirect with Code │
│ ◄─────────────────────────────────────────│
│ │ │
│ 9. Code │ │
│ ──────────────────► │ │
│ │ │
│ │ 10. Exchange Code │
│ │ ──────────────────► │
│ │ │
│ │ 11. Access Token │
│ │ ◄───────────────── │
│ │ │
│ 12. API Access │ │
│ ──────────────────► │ │
│ │ │
│ │ 13. API Request │
│ │ ──────────────────► │
│ │ │
│ │ 14. Response │
│ │ ◄───────────────── │
│ │ │
│ 15. Results │ │
│ ◄────────────────── │ │
│ │ │
Troubleshooting
Common authentication issues and their solutions:
| Issue | Possible Cause | Solution |
|---|---|---|
| 401 Unauthorized | Invalid API key | Check for typos, verify the key is active |
| 403 Forbidden | Insufficient permissions | Request a key with appropriate scopes |
| Token expired | Session timeout | Implement token refresh or reauthenticate |
| Rate limiting | Too many requests | Implement backoff strategy, request higher limits |
mcp-cloud.ai