
MCP Server Setup

If your resource app also exposes an MCP (Model Context Protocol) server, test it alongside the REST API in the XAA Playground.

Requirements

  1. Implement MCP protocol: use StreamableHTTP transport (recommended)
  2. Accept Bearer tokens: same Authorization: Bearer <token> format as your REST API
  3. Validate tokens: from the same Auth Server (playground or your own)

How MCP Fits in the XAA Flow

The MCP server uses the same access token obtained through the standard XAA 4-step flow. The only difference is Step 4: instead of calling a REST endpoint, the requesting app connects to the MCP server.

  • Steps 1-3: same as REST (SSO → Token Exchange → JWT Bearer Grant)
  • Step 4: Access Token → MCP Server (instead of REST API)

Registration

When registering your resource via Test Your Resource App, enable the "This resource also has an MCP server" checkbox in Wizard Step 4 and provide:

  • MCP Server URL: the StreamableHTTP endpoint (e.g., https://your-resource.example.com/mcp)
  • MCP Resource URIs: the MCP resource URIs your server exposes (e.g., myapp://files)


Protected Resource Metadata (RFC 9728)

RFC 9728 lets LLM agents (and other OAuth clients) auto-discover your Authorization Server without pre-configuration. Your MCP server must implement two things:

1. Publish a metadata document at /.well-known/oauth-protected-resource:

Match the wizard registration exactly

The resource value — and the aud claim your JWT middleware validates against — must match the URL you entered in Wizard Step 1 exactly, including the presence or absence of a trailing slash. The Auth Server does not normalize URLs, so a mismatch here produces invalid_token — unexpected "aud" claim value.

2. Include a WWW-Authenticate discovery hint on every 401 response:


When an agent receives this challenge, it fetches the metadata URL, reads authorization_servers[0], and performs discovery on that Auth Server (via /.well-known/oauth-authorization-server or /.well-known/openid-configuration) to find the token endpoint, completing the full XAA flow automatically.
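The two requirements above, worked as an added example (not code from the playground or the Todo0 server): the resource URL, Auth Server issuer and the `verify` function are assumed placeholders, and `verify` stands in for whatever JWT signature and expiry validation your middleware already does against the Auth Server.

```python
import json
from urllib.parse import urlsplit

# Assumed placeholders (not values from the page): the URL entered in Wizard Step 1
# and the issuer of the Auth Server that mints the access tokens.
RESOURCE_URL = "https://your-resource.example.com/mcp"
AUTH_SERVER = "https://auth-server.example.com"
METADATA_PATH = "/.well-known/oauth-protected-resource"


def metadata_url(resource=RESOURCE_URL):
    """Absolute URL of the RFC 9728 document, served at the resource's origin."""
    parts = urlsplit(resource)
    return f"{parts.scheme}://{parts.netloc}{METADATA_PATH}"


def protected_resource_metadata(resource=RESOURCE_URL, auth_server=AUTH_SERVER):
    """Document published at METADATA_PATH; `resource` must equal the registered URL exactly."""
    return {
        "resource": resource,
        "authorization_servers": [auth_server],
        "bearer_methods_supported": ["header"],
    }


def www_authenticate_challenge(resource=RESOURCE_URL):
    """Header value that tells an agent where to fetch the metadata document."""
    return f'Bearer resource_metadata="{metadata_url(resource)}"'


def aud_matches(aud, registered=RESOURCE_URL):
    """Exact string comparison, like the Auth Server: a trailing-slash difference fails."""
    values = aud if isinstance(aud, list) else [aud]
    return registered in values


def handle(method, path, headers, verify):
    """Dispatcher returning (status, headers, body); `verify` is a caller-supplied
    function (assumed) that checks signature/expiry and returns claims or None."""
    if method == "GET" and path == METADATA_PATH:
        body = json.dumps(protected_resource_metadata())
        return 200, {"Content-Type": "application/json"}, body
    auth = headers.get("Authorization", "")
    claims = verify(auth[len("Bearer "):]) if auth.startswith("Bearer ") else None
    if claims is None or not aud_matches(claims.get("aud")):
        # Every 401 carries the discovery hint, whatever the reason for rejection.
        return 401, {"WWW-Authenticate": www_authenticate_challenge()}, ""
    return 200, {"Content-Type": "application/json"}, json.dumps({"ok": True})
```

The `aud_matches` check is where the trailing-slash mismatch described above surfaces: a token whose `aud` is the registered URL plus `/` is rejected and the agent receives the 401 with the discovery hint.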

Playground compliance

The built-in Todo0 MCP server and REST API both implement RFC 9728 fully. Your BYOR resource should too if you want agents to connect to it without manual configuration.

Token Scopes for MCP

MCP resources use the same scopes as your REST API. When registering your resource, you can optionally define separate MCP-specific scopes if your MCP server requires different permissions than the REST endpoints.

Next step

Ready to test? Open Test Your Resource App, register your server (enable the MCP checkbox in Wizard Step 4), and run the 4-step XAA flow against it. See the Testing Guide for a detailed walkthrough.


Presented by Okta Developer

Copyright © 2026 Okta. All rights reserved.