Hanzo
PlatformHanzo IAMConnecting to IAMMCP

MCP authentication

OAuth discovery and authentication methods for the MCP server.

OAuth discovery

Hanzo IAM supports RFC 9728 OAuth 2.0 Protected Resource Metadata so MCP clients can discover auth requirements. Query the well-known endpoint:

curl https://your-iam.com/.well-known/oauth-protected-resource

The response indicates which OAuth authorization server protects the MCP resource:

```json
{
  "resource": "https://your-iam.com",
  "authorization_servers": ["https://your-iam.com"],
  "bearer_methods_supported": ["header"],
  "scopes_supported": ["openid", "profile", "email"]
}

For application-specific discovery, append the application name:

```bash
curl https://your-iam.com/.well-known/my-app/oauth-protected-resource

This returns metadata scoped to that specific application, useful when different applications have different authorization requirements.

## Authentication Methods

MCP requests must use one of the auth methods in [Public API authentication](/docs/basic/public-api). The authentication method you choose affects which tools you can access.

**Using an access token with scopes** (recommended for automation):

```bash
curl -X POST https://your-iam.com/api/mcp \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'

Access tokens enforce scope-based authorization. The tools you can use depend on the scopes granted when the token was issued. This approach lets you create tokens with limited permissions for specific tasks.

**Using client credentials** (for service accounts):

```bash
curl -X POST https://your-iam.com/api/mcp \
  -u "CLIENT_ID:CLIENT_SECRET" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'

**Using session authentication** (for interactive use):

Session-based authentication through browser cookies grants access to all tools without scope restrictions. This method is intended for interactive use and maintains compatibility with existing workflows.

## Handling Unauthenticated Requests

Unauthenticated requests receive a JSON-RPC error response with a `WWW-Authenticate` header pointing to the OAuth protected resource metadata:

```json
{
  "jsonrpc": "2.0",
  "id": 1,
  "error": {
    "code": -32001,
    "message": "Unauthorized",
    "data": "Unauthorized operation"
  }
}

The response includes a `WWW-Authenticate: Bearer realm="/.well-known/oauth-protected-resource"` header, allowing compliant OAuth clients to automatically discover the authorization server configuration.

How is this guide?

Last updated on

MCP server overview

Use Hanzo IAM’s MCP server for programmatic access via JSON-RPC 2.0.

MCP authorization and scopes

Scope-based access control for MCP tools.

On this page

OAuth discovery