io.modelcontextprotocol/oauth-client-credentials) adds support for the OAuth 2.0 client credentials flow to MCP. This enables automated systems to connect to MCP servers without interactive user authorization.
Specification
Full technical specification for the OAuth Client Credentials extension.
What it is
The standard MCP authorization flow requires a user to interactively approve access — a browser opens, the user logs in, and grants permission. That works well for humans, but breaks down when there’s no user present. The OAuth Client Credentials extension solves this by letting a client authenticate using application-level credentials (a client ID and secret, or a signed JWT assertion) rather than delegated user credentials. The client proves its identity directly to the authorization server, which issues an access token without requiring a browser redirect or user interaction.When to use it
Use OAuth Client Credentials when:- Background services need to call MCP tools on a schedule or in response to events, without a user present
- CI/CD pipelines invoke MCP servers as part of automated build, test, or deployment workflows
- Server-to-server integrations connect two backend systems where there’s no end user involved
- Daemon processes or long-running workers need persistent access to MCP resources
How it works
The extension supports two credential formats:JWT Bearer Assertions (recommended)
Defined in RFC 7523, JWT Bearer Assertions let the client sign a token with its private key and present it as proof of identity. The authorization server validates the signature using the client’s registered public key. The JWT assertion typically includes:iss: Client ID (the issuer)sub: Client ID (subject being authenticated)aud: Authorization server token endpoint URLexp: Expiration timeiat: Issued-at time
Client Secrets
For simpler deployments, the extension also supports the standard client credentials flow using aclient_id and client_secret. The client sends its credentials directly to the authorization server’s token endpoint and receives an access token in return.
Implementation guide
For MCP clients
To use the OAuth Client Credentials extension, your client must:Obtain an access token
Request a token from the authorization server using the client credentials grant before connecting to the MCP server.
For MCP servers
To accept client credentials tokens, your server must:Validate the token
On each request, verify the JWT signature and claims against your authorization server’s public keys (usually via a JWKS endpoint).
SDK examples
The official MCP SDKs provide built-in support for client credentials authentication. Both handle token acquisition and refresh automatically.Client support
Support for this extension varies by client. Extensions are opt-in and never active by default.
Related resources
ext-auth repository
Source code and reference implementations
Full specification
Technical specification with normative requirements
RFC 6749 — Client Credentials Grant
The underlying OAuth 2.0 specification
RFC 7523 — JWT Bearer Assertions
JWT assertion format specification