Guides

Setting up Auth0 as an Authentication Server for MCP OAuth Authentication

In this guide, you'll learn how to configure Auth0 as an Authorization Server for use with the MCP Server handler. See the MCP Server Handler docs for instructions on how to configure your Zuplo gateway to support OAuth authentication for your MCP Server.

This guide will assume that you already have a working Auth0 account and tenant.

This guide is an example of how you can set up your Auth0 tenant for MCP OAuth support. It is recommended that you consult the Auth0 documentation for more information.

Create an Auth0 API

First, you will need to create an Auth0 API. This API will be used to represent your MCP Server.

In the Auth0 dashboard, navigate to the Applications > APIs section and click Create API.
Set the Name to something like "MCP Server" and the Identifier to the canonical URL of your MCP Server. For example, if your MCP Server is hosted at https://my-gateway.zuplo.dev/mcp, then the identifier would be https://my-gateway.zuplo.dev/mcp. The trailing slash isn't required.
Leave the Signing Algorithm as RS256 and click Create.

Configure the Connection

Next, you will need to configure an Auth0 Connection for your API.

Click the Authentication tab in the left hand sidebar.
Click the type of Authentication connection you would like to use. For this tutorial, we will use the default Database Username-Password-Authentication connection. If you aren't using the default database connection, then create a new connection of the type you want to use and configure it with your desired settings. Click the Try Connection button to make sure that it's working. Note the Identifier of the connection. You will need this in one of the next steps.
Promote the connection that you would like to use for your MCP Client authentication to be a domain level connection. To do this, you will need to use the Auth0 management API. You will need to create an Auth0 Management API token with the update:connections scope. You can obtain one by following this Auth0 doc.

Follow the Promote Connections to Domain Level Auth0 doc to promote your connection to a domain level connection. You will need the connection ID from step 2, as well as the Auth0 Management API token from step 3.

For example using curl:

Code
curl --request PATCH \
--url 'https://your-auth0-domain.us.auth0.com/api/v2/connections/CONNECTION_ID' \
--header 'authorization: Bearer MGMT_API_ACCESS_TOKEN' \
--header 'cache-control: no-cache' \
--header 'content-type: application/json' \
--data '{ "is_domain_connection": true }'

Enable Resource Parameter Compatibility Profile. See the Auth0 tenant settings docs for more information.

After completing these changes to your Auth0 tenant, you will need to enable CIMD or DCR (or both) on your Auth0 tenant.

Enable CIMD for MCP OAuth

To use CIMD for MCP OAuth authentication, do the following:

In the Auth0 dashboard, navigate to the tenant settings in Settings on the left hand sidebar.
Navigate to the Advanced tab.
Scroll down to the Settings section and check the toggle for Client ID Metadata Document (CIMD) Registration.
Register the MCP clients via their public CIMD client data metadata URL by clicking "Create Application" and then "Import from URL". Note that for all the MCP clients you want to support, you will need to obtain the metadata URL and register each application individually.

See the official Auth0 docs for more information.

Enabling DCR for MCP OAuth

To use DCR for MCP OAuth authentication, do the following:

In the Auth0 dashboard, navigate to the tenant settings in Settings on the left hand sidebar.
Navigate to the Advanced tab.
Scroll down to the Settings section and check the toggle for Dynamic Client Registration (DCR). Also ensure that the Enable Application Connections toggle is checked.

See the official Auth0 docs for more information.

Configure OAuth on Zuplo

To set up your gateway to support OAuth authentication for your MCP Server, you will need to do the following:

Create an OAuth policy on your MCP Server route. This policy will need to have the option "oAuthResourceMetadataEnabled": true, for example:


Code
{
  "name": "mcp-oauth-inbound",
  "policyType": "oauth-inbound",
  "handler": {
    "export": "Auth0JwtInboundPolicy",
    "module": "$import(@zuplo/runtime)",
    "options": {
      "auth0Domain": "my-auth0-domain.us.auth0.com",
      "audience": "https://my-mcp-audience",
      "oAuthResourceMetadataEnabled": true
    }
  }
}

Add the OAuth policy to the MCP Server route. For example:


Code
"paths": {
  "/mcp": {
    "post": {
      "x-zuplo-route": {
        // etc. etc.
        // other properties and route handlers for MCP

        "policies": {
          "inbound": [
            "mcp-oauth-inbound"
          ]
        }
      }
    }
  }
}

Add the OAuthProtectedResourcePlugin to your runtimeInit function in the zuplo.runtime.ts file:


Code
import {
  RuntimeExtensions,
  OAuthProtectedResourcePlugin,
} from "@zuplo/runtime";

export function runtimeInit(runtime: RuntimeExtensions) {
  runtime.addPlugin(
    new OAuthProtectedResourcePlugin({
      authorizationServers: ["https://your-auth0-domain.us.auth0.com"],
      resourceName: "My MCP OAuth Resource",
    }),
  );
}

See the OAuth Protected Resource Plugin docs for more details.

See the MCP Server Handler docs for more details.

Testing

Use the MCP Inspector, a developer focused tool for building MCP servers, to quickly and easily test out your MCP server:

Code
npx @modelcontextprotocol/inspector

To connect to your remote Zuplo MCP server in the Inspector UI:

Set the Transport Type to "Streamable HTTP"
Set the URL to your Zuplo gateway with the route used by the MCP Server Handler (that is, https://my-gateway.zuplo.dev/mcp)
You will need to login using the OAuth flow using the Open Auth Settings button.
Hit Connect.

For debugging your OAuth configuration, hit the Open Auth Settings button in the Inspector UI to start the OAuth flow. When first setting up the OAuth flow, it's recommmended to use the Guided OAuth Flow which you will see when you open the OAuth settings. This will allow you to debug the flow step by step.

You should be able to hit the Continue button in the Inspector UI at each step of the flow successfully. If you need more help debugging, see Testing OAuth on Zuplo.

When testing CIMD authentication, you will need an MCP client with a CIMD compatible client metadata URL. Currently, MCP Inspector does not have this, so it is recommended that you test with another client like the Claude Code CLI (Client Metadata URI as of May 2026 is https://claude.ai/oauth/claude-code-client-metadata).

Edit this page

Last modified on May 15, 2026

OpenAI Apps SDK Okta Setup

Code

curl --request PATCH \
--url 'https://your-auth0-domain.us.auth0.com/api/v2/connections/CONNECTION_ID' \
--header 'authorization: Bearer MGMT_API_ACCESS_TOKEN' \
--header 'cache-control: no-cache' \
--header 'content-type: application/json' \
--data '{ "is_domain_connection": true }'

Code

{
  "name": "mcp-oauth-inbound",
  "policyType": "oauth-inbound",
  "handler": {
    "export": "Auth0JwtInboundPolicy",
    "module": "$import(@zuplo/runtime)",
    "options": {
      "auth0Domain": "my-auth0-domain.us.auth0.com",
      "audience": "https://my-mcp-audience",
      "oAuthResourceMetadataEnabled": true
    }
  }
}

Code

"paths": {
  "/mcp": {
    "post": {
      "x-zuplo-route": {
        // etc. etc.
        // other properties and route handlers for MCP

        "policies": {
          "inbound": [
            "mcp-oauth-inbound"
          ]
        }
      }
    }
  }
}

Code

import {
  RuntimeExtensions,
  OAuthProtectedResourcePlugin,
} from "@zuplo/runtime";

export function runtimeInit(runtime: RuntimeExtensions) {
  runtime.addPlugin(
    new OAuthProtectedResourcePlugin({
      authorizationServers: ["https://your-auth0-domain.us.auth0.com"],
      resourceName: "My MCP OAuth Resource",
    }),
  );
}