Two-Layer Architecture
These layers are independent. An agent authenticates to Portkey with an API key. Portkey authenticates to Linear with OAuth. The agent never sees Linear’s OAuth tokens.
Gateway Authentication
Agents prove their identity to Portkey before accessing MCP servers.How it works: Requests with an API key use API key auth. Requests with a JWT from an external IdP (with JWT validation configured) use JWT validation. Requests with neither trigger the OAuth flow. No configuration needed—just include an API key or don’t.
API Key
The simplest method. Create an API key in Portkey and include it in requests.mcp invoke permissions.
OAuth 2.1
For browser-based flows where users authenticate interactively. If no API key is provided, Portkey acts as the OAuth provider and initiates the consent flow. After authentication, your app receives a token to use for MCP requests. This is useful for:- End-user applications where users log in
- Interactive tools like Claude Desktop or Cursor (when not using API keys)
- User-level attribution without managing API keys
External IdP (Bring Your Own Identity)
Use existing identity providers (Okta, Auth0, Azure AD, Cognito). Configure Portkey to validate tokens from your IdP. Users authenticate with existing identity systems—no Portkey accounts needed. This is useful when:- You have an existing IdP and want SSO
- Users who aren’t in Portkey need MCP access
- Compliance requires your own identity infrastructure
MCP Server Authentication
Portkey needs credentials to access upstream MCP servers. Configure this when adding a server.OAuth Auto
For MCP servers that support OAuth 2.1 with dynamic client registration. Portkey handles the full OAuth flow automatically. When a user first calls a tool, Portkey initiates OAuth with the MCP server. The user completes consent (e.g., authorizing access to their Linear account). Portkey stores and refreshes tokens automatically. Each user gets their own OAuth tokens. User A’s Linear access is separate from User B’s. Customize the OAuth client metadata Portkey uses during registration. See OAuth Client Metadata.Client Credentials
For MCP servers using OAuth client credentials grant. You provide a client ID and secret when adding the server. Portkey fetches tokens and handles refresh. All users share the same credentials to the MCP server. Use this for shared resources, not personal data.Custom Headers
For MCP servers using API keys or static tokens. Add headers when configuring the server.Data Flow: Headers and Identity
Beyond authentication, Portkey supports passing contextual information to MCP servers:Identity Forwarding
After authenticating a user, Portkey can forward their identity claims to MCP servers. MCP servers can then make authorization decisions without implementing OAuth themselves. Three methods:- Claims Header: JSON object with user claims
- Bearer Passthrough: Forward the original token
- Signed JWT: Portkey-signed JWT with claims (cryptographically verifiable)
Header Forwarding
Forward headers from agent requests to MCP servers for distributed tracing, tenant context, or custom metadata.Choosing the Right Method
Use per-user OAuth when the MCP server accesses user-specific data (email, repos, messages). Each user authorizes their own access.
Use shared credentials when the MCP server provides shared resources (knowledge bases, analytics). All users see the same data.

