When to Use
Organizations with existing identity providers (Okta, Auth0, Azure AD, Cognito) can use JWT validation. Users authenticate through the IdP, and MCP access works the same way. Flow:- Users get a token from the IdP
- Token included in MCP requests
- Portkey validates the token against the IdP
- Valid requests proceed with user identity attached
Validation Methods
Configure one validation method per MCP server. Each has different tradeoffs.JWKS URI
Fetch public keys from your IdP’s JWKS endpoint. This is the standard approach for most identity providers.Inline JWKS
Embed public keys directly in the configuration. Use for self-contained deployments or environments without a JWKS endpoint.Token Introspection (RFC 7662)
For opaque tokens that require real-time validation. Portkey calls your IdP’s introspection endpoint.active boolean field per RFC 7662.
Best for: Opaque tokens, real-time revocation checking, or validating token status against the IdP on every request.
Configuration Reference
Core Options
Timing Options
Introspection Options
Claim Validation Options
Custom Token Header
By default, Portkey reads the token from theAuthorization header. For a different header:
Require Specific Claims
Tokens must include these claims or they’re rejected:sub, email, or groups, Portkey returns:
Validate Claim Values
Check that claims have expected values:Match Types
Header-Payload Matching
Ensure that claims in the JWT header match claims in the payload. This provides additional security for tokens that include claims in both locations.Caching Behavior
JWKS Caching
- Keys cached for 24 hours by default (configurable via
cacheMaxAge) - CryptoKeys are pre-imported and cached for performance
- If signature verification fails with a cached key, Portkey refetches the JWKS (handles key rotation)
Introspection Caching
- Not cached by default (every request calls the introspection endpoint)
- Enable caching with
introspectCacheMaxAge(in seconds) - Cached results respect token expiry—expired tokens aren’t served from cache
- First request: calls introspection endpoint, caches result
- Subsequent requests (within 5 minutes): uses cached result
- After 5 minutes: calls introspection endpoint again
Performance Optimizations
Portkey optimizes JWT validation for production workloads:
Typical validation latency:
- JWKS (cache hit): < 1ms
- JWKS (cache miss): 50-200ms (network fetch)
- Introspection (uncached): 50-300ms (depends on IdP)
- Introspection (cached): < 1ms
Example: Okta Integration
Example: Auth0 Integration
Example: Azure AD Integration
Combining with Identity Forwarding
JWT validation extracts user claims from the token. Identity forwarding passes those claims to MCP servers:- User sends request with IdP token
- Portkey validates token, extracts claims
- Portkey forwards claims to MCP server
- MCP server uses claims for authorization/logging

