Authorization Layers
MCP Gateway provides authorization at multiple levels:Server-Level Claim-Based Authorization
Control access to MCP servers based on JWT claims. This is configured through JWT Validation usingrequiredClaims and claimValues.
Require Specific Claims
Ensure tokens include specific claims before allowing access:Validate Claim Values
Authorize based on claim values—group membership, roles, or other attributes:Match Types
Example: Restrict to Engineering Team
Only allow users in the engineering group:Example: Require Admin Role
Only allow users with admin role:Example: Restrict by Email Domain
Only allow users from your company domain:Tool-Level Authorization
Tool-level claim-based authorization is coming in a future release.
- Allow read tools for all users, write tools for specific roles
- Restrict dangerous operations to admins
- Enable different tool sets for different teams
Webhooks for Authorization
Webhook-based authorization is coming in a future release.
- User identity and claims
- Target MCP server
- Tool being called
- Request parameters
allow or deny with an optional reason.
Enables:
- Dynamic authorization based on external systems
- Context-aware decisions (time of day, request patterns)
- Integration with existing authorization infrastructure
- Custom business logic for access control
Combining with Team Provisioning
Authorization works alongside Team Provisioning:- Team Provisioning controls which workspaces see which servers
- JWT Validation adds claim-based rules on top
Next Steps
JWT Validation
Configure claim validation for authorization.
Team Provisioning
Control workspace access to MCP servers.
Identity Forwarding
Pass user identity to MCP servers for downstream authorization.
Tool Provisioning
Enable or disable specific tools.

