Skip to main content
Authorization determines what authenticated users can access. While authentication verifies who a user is, authorization controls what they can do.

Authorization Layers

MCP Gateway provides authorization at multiple levels:

Server-Level Claim-Based Authorization

Control access to MCP servers based on JWT claims. This is configured through JWT Validation using requiredClaims and claimValues.

Require Specific Claims

Ensure tokens include specific claims before allowing access:
If a token is missing any required claim, access is denied.

Validate Claim Values

Authorize based on claim values—group membership, roles, or other attributes:
Users whose tokens don’t match the required claim values receive an authorization error.

Match Types

Example: Restrict to Engineering Team

Only allow users in the engineering group:

Example: Require Admin Role

Only allow users with admin role:

Example: Restrict by Email Domain

Only allow users from your company domain:
See JWT Validation for complete configuration options.

Tool-Level Authorization

Tool-level claim-based authorization is coming in a future release.
Fine-grained authorization at the tool level based on JWT claims. Control tool access by user attributes:
Enables scenarios like:
  • Allow read tools for all users, write tools for specific roles
  • Restrict dangerous operations to admins
  • Enable different tool sets for different teams

Webhooks for Authorization

Webhook-based authorization is coming in a future release.
Call your custom authorization service before each MCP request. Implement dynamic, context-aware access decisions.
Your webhook will receive:
  • User identity and claims
  • Target MCP server
  • Tool being called
  • Request parameters
Return allow or deny with an optional reason. Enables:
  • Dynamic authorization based on external systems
  • Context-aware decisions (time of day, request patterns)
  • Integration with existing authorization infrastructure
  • Custom business logic for access control

Combining with Team Provisioning

Authorization works alongside Team Provisioning:
  1. Team Provisioning controls which workspaces see which servers
  2. JWT Validation adds claim-based rules on top
A user must pass both checks to access an MCP server.

Next Steps

JWT Validation

Configure claim validation for authorization.

Team Provisioning

Control workspace access to MCP servers.

Identity Forwarding

Pass user identity to MCP servers for downstream authorization.

Tool Provisioning

Enable or disable specific tools.
Last modified on April 8, 2026