---
title: Authorization with Apollo MCP Server
redirectFrom:
- /apollo-mcp-server/guides/auth
---
The Apollo MCP server supports authorizing clients (e.g., LLMs) in accordance with [the MCP specification](https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization).
The current implementation passes through OAuth tokens from MCP clients directly to upstream GraphQL APIs. You can read more about [security considerations](/apollo-mcp-server/limitations#oauth-token-passthrough) when using this feature.
## Implement authorization with Apollo MCP Server
To implement authorization, you need an [OAuth 2.1-compliant](https://oauth.net/2.1/) Identity Provider (for example, your own in-house IdP or a third-party IdP such as Auth0, Okta, or Keycloak). You need the following values from your IdP:
- **URL**: The base URL of your Identity Provider, which is used to validate the JSON Web Tokens (JWTs) issued by it.
- **Audience**: Identifies the intended recipient of the token, typically a resource server or API. Represented by the `aud` claim in the JWT.
- **Scopes**: The scopes that the client will request. These scopes define the permissions granted to the client when it accesses the API.
Then, you [configure the MCP server with `auth` settings](/apollo-mcp-server/config-file#auth) and the [GraphOS Router for JWT authentication](/graphos/routing/security/jwt) using those IdP values.
For an example of how to configure Apollo MCP Server with Auth0, see [Authorization with Auth0](/apollo-mcp-server/guides/auth-auth0).
## Configuring allowed audiences
You can specify which JWT audiences are allowed to access your MCP Server.
### Specific audiences
```yaml title="mcp.yaml"
transport:
  type: streamable_http
  auth:
    servers:
      - https://auth.example.com
    audiences:
      - https://api.example.com
      - https://mcp.example.com
```
Set `audiences` to a list of accepted audience values. The JWT's `aud` claim must match one of these values for the token to be considered valid.
### Allow any audience
```yaml title="mcp.yaml"
transport:
  type: streamable_http
  auth:
    servers:
      - https://auth.example.com
    allow_any_audience: true
```
If you set `allow_any_audience` to `true` (the default is `false`), Apollo MCP Server will skip audience validation entirely. This means tokens with _any_ audience claim will be accepted.
<Caution>
Skipping audience validation reduces security. Only use `allow_any_audience: true` when you trust all tokens issued by your configured OAuth servers, regardless of their intended audience.
</Caution>
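To make the difference between the two configurations above concrete, here is an added illustrative model of the audience check (example code written for this page, not Apollo MCP Server's own implementation). It assumes the JWT has already been signature- and issuer-verified and works only on the decoded claims, handling the `aud` claim as either a single string or an array of strings as RFC 7519 permits.

```python
"""Model of the `audiences` / `allow_any_audience` decision described above (added example)."""
from dataclasses import dataclass, field


@dataclass
class AuthConfig:
    # Mirrors the two mcp.yaml settings on this page.
    audiences: list[str] = field(default_factory=list)
    allow_any_audience: bool = False


def audience_accepted(claims: dict, cfg: AuthConfig) -> bool:
    """Return True if the decoded token's `aud` claim satisfies the configuration.

    With allow_any_audience the check is skipped entirely (as the text describes),
    so even a token with no `aud` claim passes this stage. In strict mode a token
    with no `aud`, or whose audiences are all outside the allow-list, is rejected.
    """
    if cfg.allow_any_audience:
        return True
    aud = claims.get("aud")
    if aud is None:
        return False
    # RFC 7519: `aud` may be a single string or an array of strings.
    token_audiences = [aud] if isinstance(aud, str) else list(aud)
    return any(a in cfg.audiences for a in token_audiences)


# Constructed sample claim sets (payload only; signature and issuer checks are out of scope here).
STRICT = AuthConfig(audiences=["https://api.example.com", "https://mcp.example.com"])
PERMISSIVE = AuthConfig(allow_any_audience=True)

SAMPLES = {
    "for_api": {"iss": "https://auth.example.com", "aud": "https://api.example.com"},
    "multi_aud": {"iss": "https://auth.example.com",
                  "aud": ["https://other.example.com", "https://mcp.example.com"]},
    "other_service": {"iss": "https://auth.example.com", "aud": "https://billing.example.com"},
    "no_aud": {"iss": "https://auth.example.com"},
}


def evaluate(cfg: AuthConfig) -> dict[str, bool]:
    """Run every sample token through the check for one configuration."""
    return {name: audience_accepted(claims, cfg) for name, claims in SAMPLES.items()}


if __name__ == "__main__":
    for label, cfg in (("strict", STRICT), ("allow_any_audience", PERMISSIVE)):
        print(label, evaluate(cfg))
```

Under the strict configuration only the first two samples pass; under `allow_any_audience: true` every sample does, including the token minted for an unrelated billing service and the one with no audience at all, which is exactly the exposure the caution above warns about.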