---
title: Authorization with Apollo MCP Server
redirectFrom:
- /apollo-mcp-server/guides/auth
---
The Apollo MCP server supports authorizing clients (e.g., LLMs) in accordance with [the MCP specification](https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization).
The current implementation passes through OAuth tokens from MCP clients directly to upstream GraphQL APIs. You can read more about [security considerations](/apollo-mcp-server/limitations#oauth-token-passthrough) when using this feature.
## Implement authorization with Apollo MCP Server
To implement authorization, you need an [OAuth 2.1-compliant](https://oauth.net/2.1/) Identity Provider (for example, your own in-house IdP or a third-party IdP such as Auth0, Okta, or Keycloak). You need the following values from your IdP:
- **URL**: The base URL of your Identity Provider, which is used to validate the JSON Web Tokens (JWTs) issued by it.
- **Audience**: Identifies the intended recipient of the token, typically a resource server or API. Represented by the `aud` claim in the JWT.
- **Scopes**: The scopes that the client will request. These scopes define the permissions granted to the client when it accesses the API.
Then, you [configure the MCP server with `auth` settings](/apollo-mcp-server/config-file#auth) and the [GraphOS Router for JWT authentication](/graphos/routing/security/jwt) using those IdP values.
For an example of how to configure Apollo MCP Server with Auth0, see [Authorization with Auth0](/apollo-mcp-server/guides/auth-auth0).
## Configuring allowed audiences
You can specify which JWT audiences are allowed to access your MCP Server.
### Specific audiences
```yaml title="mcp.yaml"
transport:
  type: streamable_http
  auth:
    servers:
      - https://auth.example.com
    audiences:
      - https://api.example.com
      - https://mcp.example.com
```
Set `audiences` to a list of accepted audience values. The JWT's `aud` claim must match one of these values for the token to be considered valid.
### Allow any audience
```yaml title="mcp.yaml"
transport:
  type: streamable_http
  auth:
    servers:
      - https://auth.example.com
    allow_any_audience: true
```
If you set `allow_any_audience` to `true` (the default is `false`), Apollo MCP Server will skip audience validation entirely. This means tokens with _any_ audience claim will be accepted.
<Caution>
Skipping audience validation reduces security. Only use `allow_any_audience: true` when you trust all tokens issued by your configured OAuth servers, regardless of their intended audience.
</Caution>
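The following is an added illustration, not code from Apollo MCP Server, of the audience policy the two configurations above describe. It models the `audiences` list and `allow_any_audience` flag as a small policy object and applies them to the claims of a token whose signature and issuer have already been verified; the `AuthPolicy` type, the treatment of an `aud` array as accepted when any entry matches (RFC 7519 §4.1.3), and the acceptance of a token with no `aud` claim under `allow_any_audience` are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, List


@dataclass
class AuthPolicy:
    """Mirror of the `transport.auth` settings relevant to audience checks (example type)."""
    servers: List[str]
    audiences: List[str] = field(default_factory=list)
    allow_any_audience: bool = False


def token_audiences(claims: Dict[str, Any]) -> List[str]:
    """Normalise the `aud` claim: RFC 7519 allows a single string or an array of strings."""
    aud = claims.get("aud")
    if aud is None:
        return []
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return list(aud)
    raise ValueError("malformed aud claim")


def audience_allowed(claims: Dict[str, Any], policy: AuthPolicy) -> bool:
    """Return True if the (already signature-verified) claims satisfy the audience policy."""
    if policy.allow_any_audience:
        # `allow_any_audience: true` skips audience validation entirely,
        # so even a token with no `aud` claim passes this step (assumption).
        return True
    try:
        presented = token_audiences(claims)
    except ValueError:
        return False
    # At least one presented audience must be in the configured list; a token
    # with no `aud` claim therefore fails when specific audiences are required.
    return any(a in policy.audiences for a in presented)


# Constructed policies matching the two YAML snippets in this section.
SPECIFIC_AUDIENCES = AuthPolicy(
    servers=["https://auth.example.com"],
    audiences=["https://api.example.com", "https://mcp.example.com"],
)
ANY_AUDIENCE = AuthPolicy(servers=["https://auth.example.com"], allow_any_audience=True)

if __name__ == "__main__":
    # Constructed sample claims; a real deployment gets these from a verified JWT.
    for claims in ({"aud": "https://mcp.example.com"}, {"aud": "https://other.example"}, {}):
        print(claims, "specific:", audience_allowed(claims, SPECIFIC_AUDIENCES),
              "any:", audience_allowed(claims, ANY_AUDIENCE))
```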
## Performance considerations
### Discovery timeout
Authorization server metadata is discovered using OAuth 2.0 Authorization Server Metadata (RFC 8414) and OpenID Connect Discovery. The MCP Server tries multiple discovery URL patterns in sequence until one succeeds.
The `discovery_timeout` setting controls how long to wait for each discovery URL attempt. The default is 5 seconds per URL.
```yaml title="mcp.yaml"
transport:
  type: streamable_http
  auth:
    servers:
      - https://auth.example.com
    discovery_timeout: 10s # Increase timeout for slower networks (default: 5s)
```
**Considerations:**
- Discovery happens during token validation and can add latency to the first authorized request.
- With multiple fallback URLs (RFC 8414, OIDC Discovery), the cumulative timeout can be 10-15 seconds if all URLs fail.
- Increase the timeout if your OAuth server is on a slow network or responds slowly.
- Decrease the timeout in high-performance environments where fast failure is preferred.