Auth0 MCP Server Demo — CRM
Integrates with Auth0 for OIDC-based authentication, role-based access control (sales-rep vs sales-manager), and on-behalf-of token exchange to delegate user identity to a downstream CRM API.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Auth0 MCP Server Demo — CRMshow me my contacts"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Auth0 MCP Server Demo — CRM
A demo showing how to secure an MCP server with Auth0 using:
FastMCP Auth0Provider — OIDC proxy so any MCP client (Claude Desktop, MCP Inspector) gets a standard browser-based OAuth login without manual token handling
Role-Based Access Control —
sales-rep(read-only) vssales-manager(full access)On-Behalf-Of Token Exchange — MCP server exchanges the user's token for a CRM API-scoped token, proving the agent acts with delegated user identity
MCP Client → FastMCP (OIDC proxy) → Auth0 Universal Login
↓
JWT validated, permissions checked
↓
OBO exchange → CRM API token
↓
Tool result + delegation proofArchitecture
Package | Port | Stack | Purpose |
| 3010 | Python + FastMCP | MCP server with Auth0 OAuth proxy + OBO |
| 3011 | Node.js + Express | Mock CRM REST API (downstream service) |
Related MCP server: identity-aware-mcp-server
Auth Flow
MCP client connects to
http://localhost:3010/mcpFastMCP redirects to Auth0 Universal Login
User authenticates — FastMCP validates the token and extracts
permissionsOn each tool call, the MCP server performs RFC 8693 Token Exchange to get a CRM-scoped token
Every tool response includes a
delegationblock proving who the agent is acting as
Demo Roles
Role | Permissions | Can Do |
|
| List/view contacts and deals |
|
| Full CRUD |
Prerequisites
Node.js 20+
Python 3.11+
An Auth0 tenant
AWS CLI (for CIMD hosting on S3/CloudFront)
Setup
1. Install dependencies
npm install
pip3 install -r packages/mcp-server/requirements.txt2. Host the CIMD document
The CIMD document proves domain ownership when registering the MCP server with Auth0:
npm run deploy:cimd # provisions S3 + CloudFront + Route53 at mcp.authgatekeeper.com3. Configure Auth0
# Get a Management API token from:
# Auth0 Dashboard → Applications → APIs → Auth0 Management API → API Explorer
AUTH0_MANAGEMENT_TOKEN=<token> npm run setup:auth0Copy the printed values into your root .env.
4. Configure OBO token exchange
# After creating the Custom API client in Auth0:
AUTH0_MANAGEMENT_TOKEN=<token> npx tsx scripts/setup-obo.ts5. Start
npm run devTesting
MCP Inspector
npx @modelcontextprotocol/inspectorConnect to http://localhost:3010/mcp — FastMCP handles the Auth0 login automatically.
Claude Desktop
Add to ~/Library/Application Support/Claude/claude_desktop_config.json:
{
"mcpServers": {
"crm": {
"command": "npx",
"args": ["mcp-remote", "http://localhost:3010/mcp"]
}
}
}Available Tools
Tool | Permission | Description |
| any | Show identity + full delegation chain |
|
| List contacts, filter by status |
|
| Get contact by ID |
|
| Create a new contact |
|
| List deals, filter by stage or contact |
|
| Get deal by ID |
|
| Create a new deal |
Test Users
Password | Role | |
|
| sales-rep ( |
|
| sales-manager ( |
Scripts
Script | Purpose |
| Provision Auth0 tenant (APIs, apps, roles, users) |
| Deploy CIMD document to S3/CloudFront |
| Re-upload CIMD document after changes |
| Configure OBO token exchange client |
| Re-assign role permissions (run after audience change) |
Project Structure
mcp-server-auth/
├── packages/
│ ├── mcp-server/
│ │ ├── server.py # FastMCP server — tools + Auth0 OIDC proxy + OBO
│ │ └── requirements.txt
│ └── crm-api/
│ └── src/
│ ├── index.ts # Express API with JWT validation
│ └── data.ts # In-memory contacts and deals
├── scripts/
│ ├── setup.ts # Auth0 tenant provisioning
│ ├── setup-obo.ts # OBO client configuration
│ ├── fix-permissions.ts # Role permission repair utility
│ └── deploy-cimd.sh # AWS S3/CloudFront/Route53 deployment
└── .env.exampleThis server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/sohnithakkar/mcp-server-auth'
If you have feedback or need assistance with the MCP directory API, please join our Discord server