Skip to main content
Authentication is the process of proving a user’s identity before granting them access to a resource. In this quickstart, you’ll learn how to bring Universal Login to your MCP-based applications and leverage OAuth 2.0 and OpenID Connect to securely authenticate users. When a user authenticates with an identity provider through Auth0, Auth0 can pass user information to the MCP server in order to allow the user to access the appropriate tools and resources. By the end of this quickstart, you should have an MCP server that can:
  • Let users sign up and log in using a username and password or a Google account.
  • Authenticate and authorize users using OAuth 2.0 and OpenID Connect.
  • Let users use specific tools based on their roles.

Pre-requisites

Auth for MCP is currently available in Early Access. To join the Early Access program, please complete this form. We’ll reach out to you when your request is processed.
To continue with this quickstart, you need to have an Auth0 account.
To use the resource parameter in your access tokens, you need to enable the compatibility profile.The quickest way to enable it is through the Auth0 Dashboard:
  1. Navigate to Settings on the left sidebar.
  2. Click on Advanced on the top right corner.
  3. Scroll down to the Settings section, find and enable Resource Parameter Compatibility Profile.
Resource Parameter Compatibility Profile enabled
Resource Parameter Compatibility Profile is available under the Early Access program. Go to the Early Access section to learn how to gain access.
This guide uses Auth0 CLI to configure an Auth0 tenant for secure MCP tool access.
  1. Follow the Auth0 CLI installation instructions.
  2. Log in to your account with the Auth0 CLI:
auth0 login --scopes "read:client_grants,create:client_grants,delete:client_grants,read:clients,create:clients,update:clients,read:resource_servers,create:resource_servers,update:resource_servers,read:roles,create:roles,update:roles,update:tenant_settings,read:connections,update:connections"
Confirm you are in the correct tenant by double-checking on the terminal the tenant domain, or run the command below:
auth0 tenants list
If more than one tenant is configured, the default tenant will be indicated by an arrow.
To simplify the process of interacting with the Auth0 CLI, we recommend installing jq. This will allow you to easily parse JSON responses from the CLI.
  • MacOS
  • Linux
  • Windows
brew install jq

Configure tenant settings

To allow third-party clients like MCP inspector to use a connection like username-and-password or a social connection, you need to promote the connection to a domain level. Learn more about enabling third-party applications.
1

List your connection

List your connections to get their IDs
auth0 api get connections
2

Choose your connections

From the list, identify which connections you want to use for the MCP server and copy the ID.
  • For the username and password database, look for the connection with the strategy auth0.
  • For Google social connection, look for the connection with the strategy google-oauth2.
3

Upgrade the connection to domain-level

For each of those specific connection IDs, run the following command to mark it as a domain-level connection. Replace YOUR_CONNECTION_ID with the actual ID (e.g., con_XXXXXXXXXXXXXXXX)
auth0 api patch connections/YOUR_CONNECTION_ID --data '{"is_domain_connection": true}'
The sample application in this quickstart is prepared to show different tools depending on the role of a given user. For example an Tool Administrator will have access to different tools from an Tool User.
If you decide to skip this step, you’ll only have access to the tool get_current_time, which is the only tool in the sample apps that doesn’t require any permissions.
If your application doesn’t require that level of access, i.e. all users have access to available tools, this step is not required for your use case.Let’s create roles that allow you to control which users can access which tools.

Create roles

For each role you need (e.g., “Tool Administrator”, “Tool User”), run the create command as below.
# Example for an admin role
auth0 roles create --name "Tool Administrator" --description "Grants access to all MCP tools"

# Example for a basic user role
auth0 roles create --name "Tool User" --description "Grants access to basic MCP tools"
Save the ID from the output (they start with rol_) as you’ll need them for the next step.

Assign permissions to roles

After creating roles, assign the API permissions to it:
# Example for admin role (all scopes)
auth0 roles permissions add YOUR_ADMIN_ROLE_ID --api-id "http://localhost:3001/" --permissions "tool:whoami,tool:greet"

# Example for user role (one scope)
auth0 roles permissions add YOUR_USER_ROLE_ID --api-id "http://localhost:3001/" --permissions "tool:whoami"

Assign roles to users

Find users and assign them to the roles. You can search by their email address:
auth0 users search --query "email:\"example@google.com\""
Copy the user ID (USERID) from last command’s output then assign the role to the user:
auth0 users roles assign "USER_ID_HERE" --roles "YOUR_ROLE_ID_HERE"

Create an API to represent your MCP server

An MCP server is treated just like any other API in your Auth0 tenant, which means you can use the same access control, scoping, and authorization features. The API (also known as a Resource Server) represents your protected MCP Server. Run the following command to create an API in Auth0: 
auth0 api post resource-servers --data '{
  "identifier": "http://localhost:3001/",
  "name": "MCP Tools API",
  "signing_alg": "RS256",
  "token_dialect": "rfc9068_profile_authz",
  "enforce_policies": true,
  "scopes": [
    {"value": "tool:whoami", "description": "Access the WhoAmI tool"},
    {"value": "tool:greet", "description": "Access the Greeting tool"}
  ]
}'
Note that rfc9068_profile_authz is used as the token dialect to include the permissions claim in the access token, which can be useful for the API to check user permissions without making additional calls. For more details on protecting APIs with Auth0 check our quickstarts.

Install packages

Ensure you have npm installed or follow the instructions to install npm in its documentation. In the fastmcp-mcp-js directory, install the required packages: 
npm install

Create your environment file

In the fastmcp-mcp-js directory, create a new .env file and add the following content: 
AUTH0_DOMAIN=<your-auth0-domain>
AUTH0_AUDIENCE=http://localhost:3001
PORT=3001
MCP_SERVER_URL=http://localhost:3001
To get your Auth0 application’s AUTH0_DOMAIN, run the following command: 
auth0 tenants list
Copy the domain under TENANT from the output and update the corresponding variable on the .env.

Run your MCP server

Run this command to start your server: 
npm run start

Testing your MCP server

Now that your MCP server is up and running, you can test it by using tools like MCP Inspector.

Learn how to test your Auth0 powered MCP server

Next steps