The Model Context Protocol (MCP) specification requires the use of the standards-compliant resource parameter as defined in RFC 8707. Auth0’s Authentication API has historically used the audience parameter to specify a target resource server (API). This document outlines the new resource parameter and provides instructions for enabling the new compatibility profile.

Enabling Resource Parameter Compatibility Profile

The Resource Parameter Compatibility Profile is disabled by default. To enable it, you should:
  1. Create an Auth0 account. To continue with this quickstart, you need to have an Auth0 account.
  2. Enable your tenant to use the Resource Parameter Compatibility Profile. To use the resource parameter in your access tokens, you need to enable the compatibility profile.
  3. Navigate to Settings and click on the Advanced tab.
  4. Scroll down to the Settings section, then find and enable Resource Parameter Compatibility Profile.
[Image: Resource Parameter Compatibility Profile enabled]

How it works

When disabled, the Resource Parameter Compatibility Profile will keep the experience as is and only use the audience parameter in the Auth0 access token.
[Image: Audience in the access token]
Once the Resource Parameter Compatibility Profile is enabled, Auth0 will use the resource parameter if it is available to define the token’s audience.
[Image: Resource in the access token]
If both the resource and audience are available, the audience will still be used. Auth0 will not forward the resource to upstream Identity Providers (IdPs); see the section "Resource Parameter Forwarding to Upstream Identity Provider (IdP)" below. RFC 8707 requires the resource parameter to be an absolute URI. To conform with RFC 8707, we recommend defining your resource server identifiers (API identifiers) in URI format. Using an absolute URI as the identifier of your MCP Server is also a requirement of the MCP Authorization specification.
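The precedence rules and the absolute-URI requirement described above, as an added example that is not Auth0's own code. The function names, the example domain and the identifiers are hypothetical, and requiring a host in the URI is a stricter assumption than RFC 8707 itself makes.

```python
from urllib.parse import urlencode, urlsplit


def validate_resource_indicator(resource: str) -> str:
    """Check a resource value against RFC 8707 section 2 before sending it."""
    parts = urlsplit(resource)
    # RFC 8707: the value MUST be an absolute URI. Requiring a host as well
    # is an assumption made here, since API identifiers are normally URLs.
    if not parts.scheme or not parts.netloc:
        raise ValueError(f"resource must be an absolute URI: {resource!r}")
    # RFC 8707: the URI MUST NOT include a fragment component.
    if "#" in resource:
        raise ValueError("resource must not include a fragment component")
    return resource


def effective_audience(profile_enabled, audience=None, resource=None):
    """Model of the behaviour described on this page.

    Returns the value that defines the token's audience, or None when
    neither request parameter determines it.
    """
    if audience:
        # audience is used whenever it is present, even alongside resource.
        return audience
    if profile_enabled and resource:
        # resource defines the audience only with the profile enabled.
        return validate_resource_indicator(resource)
    return None


def build_authorize_url(domain, client_id, redirect_uri, resource, scope, state):
    """Build a standard /authorize request that carries resource."""
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "resource": validate_resource_indicator(resource),
    })
    return f"https://{domain}/authorize?{query}"


if __name__ == "__main__":
    # Constructed sample values, not real tenant data.
    print(build_authorize_url("tenant.example.com", "CLIENT_ID_PLACEHOLDER",
                              "https://app.example.com/callback",
                              "https://mcp.example.com/mcp", "openid", "xyz"))
```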

Supported flows

The resource parameter is supported in the following flows:
  • Standard Authorization Flow (/authorize)
  • Pushed Authorization Requests (PAR)
  • JWT-Secured Authorization Requests (JAR)
  • Client-Initiated Backchannel Authentication (CIBA)
  • Refresh Token Grant Type

Resource Parameter Forwarding to Upstream Identity Provider (IdP)

When federating to an upstream IdP, Auth0 provides a way for initiating clients to forward parameters. In the documentation for that feature, resource is listed as one of the parameters available for forwarding to upstream IdPs. To avoid leaking access token details, Auth0 will not forward the resource parameter to upstream IdPs while the Resource Parameter Compatibility Profile is enabled.
  • Resource Parameter Compatibility disabled (default behavior):
    • resource is available as an upstream IdP parameter.
  • Resource Parameter Compatibility enabled:
    • resource is not available as an upstream IdP parameter, and will not be forwarded.
    If you pass the resource parameter to an upstream IdP, the Resource Parameter Compatibility Profile should not be enabled.