Each MCP server supports two authentication modes:
  • ezforge_managed — ezForge handles OAuth 2.0 / OIDC. Clients register via the OAuth clients API and tokens are issued by the ezForge authorization server.
  • byoa (Bring Your Own Auth) — The server delegates authentication to an external OIDC provider. You supply the provider’s endpoints and ezForge validates tokens against them.
See MCP Auth for full details.
Required scope: Session authentication only (no API key scope defined for this endpoint).

Get auth config

GET /v1/servers/:serverId/auth
Returns the current auth mode and BYOA configuration (if applicable).
Response 200:
For ezforge_managed:
{
  "data": {
    "authMode": "ezforge_managed",
    "byoaConfig": null
  }
}
For byoa:
{
  "data": {
    "authMode": "byoa",
    "byoaConfig": {
      "authorizationEndpoint": "https://auth.example.com/authorize",
      "tokenEndpoint": "https://auth.example.com/token",
      "jwksUri": "https://auth.example.com/.well-known/jwks.json",
      "issuer": "https://auth.example.com"
    }
  }
}

Update auth config

PATCH /v1/servers/:serverId/auth
Changes the authentication mode. When switching to byoa, all four BYOA config fields are required.
Request body — switch to ezforge_managed:
{
  "authMode": "ezforge_managed"
}
Request body — switch to byoa:
{
  "authMode": "byoa",
  "byoaConfig": {
    "authorizationEndpoint": "https://auth.example.com/authorize",
    "tokenEndpoint": "https://auth.example.com/token",
    "jwksUri": "https://auth.example.com/.well-known/jwks.json",
    "issuer": "https://auth.example.com"
  }
}
Fields:
| Field | Type | Required | Description |
| --- | --- | --- | --- |
| authMode | string | | ezforge_managed or byoa |
| byoaConfig | object | When byoa | OIDC provider endpoints (all four sub-fields required) |
| byoaConfig.authorizationEndpoint | string (URL) | When byoa | OAuth 2.0 authorization endpoint — must use https |
| byoaConfig.tokenEndpoint | string (URL) | When byoa | OAuth 2.0 token endpoint — must use https |
| byoaConfig.jwksUri | string (URL) | When byoa | JWKS URI for token validation — must use https |
| byoaConfig.issuer | string (URL) | When byoa | Token issuer (RFC 8414 §2 — no query or fragment) — must use https |
Response 200: Updated auth config object (same shape as GET response).
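A client-side pre-check for the PATCH body, applying the field rules in the table above before the request is sent. This is an added example, not ezForge code or ezForge's own validation; the function name `check_auth_update`, the optional `provider_metadata` argument, and the mapping of byoaConfig fields to RFC 8414 metadata keys are assumptions made for illustration.

```python
from urllib.parse import urlsplit

BYOA_FIELDS = ("authorizationEndpoint", "tokenEndpoint", "jwksUri", "issuer")
# Assumed mapping from byoaConfig fields to RFC 8414 metadata keys.
METADATA_KEYS = {
    "authorizationEndpoint": "authorization_endpoint",
    "tokenEndpoint": "token_endpoint",
    "jwksUri": "jwks_uri",
    "issuer": "issuer",
}


def check_auth_update(body, provider_metadata=None):
    """Return a list of problems found in a PATCH /v1/servers/:serverId/auth body."""
    mode = body.get("authMode")
    if mode not in ("ezforge_managed", "byoa"):
        return [f"authMode must be ezforge_managed or byoa, got {mode!r}"]
    if mode == "ezforge_managed":
        return []
    cfg = body.get("byoaConfig")
    if not isinstance(cfg, dict):
        return ["byoaConfig is required when authMode is byoa"]
    errors = []
    for field in BYOA_FIELDS:
        value = cfg.get(field)
        if not isinstance(value, str) or not value:
            errors.append(f"byoaConfig.{field} is required")
            continue
        try:
            url = urlsplit(value)
            host = url.hostname
        except ValueError:
            errors.append(f"byoaConfig.{field} is not a valid URL")
            continue
        if url.scheme != "https" or not host:
            errors.append(f"byoaConfig.{field} must be an https URL")
        if field == "issuer" and (url.query or url.fragment):
            errors.append("byoaConfig.issuer must not contain a query or fragment")
        # Optional cross-check against the provider's published metadata:
        # a mismatch means tokens would be validated against the wrong
        # issuer string or key set.
        if provider_metadata is not None:
            published = provider_metadata.get(METADATA_KEYS[field])
            if published != value:
                errors.append(
                    f"byoaConfig.{field} differs from provider metadata ({published!r})")
    return errors
```

Pass the provider's authorization server metadata document as `provider_metadata` to also catch values that are well-formed but do not match what the provider publishes, such as an issuer that differs only by a trailing slash.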