When to Use
Organizations with existing IdPs can use External OAuth. Users authenticate through the IdP for other services, and MCP access works the same way. Common scenarios:- SSO for internal developers. Engineers use corporate credentials to access MCP servers
- B2B applications. Your customers authenticate through their own IdP
- Compliance requirements. Mandate use of your own identity infrastructure
- No Portkey accounts. Users who aren’t in Portkey need MCP access
How It Works
jwt_validation in step 4 is a per-server check layered on top of it. Portkey never handles user credentials—your IdP remains the source of truth for identity.
Configuration
Configure JWT validation for your MCP server. Portkey validates incoming tokens using your IdP’s public keys or introspection endpoint.Option 1: JWKS URI (Recommended)
The most common setup. Portkey fetches public keys from your IdP’s JWKS endpoint.- Portkey fetches and caches your IdP’s public keys
- Keys are cached for 24 hours by default
- If a key rotates, Portkey automatically refetches
- Validation happens locally (no network call per request)
Option 2: Token Introspection
For opaque tokens requiring real-time validation, or for immediate revocation.- The request authenticates to the gateway first (Portkey API key or org-claim JWT); introspection runs after that step.
- Portkey reads the end-user’s opaque token from the header named by
headerKey(default:Authorization). Use a dedicated header such asX-Auth-Tokenso it doesn’t collide with the gateway credential. - Portkey POSTs to your
introspectEndpointper RFC 7662: the token in the request body astoken=…, and—whenintrospectClientId/introspectClientSecretare set—anAuthorization: Basic base64(client_id:client_secret)header to identify Portkey to your endpoint. - Your endpoint must return
{ "active": true, ... }. Include asubclaim so the user is attributed correctly in logs and analytics. - Responses are cached for
introspectCacheMaxAgeseconds (default:0, no caching).
0(no cache): Every request calls the introspection endpoint (slower, but immediate revocation)> 0: Better performance, but revocation takes up to the cache TTL to take effect
Token introspection validates the end-user’s token; it does not authenticate the gateway. You still need a Portkey API key or an org-claim JWT on the request (see the callout at the top of this page). An opaque token on its own is not sufficient.
Client Configuration
Every request needs a gateway credential (a Portkey API key or an org-claim JWT) so Portkey can resolve your organization. When you use token introspection, the end-user token goes in a separate header—the one you set asheaderKey:
portkey_oid / organisation_id, portkey_workspace / workspace_slug), you can pass that JWT in x-portkey-api-key and it serves as the gateway credential on its own—see Organization JWT Authentication. In that case no separate Portkey API key is required.
Or in code:
- Python
- TypeScript
Validating Claim Values
Validate that tokens are issued by the correct IdP and intended for MCP access:- Tokens from other IdPs being accepted
- Tokens intended for other services being used for MCP
Combining with Identity Forwarding
External OAuth pairs naturally with identity forwarding. Portkey validates the incoming JWT, extracts user claims, and forwards them to MCP servers.- Authorization: Check if user belongs to required groups
- Logging: Audit trail with user identity
- Personalization: Customize responses based on user
IdP-Specific Examples
Descope
- Create a project in the Descope Console
- Note your Project ID (found in Project Settings)
- Enable DCR, under DCR Settings under Inbound Applications
Okta
- Create an authorization server in Okta Admin Console
- Create an OAuth application (Web or SPA)
- Note your issuer URL (e.g.,
https://dev-12345.okta.com/oauth2/default)
Auth0
- Create an API in Auth0 Dashboard
- Note your tenant domain and API identifier
Azure AD / Entra ID
- Register an application in Azure Portal
- Note your tenant ID and client ID
AWS Cognito
- Create a User Pool in AWS Console
- Note your region and pool ID
Securing Your Setup
Validate Issuer and Audience
Always configureclaimValues to verify iss and aud:
Require Essential Claims
Require essential claims:Use Short Token Lifetimes
Configure the IdP to issue short-lived access tokens (15-60 minutes). This limits the window if a token is compromised.Troubleshooting
401 Unauthorized when sending only an end-user token
If you send only an opaque (or IdP) token with no Portkey API key and no org-claim JWT, the gateway can’t resolve your organization, so it rejects the request before introspection runs (your introspection endpoint is never called, and the client may fall into a browser OAuth prompt). Add a gateway credential—x-portkey-api-key or an org-claim JWT—and pass the end-user token in the headerKey header.
”Invalid issuer” Error
The token’siss claim doesn’t match your configuration. Verify the issuer URL exactly matches—including trailing slashes.
”Missing required claims” Error
The token doesn’t include claims you specified inrequiredClaims. Check your IdP’s token configuration and scopes.
”Invalid audience” Error
The token’saud claim doesn’t match your configuration. Verify the correct API identifier or client ID.
”JWKS fetch failed” Error
Portkey couldn’t fetch keys from your JWKS URI. Verify the URL is accessible and returns valid JWKS JSON.Related
| Topic | Description |
|---|---|
| JWT Validation | Full configuration reference for JWT validation |
| Identity Forwarding | Pass validated claims to MCP servers |
| Authentication Overview | Understanding gateway authentication |

