Create Authentication Policy

Configure an MCP policy to secure your MCP Server with authentication and authorization.

MCP Servers use policies for authentication. MCP uses the same policy builder that APIM 3.0 does. The policy builder contains a suite of authentication, authorization, validation, traffic shaping, and transformation rules. These rules compose the policy. You can use existing rules or policies created for APIM Services or create new ones specifically for MCP. This topic covers creating policies for MCP Server authentication.

Available authentication methods for MCP:

  • MCP OAuth2 Client Credentials Policy: For application-to-application authentication
  • MCP OAuth2 JWT Validator Policy: For validating JWT tokens from identity providers
  • API Key Authenticator: Simple token-based authentication
  • Anonymous Authenticator: No authentication (development only)

  1. Open the Policy Catalog.
    1. Click the Waffle menu in the top right corner, then click APIM.
      The API Management home page opens.
    2. On the left navigation pane, click Policy Catalog.
      The Policy Manager UI opens.
    3. Click Create Policy to create a new policy.

    4. Enter a Name for the policy (such as MCP OAuth2 Policy).
    5. Enter a Description describing the policy's purpose.
  2. Add Rules.
    1. Click Add Rule to add authentication rules to the policy.
    2. Select the rule type based on your authentication method:
      • MCP OAuth2 Client Credentials: Validates OAuth2 tokens using the client credentials flow. Configure with your authorization server's token endpoint and client credentials.
      • MCP OAuth2 JWT Validator: Validates JWT tokens against an authorization server's JWKS endpoint. Configure with the issuer URL and JWKS endpoint.
      • API Key Authenticator: Validates API keys passed in headers or query parameters. Configure the expected key name and valid keys.
      • Anonymous Authenticator: Allows unauthenticated access. Use only for development or internal testing.
      • Authorize by Role: Defines the user roles that are authorized. Used together with an authenticator rule (Anonymous Authenticator, or the OAuth2 rules as in the steps below).
    3. Add additional rules as needed:

      Common rules for MCP Servers:

      • IP Restriction: Limit access to specific IP addresses or ranges
      • Client Throttling: Rate limit requests per client
      • Request Size Limit: Limit the size of incoming requests
      • CORS Restriction: Configure cross-origin resource sharing

  3. Configure an MCP Policy using OAuth2 Client Credentials
    1. In the MCP OAuth2 Client Credentials rule, configure the following fields:
      • Token Endpoint URL: Your authorization server's token endpoint
      • Client ID: The OAuth2 client identifier
      • Client Secret: The OAuth2 client secret
      • Scope: Required OAuth2 scopes
      • Auth Domain: The domain URL for fetching authorization endpoint URLs
      • Extract Keys from URL: URL to dynamically fetch signing keys for token validation
      • Extract User Info:
        • User ID Expression: Expression that returns the user ID from the token claims
        • Roles Expression: Expression that returns the roles from the token claims

    2. For the Authorize by Role rule, add the following Roles and Conditions:

      Role          Condition
      mcp:access    true
      read:data     true
      write:data    true

  4. Configure an MCP Policy to generate a JSON Web Token for Authentication
    1. In the MCP OAuth2 JWT Validator rule, configure the following fields:
      • Auth Domain: The domain URL for fetching authorization endpoint URLs
      • Extract Keys from URL: URL to dynamically fetch signing keys for token validation
      • Extract User Info:
        • User ID Expression: Expression that returns the user ID from the JWT token claims
        • Roles Expression: Expression that returns the roles from the JWT token claims

    2. For the Authorize by Role rule, add the following Role and Condition:

      Role     Condition
      oauth

  5. Configure an MCP Policy for Anonymous Authentication
    1. For Anonymous Authenticator, in the Role field, add anonymous.

    2. For Authorize by Role, configure the following fields.
      • Role: The role for the authorized user. For anonymous authenticator, add anonymous.
      • Condition: Add a condition, if any, as an expression.

  6. Save the Policy.
    1. Review the policy configuration.
    2. Click Save to save the policy.

      The policy is now available for use with MCP Servers.

Your authentication policy is now created and can be selected when configuring MCP Servers.
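The token validation and role authorization that steps 3 and 4 configure, as an added Python example that is not part of the product documentation or its code: it checks a token's algorithm, signature, issuer and expiry, applies the User ID and Roles expressions to the claims, then applies Authorize by Role with the roles from step 3. To run offline it assumes an HS256 shared-secret token, a constructed issuer URL and the claim names sub and roles; the product's JWT Validator instead fetches signing keys from the JWKS endpoint you configure.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key and issuer (assumptions); the product fetches real keys from a JWKS endpoint.
SECRET = b"constructed-demo-secret"
ISSUER = "https://auth.example.invalid/"
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims: dict) -> str:
    """Issue a constructed HS256 token so the example can be exercised offline."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_token(token: str, now: float):
    """Validator stage: check algorithm, signature, issuer and expiry; return claims or None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":  # refuse 'none' and others
            return None
        expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:  # malformed structure, bad base64 or bad JSON
        return None
    if claims.get("iss") != ISSUER or claims.get("exp", 0) <= now:
        return None
    return claims

# Extract User Info stage: the User ID and Roles expressions (claim names assumed).
USER_ID_EXPRESSION = lambda claims: claims.get("sub")
ROLES_EXPRESSION = lambda claims: claims.get("roles", [])

# Authorize by Role stage: the roles from step 3, each with the condition "true".
AUTHORIZE_BY_ROLE = {role: (lambda claims: True) for role in ("mcp:access", "read:data", "write:data")}

def authorize(token: str, required_role: str, now: float):
    """Return the user ID when the token is valid and grants required_role, else None."""
    claims = validate_token(token, now)
    if claims is None or required_role not in ROLES_EXPRESSION(claims):
        return None
    condition = AUTHORIZE_BY_ROLE.get(required_role)
    return USER_ID_EXPRESSION(claims) if condition and condition(claims) else None
```

A token that lacks the required role, has expired, names another issuer, or whose payload was altered after signing is denied before any condition is evaluated.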

Note: Not all APIM rules are compatible with MCP Server. When selecting a policy in the MCP Server configuration, incompatible rules are marked with a red cross.

After creating the policy, return to Register MCP Server to select this policy for your MCP Server.