Client-Side Authentication

The MCP OAuth Proxy

A high-performance client-side proxy co-located with your AI agent that streamlines MCP OAuth2 authentication and supports human-in-the-loop approval.


Security First

Secure OAuth Authentication

[Figure: Co-located MCP Client and Auth Proxy - OAuth Flow]

OAuth2 + PKCE

The proxy triggers a secure, browser-based OAuth flow where users validate their identity via an enterprise IdP. It securely caches access and refresh tokens for each target MCP server, automatically renewing access tokens and re-triggering the OAuth PKCE flow if a refresh token expires.

Native Keychain Integration

Automatically leverages the system's TPM/Keychain for enterprise-grade security. If unavailable, it falls back to AES-GCM encrypted local storage.

Human Oversight

Human-in-the-Loop Approval

[Figure: Co-located MCP Client and Auth Proxy - HITL Approval Flow]

Manual Confirmation

For sensitive operations, the proxy triggers a user confirmation step via a browser-based UI, allowing the user to approve or deny the action before it is transmitted to the MCP server.

Policy-Driven HITL

Entitlement Service policies determine whether an MCP call requires user approval, while the MCP Gateway coordinates with the MCP Proxy to complete the Human-in-the-Loop process.

Key Features

Human-in-the-Loop

An integrated approval workflow that prompts users for confirmation before sensitive agent actions are executed.

Auto Discovery

RFC 8414 support to automatically find OAuth2 endpoints (authorization, token, introspection) from a base URL.

Automatic Registration

Automatically registers the proxy as a client with compatible identity providers for zero-config onboarding.

Centralized Config

Manage all your upstream MCP servers, commands, URLs, and auth settings in a single, clean YAML file.
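
The Auto Discovery feature above relies on RFC 8414 metadata, and a client should check that metadata before trusting it. The following is an added example, not the proxy's own code: the function names, the idp.example.com issuer and the sample document are constructed for illustration, and requiring PKCE S256 is an assumed local policy that matches the OAuth2 + PKCE flow described earlier.

```python
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/oauth-authorization-server"

def metadata_url(issuer: str) -> str:
    """RFC 8414 section 3: insert the well-known segment between host and issuer path."""
    u = urlsplit(issuer)
    if u.scheme != "https" or not u.netloc or u.query or u.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    # Any terminating "/" is removed from the issuer path before insertion.
    return urlunsplit(("https", u.netloc, WELL_KNOWN + u.path.rstrip("/"), "", ""))

def validate_metadata(issuer: str, doc: dict) -> dict:
    """Return the endpoints to use, or raise ValueError if the document is unsafe."""
    # RFC 8414 section 3.3: the issuer in the document must be identical to the
    # one queried, otherwise another server could substitute its own endpoints.
    if doc.get("issuer") != issuer:
        raise ValueError("issuer mismatch")
    endpoints = {}
    for key in ("authorization_endpoint", "token_endpoint", "introspection_endpoint"):
        value = doc.get(key)
        if value is None and key == "introspection_endpoint":
            continue  # optional metadata field
        if not isinstance(value, str) or urlsplit(value).scheme != "https":
            raise ValueError(f"{key} missing or not https")
        endpoints[key] = value
    # Assumed local policy: refuse servers that do not advertise PKCE with S256.
    methods = doc.get("code_challenge_methods_supported")
    if not isinstance(methods, list) or "S256" not in methods:
        raise ValueError("server does not advertise PKCE S256")
    return endpoints

# Constructed sample input (not taken from any real identity provider).
SAMPLE_ISSUER = "https://idp.example.com/tenant1"
SAMPLE_DOC = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": "https://idp.example.com/tenant1/authorize",
    "token_endpoint": "https://idp.example.com/tenant1/token",
    "introspection_endpoint": "https://idp.example.com/tenant1/introspect",
    "code_challenge_methods_supported": ["S256"],
}

if __name__ == "__main__":
    print(metadata_url(SAMPLE_ISSUER))
    print(validate_metadata(SAMPLE_ISSUER, SAMPLE_DOC))
```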