MCP Server Registration
Model Context Protocol (MCP) is a protocol for LLM hosts (Claude, ChatGPT, Cursor) to discover and call external tools. Registering an MCP server in LumoAuth turns it into an OAuth 2.0 protected resource with its own discovery endpoints, supported scopes, and a Resource URI that becomes the aud claim on issued tokens.
Registration via Organization Portal
Register an MCP server through the Organization Portal UI:
1. Navigate to Developer > MCP Servers in the Organization Portal.
2. Click Register MCP Server.
3. Fill in the required fields:
   - Server Name: a human-readable name.
   - Resource URI: the canonical URI of your MCP server (per RFC 8707).
4. Configure optional settings (transport type, scopes, token lifetime).
5. Click Register.
Server configuration
Required fields
| Field | Description | Example |
|---|---|---|
| name | Human-readable server name | Code Search MCP Server |
| resource_uri | Canonical URI per RFC 8707. Used as the resource parameter in OAuth requests and for token audience binding. | https://mcp.example.com |
Optional fields
| Field | Default | Description |
|---|---|---|
| endpoint_url | null | The URL where the MCP server accepts connections |
| transport | http_streamable | Transport type: http_streamable, http_sse, or stdio |
| auth_mode | oauth | oauth for protected servers, none for public |
| scopes_supported | [] | Space-separated OAuth scopes this server supports |
| token_lifetime | 3600 | Access token lifetime in seconds (60–86400) |
| allowed_client_ids | [] | Restrict access to specific OAuth client IDs. Empty = all organization clients. |
Resource URI requirements
The Resource URI is the canonical identifier of your MCP server per RFC 8707 (Resource Indicators for OAuth 2.0), which lets a client ask for a token bound to a specific resource. It is used as:
- The `resource` parameter in authorization and token requests.
- The audience (`aud`) claim in JWT access tokens.
- The `resource` field in Protected Resource Metadata (RFC 9728).
Resource URIs must be valid HTTPS URLs that uniquely identify your MCP server.
Example: https://api.example.com/mcp/weather-service
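The following is an added example, not LumoAuth code: it checks a candidate Resource URI against the requirements stated above (an absolute HTTPS URL) and RFC 8707 section 2 (no fragment component), and returns a normalized form so that two spellings of the same server compare equal when the value is later matched against a token's `aud`. The userinfo rejection is an assumption added here, not a rule from this page.

```python
from urllib.parse import urlsplit, urlunsplit

# Added example (not LumoAuth code): validates and normalizes a Resource URI.
# Rules from this page: absolute https URL with a host.
# Rule from RFC 8707 section 2: no fragment component.
# Assumption added here: no userinfo (credentials do not belong in an identifier).


def validate_resource_uri(uri: str) -> str:
    """Return the normalized Resource URI, or raise ValueError with the reason."""
    parts = urlsplit(uri)
    if parts.scheme.lower() != "https":
        raise ValueError("resource URI must be an absolute https URL")
    if not parts.hostname:
        raise ValueError("resource URI must include a host")
    if "#" in uri:
        # RFC 8707: a resource indicator MUST NOT include a fragment component.
        raise ValueError("resource URI must not contain a fragment")
    if parts.username is not None or parts.password is not None:
        # Assumption: credentials never belong in a resource identifier.
        raise ValueError("resource URI must not contain userinfo")

    # Normalize: lowercase host, drop an explicit default port, keep path/query.
    host = parts.hostname.lower()
    if ":" in host:  # IPv6 literal: restore the brackets urlsplit strips
        host = f"[{host}]"
    if parts.port is not None and parts.port != 443:
        host = f"{host}:{parts.port}"
    return urlunsplit(("https", host, parts.path, parts.query, ""))


def is_valid_resource_uri(uri: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_resource_uri(uri)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in (
        "https://api.example.com/mcp/weather-service",
        "HTTPS://MCP.Example.com:443/mcp",
        "http://mcp.example.com",
        "https://mcp.example.com/#tools",
    ):
        try:
            print(candidate, "->", validate_resource_uri(candidate))
        except ValueError as exc:
            print(candidate, "-> rejected:", exc)
```

Run the normalized value through the same function on both the registration side and the token-verification side; comparing raw user-supplied strings is how `https://MCP.example.com:443` and `https://mcp.example.com` end up treated as different audiences.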
List MCP servers
Returns all active MCP servers for the organization. Requires Bearer token authentication.
```bash
curl -X GET https://app.lumoauth.dev/orgs/acme-corp/api/v1/mcp/servers \
  -H "Authorization: Bearer <ACCESS_TOKEN>"
```

```json
{
  "servers": [
    {
      "id": 1,
      "server_id": "mcp_a1b2c3d4e5f6a1b2c3d4e5f6",
      "name": "Code Search MCP Server",
      "description": "Provides code search and analysis tools",
      "resource_uri": "https://mcp.example.com",
      "endpoint_url": "https://mcp.example.com/mcp",
      "transport": "http_streamable",
      "auth_mode": "oauth",
      "status": "active",
      "scopes_supported": ["mcp:read", "mcp:write"],
      "require_pkce": true,
      "require_resource_param": true,
      "token_lifetime": 3600,
      "created_at": "2026-02-10T12:00:00+00:00"
    }
  ]
}
```
Get MCP server details
```
GET /orgs/{orgId}/api/v1/mcp/servers/{serverId}
```
Returns detailed information about a specific MCP server, including discovery URLs and example headers.
```json
{
  "id": 1,
  "server_id": "mcp_a1b2c3d4e5f6a1b2c3d4e5f6",
  "name": "Code Search MCP Server",
  "resource_uri": "https://mcp.example.com",
  "transport": "http_streamable",
  "auth_mode": "oauth",
  "status": "active",
  "scopes_supported": ["mcp:read", "mcp:write"],
  "discovery": {
    "authorization_server_metadata": "https://app.lumoauth.dev/orgs/acme-corp/api/v1/.well-known/oauth-authorization-server",
    "protected_resource_metadata": "https://app.lumoauth.dev/orgs/acme-corp/api/v1/.well-known/oauth-protected-resource/mcp/mcp_a1b2c3d4",
    "www_authenticate_example": "Bearer resource_metadata=\"https://...\", scope=\"mcp:read mcp:write\""
  }
}
```
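The `www_authenticate_example` value above is what an MCP server sends in its `WWW-Authenticate` header on a 401 so that a client can locate the Protected Resource Metadata. As an added example (not LumoAuth code or an MCP SDK routine), the parser below reads that Bearer challenge and extracts the `resource_metadata` URL and requested scopes; the sample header it is tested with is constructed from the `protected_resource_metadata` URL shown on this page. Refusing a non-HTTPS metadata URL is an assumption made here.

```python
import re

# Added example (not LumoAuth code): parse the Bearer challenge from WWW-Authenticate
# and derive the discovery step an MCP client performs next.

# One auth-param: name=token or name="quoted string" (backslash escapes allowed),
# followed by a comma or the end of the header value.
_AUTH_PARAM = re.compile(
    r'\s*([A-Za-z0-9_\-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s",]+))\s*(?:,|$)'
)


def parse_bearer_challenge(header: str) -> dict[str, str]:
    """Return the auth-params of a 'Bearer ...' challenge as a dict (names lowercased)."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError(f"unsupported challenge scheme: {scheme!r}")
    params: dict[str, str] = {}
    pos = 0
    while pos < len(rest):
        match = _AUTH_PARAM.match(rest, pos)
        if match is None:
            raise ValueError(f"malformed auth-param near offset {pos}")
        name = match.group(1).lower()
        quoted, token = match.group(2), match.group(3)
        # Undo backslash quoting inside a quoted-string.
        value = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else token
        if name in params:
            raise ValueError(f"duplicate auth-param {name!r}")
        params[name] = value
        pos = match.end()
    return params


def discovery_from_challenge(header: str) -> dict:
    """What the client should do next: which metadata URL to fetch and which scopes to ask for."""
    params = parse_bearer_challenge(header)
    url = params.get("resource_metadata")
    if not url:
        raise ValueError("challenge carries no resource_metadata URL")
    if not url.lower().startswith("https://"):
        # Assumption: metadata is only ever fetched over TLS.
        raise ValueError("resource_metadata must be an https URL")
    return {
        "resource_metadata": url,
        "scopes": params.get("scope", "").split(),
        "error": params.get("error"),
    }


if __name__ == "__main__":
    # Constructed sample using the metadata URL shown in this page's response example.
    sample = (
        'Bearer resource_metadata="https://app.lumoauth.dev/orgs/acme-corp/api/v1'
        '/.well-known/oauth-protected-resource/mcp/mcp_a1b2c3d4", scope="mcp:read mcp:write"'
    )
    print(discovery_from_challenge(sample))
```

The client should fetch only the URL named in the challenge and then read the authorization server location from that metadata document, rather than guessing well-known paths on its own.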
Security settings
PKCE requirement
Per the MCP Authorization specification, MCP clients MUST implement PKCE with the S256 code challenge method. LumoAuth enforces this for all OAuth-protected MCP servers by default.
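As an added example (not LumoAuth's or the MCP SDK's code), the following shows both halves of the S256 requirement: the client generating a `code_verifier` and its `code_challenge` as RFC 7636 defines them, and the authorization server recomputing the challenge at the token endpoint and comparing it in constant time. The `plain` method is refused outright, which is what "MUST implement PKCE with S256" amounts to on the server side.

```python
import base64
import hashlib
import hmac
import secrets
import string

# Added example (not LumoAuth code): PKCE S256 per RFC 7636, client and server halves.

# Unreserved characters permitted in a code_verifier (RFC 7636 section 4.1).
_VERIFIER_ALPHABET = frozenset(string.ascii_letters + string.digits + "-._~")


def _b64url_nopad(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(length: int = 64) -> str:
    """Client side: a random verifier of 43..128 unreserved characters."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier length must be 43..128")
    # token_urlsafe(96) yields 128 chars from [A-Za-z0-9_-], a subset of the allowed set.
    return secrets.token_urlsafe(96)[:length]


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier))), no padding."""
    return _b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_code_challenge(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Server side, at the token endpoint: recompute from the presented verifier and compare.

    stored_challenge / stored_method are what the authorization request carried;
    presented_verifier is what the token request now supplies.
    """
    if stored_method != "S256":
        return False  # 'plain' is not acceptable for MCP clients
    if not 43 <= len(presented_verifier) <= 128:
        return False
    if not set(presented_verifier) <= _VERIFIER_ALPHABET:
        return False
    return hmac.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


if __name__ == "__main__":
    verifier = generate_code_verifier()
    challenge = code_challenge_s256(verifier)
    print("code_challenge_method=S256 code_challenge=" + challenge)
    print("token endpoint accepts:", verify_code_challenge(challenge, "S256", verifier))
```

The pair in the test below is the worked vector from RFC 7636 Appendix B, which is a convenient fixture for confirming that an implementation's base64url encoding really drops padding.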
Resource parameter (RFC 8707)
MCP clients MUST include the resource parameter in both authorization and token requests, set to the server's Resource URI. This binds the access token to the specific MCP server, preventing token misuse across different services.
Client restrictions
By default, all OAuth clients within an organization can request tokens for any MCP server. You can restrict access by setting Allowed Client IDs — only listed clients will be permitted to obtain tokens for the server.
Related
- MCP Authorization Flow — end-to-end OAuth 2.1 flow
- Protected Resource Metadata — discovery document details