Update authentication documentation for MCP servers with external API credentials #71

@aarora79

Issue Description

The authentication documentation needs to be updated to cover the scenario where MCP servers need to connect to internal or external APIs that require their own security credentials (such as API keys).

Required Updates

1. Secrets Manager Integration

Document how MCP servers can use the secrets manager to obtain API credentials:

  • MCP servers can communicate with a secrets manager
  • Use client ID to identify the user or agent
  • Client ID serves as a key to retrieve the appropriate API key from the secrets manager
  • Reference implementation: servers/fininfo/server.py (connects to Polygon API)

2. Client Identity Management

Explain the two identity scenarios:

  • User-based identity: Client ID identifies the user using the agent
  • Agent-based identity: Agent has its own identity with dedicated client ID

3. Security Perimeter Clarification

Update sequence diagrams and documentation to clarify:

  • "External MCP servers" refers to servers within the enterprise perimeter, not public servers
  • Agents cannot connect to truly external MCP servers through the MCP gateway for security reasons
  • This prevents creating security holes by accessing unauthorized external services
  • True external MCP server connectivity will be addressed separately

Files to Update

Documentation Files

  • docs/auth.md - Primary authentication documentation
  • docs/FAQ.md - Frequently asked questions about authentication
  • docs/cognito.md - Cognito-specific authentication details
  • docs/registry-auth-architecture.md - Authentication architecture overview
  • docs/registry-auth-detailed.md - Detailed authentication implementation
  • docs/dynamic-tool-discovery.md - Tool discovery authentication aspects

Mermaid Diagrams to Review and Update

The following files contain Mermaid diagrams that may need updates to reflect the secrets manager integration and security perimeter clarification:

docs/auth.md (2 diagrams):

  • Authentication flow diagram
  • Sequence diagram for auth process

docs/cognito.md (2 diagrams):

  • Cognito authentication sequence diagrams

docs/registry-auth-architecture.md (7 diagrams):

  • Architecture overview diagrams
  • Authentication flow sequences
  • Component relationship diagrams

docs/registry-auth-detailed.md (14 diagrams):

  • Detailed authentication flows
  • Security boundary diagrams
  • Token exchange sequences
  • Authorization workflows

docs/dynamic-tool-discovery.md (1 diagram):

  • Tool discovery authentication flow

docs/FAQ.md (1 diagram):

  • Authorization flow diagram

Reference Implementation

See servers/fininfo/server.py for an example of how the secrets manager integration works with external APIs (Polygon API in this case).

Security Considerations

  • All diagrams showing "external" MCP servers should clarify these are within enterprise perimeter
  • Authentication flows should show secrets manager integration points
  • Client identity management should be clearly illustrated in relevant diagrams
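An added sketch of the lookup described under "Secrets Manager Integration" and "Client Identity Management" (not the code in servers/fininfo/server.py and not the project's own): a verified client ID, whether it names a user or an agent, is validated and used as the key for that client's API key. The `InMemorySecrets` backend, the `mcp/fininfo/` secret prefix, the client-ID format and all sample values are assumptions constructed for illustration.

```python
import re
import time

# Assumed client-ID format; tighten to whatever the identity provider issues.
CLIENT_ID_RE = re.compile(r"^[A-Za-z0-9_-]{8,64}$")


class SecretNotFound(Exception):
    """Raised when no credential is provisioned for a client ID."""


class InMemorySecrets:
    """Constructed stand-in for a secrets manager client (hypothetical)."""

    def __init__(self, entries):
        self._entries = dict(entries)
        self.reads = 0  # counts backend round trips, to show caching

    def get(self, name):
        self.reads += 1
        if name not in self._entries:
            raise SecretNotFound(name)
        return self._entries[name]


class ApiKeyResolver:
    """Maps a verified client ID to that client's own upstream API key."""

    def __init__(self, backend, prefix="mcp/fininfo/", ttl=300, clock=time.monotonic):
        self._backend, self._prefix, self._ttl, self._clock = backend, prefix, ttl, clock
        self._cache = {}

    def resolve(self, client_id):
        # Reject anything that could alter the secret path (e.g. "../").
        if not isinstance(client_id, str) or not CLIENT_ID_RE.fullmatch(client_id):
            raise ValueError("malformed client ID")
        hit = self._cache.get(client_id)
        if hit and hit[1] > self._clock():
            return hit[0]
        # Fail closed: no shared or default key when the lookup misses.
        key = self._backend.get(self._prefix + client_id)
        self._cache[client_id] = (key, self._clock() + self._ttl)
        return key


# Constructed sample data: one user identity and one agent identity.
SAMPLE = InMemorySecrets({
    "mcp/fininfo/user-4f2a91c07b": "constructed-key-for-user",
    "mcp/fininfo/agent-trader-01": "constructed-key-for-agent",
})
```

The client ID passed to `resolve` is assumed to come from an already validated token, never from a tool argument the caller controls.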

Labels: documentation, security
