Skip to main content
This document covers how to register MCP servers and how to pass authentication data in A2A message DataParts so MCP tools can be registered.

MCP server registration

Each MCP server record includes an authorizationType field that controls how the Agent API authenticates when registering tools and calling that server. DataParts provide credentials at runtime but do not change the configured authorization type.

authorizationType = none

Meaning: MCP server is callable without authentication. Behavior: No Authorization header or OAuth flow is used. Auth DataParts for this server are ignored. Registration example: 
{
  "name": "medical-calculator",
  "transportType": "streamable_http",
  "authorizationType": "none",
  "url": "http://mcp-server-medical-calculator.agents:80/mcp"
}

authorizationType = inherit

Meaning: Reuse the incoming Agent API bearer token. Behavior: Uses the token from the request Authorization header. The API request must include a valid bearer token or the request fails with missing_inherited_token. DataPart override: If a token DataPart is supplied for this server name, that token is used instead of the inherited token. Registration example: 
{
  "name": "medical-coding",
  "transportType": "streamable_http",
  "authorizationType": "inherit",
  "url": "http://mcp-server-medical-coding.agents/mcp"
}

authorizationType = bearer

Meaning: MCP server expects a bearer token. Behavior: Uses the token from a matching DataPart (type=token). If the token is missing or invalid, the MCP server typically returns 401 and the task becomes auth-required. Registration example: 
{
  "name": "medical-coding",
  "transportType": "streamable_http",
  "authorizationType": "bearer",
  "url": "http://mcp-server-medical-coding.agents/mcp"
}

authorizationType = oauth2.0

Meaning: MCP server expects OAuth client credentials. Behavior: Uses client_id and client_secret from a matching DataPart (type=credentials) and performs a client_credentials flow. Supported for streamable_http transport only; sse is not supported. Registration example: 
{
  "name": "medical-coding",
  "transportType": "streamable_http",
  "authorizationType": "oauth2.0",
  "url": "http://mcp-server-medical-coding.agents/mcp"
}

Authorization via message DataParts

Authentication is supplied as an A2A DataPart with kind: "data" and the auth payload under data. The following fields are used:
  • type: token or credentials (case-insensitive)
  • mcp_name: MCP server name as registered (case-sensitive, trimmed)
  • token: required when type=token
  • client_id and client_secret: required when type=credentials

Token example (for authorizationType=bearer or inherit override)

{
  "kind": "data",
  "data": {
    "type": "token",
    "mcp_name": "crm-mcp",
    "token": "eyJhbGciOi..."
  }
}

Credentials example (for authorizationType=oauth2.0)

{
  "kind": "data",
  "data": {
    "type": "credentials",
    "mcp_name": "crm-mcp",
    "client_id": "abc",
    "client_secret": "def"
  }
}

Processing rules and errors

  • type is normalized to lowercase; only token and credentials are extracted
  • DataParts do not change the MCP server authorizationType—make sure the DataPart type matches the server configuration
  • Unknown or invalid auth DataParts are left in the message as normal parts
  • mcp_name must be unique per message; duplicates return mcp_auth_duplicate_name
  • Missing fields return:
    • mcp_auth_missing_name
    • mcp_auth_missing_token
    • mcp_auth_missing_credentials
  • If mcp_name does not match any configured server, the DataPart is ignored

When DataParts are used

  • MCP tools are registered when a new thread is created (the first message). Include auth DataParts on that first message
  • Later messages on the same thread do not re-register tools, so auth DataParts will be ignored for MCP registration
  • In the API flow, extracted auth DataParts are removed from the message before it is stored or sent to reasoning
For more information about the A2A protocol and DataParts, see A2A Protocol.
For general information about MCP, see MCP Protocol.
Please contact us if you need more information about the Corti Agentic Framework.