> ## Documentation Index
> Fetch the complete documentation index at: https://docs.corti.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# MCP Authentication

> Learn how to authenticate MCP server calls in the Agentic Framework

This document covers how to register MCP servers and how to pass authentication data in A2A message DataParts so MCP tools can be registered.

## MCP server registration

Each MCP server record includes an `authorizationType` field that controls how the Agent API authenticates when registering tools and calling that server. DataParts provide credentials at runtime but do not change the configured authorization type.

### authorizationType = none

**Meaning**: MCP server is callable without authentication.

**Behavior**: No Authorization header or OAuth flow is used. Auth DataParts for this server are ignored.

**Registration example:**

```json theme={null}
{
  "name": "medical-calculator",
  "transportType": "streamable_http",
  "authorizationType": "none",
  "url": "http://mcp-server-medical-calculator.agents:80/mcp"
}
```

### authorizationType = inherit

**Meaning**: Reuse the incoming Agent API bearer token.

**Behavior**: Uses the token from the request `Authorization` header. The API request must include a valid bearer token or the request fails with `missing_inherited_token`.

**DataPart override**: If a token DataPart is supplied for this server name, that token is used instead of the inherited token.

**Registration example:**

```json theme={null}
{
  "name": "medical-coding",
  "transportType": "streamable_http",
  "authorizationType": "inherit",
  "url": "http://mcp-server-medical-coding.agents/mcp"
}
```

### authorizationType = bearer

**Meaning**: MCP server expects a bearer token.

**Behavior**: Uses the token from a matching DataPart (type=token). If the token is missing or invalid, the MCP server typically returns 401 and the task becomes `auth-required`.

**Registration example:**

```json theme={null}
{
  "name": "medical-coding",
  "transportType": "streamable_http",
  "authorizationType": "bearer",
  "url": "http://mcp-server-medical-coding.agents/mcp"
}
```

### authorizationType = oauth2.0

**Meaning**: MCP server expects OAuth client credentials.

**Behavior**: Uses `client_id` and `client_secret` from a matching DataPart (type=credentials) and performs a client\_credentials flow. Supported for `streamable_http` transport only; `sse` is not supported.

**Registration example:**

```json theme={null}
{
  "name": "medical-coding",
  "transportType": "streamable_http",
  "authorizationType": "oauth2.0",
  "url": "http://mcp-server-medical-coding.agents/mcp"
}
```

## Authorization via message DataParts

Authentication is supplied as an A2A DataPart with `kind: "data"` and the auth payload under `data`. The following fields are used:

* `type`: `token` or `credentials` (case-insensitive)
* `mcp_name`: MCP server name as registered (case-sensitive, trimmed)
* `token`: required when `type=token`
* `client_id` and `client_secret`: required when `type=credentials`

### Token example (for authorizationType=bearer or inherit override)

```json theme={null}
{
  "kind": "data",
  "data": {
    "type": "token",
    "mcp_name": "crm-mcp",
    "token": "eyJhbGciOi..."
  }
}
```

### Credentials example (for authorizationType=oauth2.0)

```json theme={null}
{
  "kind": "data",
  "data": {
    "type": "credentials",
    "mcp_name": "crm-mcp",
    "client_id": "abc",
    "client_secret": "def"
  }
}
```

## Processing rules and errors

* `type` is normalized to lowercase; only `token` and `credentials` are extracted
* DataParts do not change the MCP server `authorizationType`—make sure the DataPart type matches the server configuration
* Unknown or invalid auth DataParts are left in the message as normal parts
* `mcp_name` must be unique per message; duplicates return `mcp_auth_duplicate_name`
* Missing fields return:
  * `mcp_auth_missing_name`
  * `mcp_auth_missing_token`
  * `mcp_auth_missing_credentials`
* If `mcp_name` does not match any configured server, the DataPart is ignored

## When DataParts are used

* MCP tools are registered when a new thread is created (the first message). Include auth DataParts on that first message
* Later messages on the same thread do not re-register tools, so auth DataParts will be ignored for MCP registration
* In the API flow, extracted auth DataParts are removed from the message before it is stored or sent to reasoning

<Tip>
  For more information about the A2A protocol and DataParts, see [A2A Protocol](/agentic/a2a-protocol).
</Tip>

<Tip>
  For general information about MCP, see [MCP Protocol](/agentic/mcp-protocol).
</Tip>

<Note>Please [contact us](https://help.corti.app/) if you need more information about the Corti Agentic Framework.</Note>