
Zero-Touch OAuth for MCP

blog.modelcontextprotocol.io|237 points|95 comments|by niyikiza|Jun 18, 2026

Enterprise-Managed Authorization: Zero-Touch OAuth for MCP

The Enterprise-Managed Authorization (EMA) extension for the Model Context Protocol has officially reached stable status. This update allows organizations to centrally orchestrate MCP server permissions via their identity provider (IdP), ensuring that users are automatically connected to necessary servers upon their initial login—completely eliminating the need for repetitive, per-app OAuth flows.

Published: June 18, 2026 | Reading Time: ≈ 5 min | Author: Paul Carleton (Core Maintainer)

The Friction of Per-User Auth

Historically, the MCP authorization framework was built around user-scoped access and interactive authentication. While this is ideal for consumers, it creates a "bottleneck" in corporate settings.

Manual per-server authorization is simply not scalable for the enterprise. The primary pain points include:

  • Onboarding Fatigue: Every single employee must manually authorize every single server.
  • Governance Gaps: Security teams lack a central audit trail; access is fragmented across individual user choices.
  • Identity Blur: Without a corporate mandate, users often accidentally link personal accounts to professional tools.

In mathematical terms, the friction of onboarding can be viewed as:

$$\text{Total Friction} = \sum_{i=1}^{n} (\text{Auth Process}_i \times \text{User Effort})$$

where $n$ is the number of MCP servers.

Because there was no universal standard for shared auth states, many companies resorted to brittle, custom-coded workarounds.


The Solution: Inherited Authorization

EMA transforms the organization's IdP into the primary authority for MCP access. Instead of the user deciding what to connect, administrators define the policy once, and users inherit those permissions.

How it Works (The Technical Flow)

The process replaces the interactive consent screen with a non-interactive token exchange:

  1. SSO Login: The user authenticates with the MCP host.
  2. Assertion: The client receives an Identity Assertion JWT Authorization Grant (known as an ID-JAG) from the IdP.
  3. Exchange: The client presents this ID-JAG to the MCP server's authorization server and receives an access token specific to that server.
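As an added example (not code from the MCP project or from this post), the exchange in step 3 seen from the server side: a constructed IdP mints an ID-JAG and the MCP server's authorization server validates it before issuing an access token, so a grant minted for another server, an expired or replayed grant, or an unregistered client is refused. The claim names (typ oauth-id-jag, iss, sub, aud, client_id, jti, exp) follow the ID-JAG draft as I understand it, and the issuer URL, client registry and HS256 shared key are assumptions chosen to keep the example dependency-free.

```python
import base64, hashlib, hmac, json

# Constructed demo key shared by the IdP and the MCP server's authorization server.
# A real deployment verifies against the IdP's published asymmetric keys (JWKS);
# HS256 is used here only to keep the example dependency-free.
IDP_KEY = b"demo-idp-signing-key"
IDP_ISSUER = "https://idp.example.com"       # assumed IdP issuer URL
THIS_AS = "https://mcp-auth.example.com"     # assumed identity of this auth server
REGISTERED_CLIENTS = {"mcp-host-client"}     # assumed client_id registry

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_id_jag(sub, aud, client_id, scope, jti, now, ttl=300):
    """IdP side: issue an ID-JAG (claim names follow the ID-JAG draft)."""
    header = {"alg": "HS256", "typ": "oauth-id-jag"}
    claims = {"iss": IDP_ISSUER, "sub": sub, "aud": aud, "client_id": client_id,
              "scope": scope, "jti": jti, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    return body + "." + _b64(hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest())

def exchange_id_jag(token, seen_jtis, now):
    """Auth-server side: validate the grant, then return (ok, access_token_or_reason)."""
    try:
        h, c, s = token.split(".")
        header, claims = json.loads(_unb64(h)), json.loads(_unb64(c))
    except ValueError:
        return False, "malformed"
    expected = hmac.new(IDP_KEY, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s)):
        return False, "bad_signature"
    if header.get("typ") != "oauth-id-jag":     # an ordinary ID token is not a grant
        return False, "wrong_typ"
    if claims.get("iss") != IDP_ISSUER:
        return False, "untrusted_issuer"
    if claims.get("aud") != THIS_AS:            # minted for some other server's AS
        return False, "audience_mismatch"
    if claims.get("client_id") not in REGISTERED_CLIENTS:
        return False, "unknown_client"
    if now >= claims.get("exp", 0):
        return False, "expired"
    if claims.get("jti") in seen_jtis:          # grants are single-use
        return False, "replay"
    seen_jtis.add(claims["jti"])
    # Short-lived access token bound to the asserted user and scope (demo derivation).
    token_src = f"{claims['sub']}|{claims['scope']}|{now}".encode()
    return True, _b64(hashlib.sha256(token_src).digest())
```

The audience check is the one that matters most here: without it, a grant issued for one MCP server's authorization server could be redeemed at another.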

Key Advantages

Feature            Standard MCP Auth             Enterprise-Managed Auth (EMA)
User Experience    Manual, repetitive prompts    Zero-touch on first login
Control Plane      User-centric                  Admin-centric (via IdP)
Auditability       Fragmented / none             Centralized in IdP console
Account Security   Personal/work mix possible    Strict corporate identity enforcement

"By embedding the Cross App Access protocol into MCP... we turn identity into a centralized governance plane and give security teams strict compliance control." — Aaron Parecki, Director of Identity Standards, Okta


The Ecosystem: Early Adopters

The stabilization of EMA is the result of a tripartite collaboration between identity providers, clients, and server developers.

[Figure: EMA Ecosystem Diagram]

🛠️ Implementation Matrix

Role               Entity      Implementation Detail
Identity Provider  Okta        Utilizes Cross App Access (XAA) for provisioning.
Clients            Anthropic   Integrated into the shared layer for Claude, Claude Code, and Cowork.
                   VS Code     Native EMA support within the IDE.
Servers            Various     Asana, Atlassian, Canva, Figma, Granola, Linear, Supabase.

Note: Slack and other major platforms are currently adding support.

Industry Perspectives

"The Figma MCP brings the power of code and canvas together... XAA makes it easier for enterprises to scale their MCP deployments securely without slowing teams down." — Devdatta Akhawe, VP of Engineering, Figma

"Logging in once and automatically having all your MCP connectors automatically set up is pretty magical." — Tom Moor, Head of Engineering, Linear


Call to Action

We are actively seeking more partners to integrate this standard to eliminate "authorization fatigue."

Developer Checklist:

  • Review the EMA extension specification.
  • Evaluate ID-JAG implementation for your server.
  • Test XAA integration if you are an identity platform.
  • Provide feedback to the core maintainers.

For more details, please refer to the Enterprise-Managed Authorization requirements documentation in the official MCP repository.