The Access tab replaces the Access token tab. You can use this tab to manage how users and clients authenticate with an MCP server.
You can select Celigo as the built-in identity provider, or configure an external provider. You can also use API tokens for non-interactive access. API tokens are available regardless of the identity provider you select.
- You must have an admin role in the Celigo account.
- If you use an external identity provider, you need the Issuer URL and Audience from that provider.
- You can optionally provide a Client ID and Client Secret, but they are required only when Introspection is selected as the token validation method.
- Get your MCP client installed (Cursor or Claude).
Celigo MCP servers offer two OAuth-based identity provider modes alongside API token authentication. You can enable both OAuth and API tokens simultaneously on a single server.
- Authentication
  - Celigo (default): Uses Celigo login credentials; if SSO is active, users are automatically routed to your provider. This is the recommended option because it requires zero configuration, supports transparent SSO (Google Workspace, Okta, Azure AD, and any SAML/OIDC provider), enables per-user access management directly in Celigo, and is required for upcoming per-user connection features. New MCP servers using Celigo authentication are ready to accept OAuth connections immediately with no additional setup required.
  - External: Authenticates via third-party providers (for example, Auth0, Okta) with permissions managed through the IdP. Use this option only if your organization has a specific requirement to authenticate MCP connections through a dedicated external IdP that is separate from your Celigo SSO configuration. Note that when External is selected, the Users section is hidden (access is managed at the IdP level), per-user usage visibility is limited, and upcoming per-user connection features will not be available.
    Tip: If your organization requires SSO, you do not need the External option for that. Celigo authentication already supports SSO: when a user signs in with their Celigo credentials and your account has SSO configured, they are automatically redirected to your SSO provider. If you are unsure which option to choose, use Celigo.
- API Token: Uses a fixed bearer token for authentication, bypassing interactive login screens. This is best for automation, service accounts, or legacy clients lacking OAuth support.
By default, all new MCP servers use Celigo. Perform the following steps to switch providers:
Important: When an external identity provider is selected, the Access tab no longer displays the Users list, as your IdP manages all access permissions. Furthermore, individual per-user logins (such as Gmail or Salesforce) are not supported when using external IdPs.
Select an identity provider
- Go to AI studio → MCP servers and select the server.
- Open the Access tab. On the left, the Authentication tab is selected by default.
- You can configure either of the following authentication types under Identity provider:
  - Celigo: Includes the Users section, which provides user details in the following columns:
    Note: If no users have been added yet, the Users section displays, "No users assigned to this MCP server."
    - Name: Displays the user name.
    - Email: Displays the user email ID.
    - Actions: Provides an option to delete a user.
    Complete the following steps to add an existing user:
    Note: If you’re an account owner or admin, you can invite new users and manage users with different roles and permissions to your account in the Users tab.
    - Click + Add users.
    - Use the Select users drop-down list to select users.
    - Click Save & close.
    - The selected users are displayed under the Users section.
  - External: Previously, you entered external IdP settings separately on each MCP server. Now, you configure an external IdP once at the account level and reference it from any MCP server.
    - If you have previously created a user, use the External provider drop-down to select an existing IdP.
      Or
    - Click Create external provider to add a new one and enter the required details:
      - Name: Name your external provider.
      - Issuer URL: The expected token issuer (iss). Copy this from a real access token issued by your IdP.
      - Audience: The expected token audience (aud). The MCP server accepts tokens only if their audience matches this value.
      - Token validation: Select how an MCP server validates access tokens.
        - JWKS (JSON web key set): Validates JWT access tokens locally using the issuer’s JWKS. Requires JWT access tokens.
        - Introspection: Validates tokens by calling the issuer’s introspection endpoint. Use this for opaque tokens or revocation-sensitive setups. Requires Client ID (required) and Client Secret (optional).
      - Client ID and Client secret (Introspection only): Credentials used by an MCP server to authenticate to the issuer’s introspection endpoint. Store these securely and rotate them if exposed.
      - Permissions: Select the permissions this MCP server requires.
        - mcp:read: Allows read-only / non-destructive MCP operations.
        - mcp:write: Allows operations that may change data or state.
        Important: The token must include the required scopes (commonly in a scope or scp claim, depending on IdP). If a token is valid but missing required scopes, access will be denied.
    - Click Save & close. The newly created external provider name is displayed in the External provider field. You have options to Edit or Delete the selected provider.
- Click Save & close.
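A pre-flight check for the Issuer URL, Audience and Permissions settings described above, as an added example (it is not Celigo's validation code). It decodes a JWT payload without verifying the signature and assumes `iss` is compared as an exact string; the `example.com` values and the sample token are constructed.

```python
import base64
import json

def decode_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT; opaque tokens need Introspection, not JWKS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_scopes(claims):
    """Collect scopes from 'scope' or 'scp' (space-delimited string or list)."""
    found = set()
    for key in ("scope", "scp"):
        value = claims.get(key, [])
        found.update(value.split() if isinstance(value, str) else value)
    return found

def preflight(token, issuer, audience, required_scopes):
    """List mismatches between a token and the external provider settings."""
    claims = decode_claims(token)
    problems = []
    if claims.get("iss") != issuer:  # assumption: exact match, trailing slash included
        problems.append(f"iss {claims.get('iss')!r} != Issuer URL {issuer!r}")
    aud = claims.get("aud", [])
    if audience not in ([aud] if isinstance(aud, str) else aud):
        problems.append(f"aud {aud!r} does not contain Audience {audience!r}")
    missing = set(required_scopes) - token_scopes(claims)
    if missing:
        problems.append(f"missing scopes: {sorted(missing)}")
    return problems

def make_sample_token(claims):
    """Build a constructed, unsigned JWT-shaped string (demo input only)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"

# Constructed sample: issuer with a trailing slash, read-only scope in 'scp'.
SAMPLE = make_sample_token({"iss": "https://idp.example.com/",
                            "aud": ["https://mcp.example.com"],
                            "scp": ["mcp:read"]})

if __name__ == "__main__":
    for line in preflight(SAMPLE, "https://idp.example.com",
                          "https://mcp.example.com", ["mcp:read", "mcp:write"]):
        print("MISMATCH:", line)
```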
If you configure an external identity provider, be aware of the following compatibility limitations:
- Auth0: Supported when the Resource Parameter Compatibility Profile is enabled.
- Microsoft Entra ID: Currently unsupported for MCP OAuth because it does not support the resource parameter in authorization requests.
- Google Identity: Currently unsupported as an external IdP for MCP OAuth because Google Identity may reject the MCP server's requested scopes, resulting in an `invalid_scope` error.
  Tip: If your organization uses Google for SSO, select Celigo as the identity provider. Celigo authentication supports Google SSO and automatically routes users through your Google Workspace sign-in.
- In the Access tab, if you don’t have any existing tokens, click Create token. If you have previously created a token, click + Create token in the upper right side of the page.
  Important: If you have created API tokens under the previous Access tokens tab, they continue to work and appear in the following locations:
  - Home page → AI studio → MCP Servers → [server] → Access tab → API token
  - Home page → Resources → API tokens
- In the General section, enter the required details.
  - Name your API token, for example, Get a token.
  - Describe your API token (optional).
  - Select the required time to auto purge a token: Never, 1 hour, 4 hours, 1 day, 4 days, 10 days, or 30 days.
- Click Save.
Maintaining an API token after it's been created is very straightforward. The Access section lists all the API tokens you've created, including:
- Name: Displays the name you gave your API token.
- Status: Displays the current API token status (Active or inactive).
- Auto purge: Displays the time selected for the API token to auto purge.
- Last updated: Displays the last updated date and time.
- Token: Displays the token. To copy it, click Show token and select the copy button.
- Actions: You can perform the following actions for each token:
  - Edit token
  - Revoke API token
  - Generate new token