
Written by: Wenxin Du, Software Engineer @ Google (Linkedin)
When connecting AI agents to enterprise databases, security is the greatest challenge. As agents graduate from sandbox environments into production, they inherit the strict data governance policies of the organization. Ensuring that an agent acts with the exact permissions of the end-user usually forces developers to build bespoke verification layers to intercept requests and inspect tokens.
The latest update to MCP Toolbox introduces generic Model Context Protocol (MCP) authorization support. This feature allows you to gate an entire MCP server or individual database tools behind standard OAuth2 Identity Providers without altering your agentic application logic.
By processing token verification at the configuration layer, Toolbox acts as an automated security perimeter. It validates incoming OAuth2 tokens against external authorization servers, ensuring that your agents strictly maintain the user’s chain of custody.
How It Works
The Toolbox server intercepts the Authorization header on each client request to its MCP endpoint. After extracting the OAuth2 token from the header, Toolbox verifies its signature, checks the audience, and confirms that the required scopes are present. If the token is valid, the request proceeds; otherwise, Toolbox returns “401 Unauthorized” when token verification fails or “403 Forbidden” when required scopes are missing.
Step-by-Step Configuration
Setting up centralized authorization involves defining an identity provider in your configuration file and applying it to your tools.
Step 1: Configure the Identity Provider
You can configure Toolbox to validate tokens from your choice of identity provider. Below are configuration examples for both Google and Okta.
Option A: Setting Up Google OIDC Authorization (ID Token)
When the client connects using Google’s OIDC-compliant ID token, Toolbox validates the token locally. Add the following to your authServices section:
kind: authServices
name: google-mcp-auth
type: generic
audience: ${YOUR_TOKEN_AUDIENCE}
authorizationServer: https://oauth2.googleapis.com/tokeninfo
mcpEnabled: true
scopesRequired:
- openid
- profile
The audience parameter must match the OAuth 2.0 Client ID generated in your Google Cloud Console. Setting mcpEnabled: true requires a valid Google token before tools can be listed or executed.
Option B: Setting Up Google Opaque Access Token Authorization
Alternatively, you can use a Google OAuth access token. Because these access tokens are opaque, Toolbox needs to validate them against Google’s Token Info endpoint:
kind: authServices
name: google-auth
type: generic
audience: ${YOUR_TOKEN_AUDIENCE}
authorizationServer: https://accounts.google.com
introspectionEndpoint: https://www.googleapis.com/oauth2/v3/tokeninfo
introspectionMethod: GET
introspectionParamName: access_token
mcpEnabled: true
Option C: Setting Up Okta Authorization
For architectures relying on other authorization servers like Okta, you can route token verification through an Okta Custom Authorization Server using this configuration:
kind: authServices
name: okta-auth
type: generic
audience: ${YOUR_TOKEN_AUDIENCE}
authorizationServer: https://your-subdomain.okta.com/oauth2/default
mcpEnabled: true
scopesRequired:
- openid
- profile
Toolbox automatically discovers the authorization and token introspection endpoints from the configured `authorizationServer` URL. If the authorization server does not use a standard introspection endpoint, you can configure the introspection endpoint manually, as in the Option B example above.
Step 2: Enforce Fine-Grained Tool-Level Scopes
Once your authorization service is active, you can also choose to enforce granular tool-level authorization. By adding the scopesRequired block directly to an individual tool configuration, Toolbox ensures the client’s token contains the specific permissions needed for that exact action.
kind: tool
name: update_flight_status
type: postgres-sql
source: my-pg-instance
statement: |
  UPDATE flights SET status = $1 WHERE flight_number = $2
description: Update flight status
authRequired:
- okta-auth
scopesRequired:
- execute:sql
- write:flights
If an agent attempts to execute a tool without the correct privileges, Toolbox safely rejects the request with a structured HTTP “403 Forbidden” response and a challenge identifying the missing permissions.
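The 401-versus-403 decision described under How It Works and in Step 2, as an added Python example that is not Toolbox's own code. The audience value, the token table standing in for signature verification or introspection, and the RFC 6750 style challenge strings are assumptions made for illustration.

```python
import time

# Constructed policy mirroring the page's okta-auth service and tool config.
AUDIENCE = "api://toolbox-demo"  # placeholder for ${YOUR_TOKEN_AUDIENCE}
SERVER_SCOPES = {"openid", "profile"}
TOOL_SCOPES = {"update_flight_status": {"execute:sql", "write:flights"}}

# Constructed claims, keyed by token; stands in for signature verification
# or an introspection call that returns None for an unknown token.
TOKENS = {
    "tok-writer": {"aud": AUDIENCE, "exp": "2000",
                   "scope": "openid profile execute:sql write:flights"},
    "tok-reader": {"aud": AUDIENCE, "exp": "2000", "scope": "openid profile"},
    "tok-other-aud": {"aud": "api://another-service", "exp": "2000",
                      "scope": "openid profile execute:sql write:flights"},
    "tok-expired": {"aud": AUDIENCE, "exp": "500", "scope": "openid profile"},
}


def bearer_token(headers):
    """Return the token from 'Authorization: Bearer <token>', else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    token = token.strip()
    return token if scheme.lower() == "bearer" and token else None


def authorize(headers, tool=None, now=None, lookup=TOKENS.get):
    """Return (status, WWW-Authenticate challenge or None) for one request."""
    now = time.time() if now is None else now
    token = bearer_token(headers)
    if token is None:
        return 401, "Bearer"  # no credentials presented
    claims = lookup(token)
    if claims is None:
        return 401, 'Bearer error="invalid_token"'
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    # A token minted for another audience or already expired is rejected
    # before scopes are even considered: 401, not 403.
    if AUDIENCE not in audiences or float(claims.get("exp", 0)) <= now:
        return 401, 'Bearer error="invalid_token"'
    granted = set(claims.get("scope", "").split())
    required = SERVER_SCOPES | TOOL_SCOPES.get(tool, set())
    if not required <= granted:
        # RFC 6750 section 3.1: scope names what the resource requires.
        needed = " ".join(sorted(required))
        return 403, f'Bearer error="insufficient_scope", scope="{needed}"'
    return 200, None
```

The `tok-other-aud` case is the one to watch when testing a deployment: it carries every required scope, yet must still fail with 401 because it was issued for a different audience.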
Conclusion
With native MCP authorization support, Toolbox eliminates the need to build custom security frameworks for your AI applications. It allows you to enforce zero-trust security standards across your enterprise data tools while keeping your focus on building more capable, context-aware agents.
For more information on setting up token verification patterns, check out our Authentication Documentation. For more information on secure integrations with platforms like Looker, see Seamless AI-to-Data Integration: Using MCP Toolbox and PRM for Looker OAuth.
Securing AI agents with MCP Authorization was originally published in Google Cloud – Community on Medium.
Source Credit: https://medium.com/google-cloud/securing-ai-agents-with-mcp-authorization-5cd8a552c45b?source=rss----e52cf94d98af---4
