MCP Authentication

The MCP endpoint supports multiple authentication modes:

| Mode | Behavior |
| --- | --- |
| ROSTER_MCP_AUTH_MODE=api_key | Requires Authorization: Bearer rst_.... |
| ROSTER_MCP_AUTH_MODE=oauth | Requires a Roster OAuth access token with the /mcp audience. |
| ROSTER_MCP_AUTH_MODE=api_key,oauth | Accepts either API keys or OAuth bearer tokens. |

Production deployments must configure an authenticated MCP mode before exposing the endpoint.

API-key MCP access uses bearer auth:

Authorization: Bearer rst_...
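The following is an added example, not Roster's own code, of how an MCP endpoint could dispatch on ROSTER_MCP_AUTH_MODE and validate the bearer credential it receives: the mode value is parsed strictly (an empty or unknown value fails closed rather than exposing an unauthenticated endpoint), the token is classified as an API key or an OAuth token, and an OAuth token is accepted only if its audience matches the configured MCP resource URI. The function names, the rule that API keys are recognised by their rst_ prefix, the claim layout, and the sample resource URI are assumptions; only the mode names, the rst_ prefix, the /mcp audience and the ROSTER_MCP_RESOURCE_URI variable come from the page.

```python
"""Illustrative MCP bearer-credential handling (added example, not Roster code)."""

API_KEY_PREFIX = "rst_"          # from the page: API keys look like rst_...
VALID_MODES = {"api_key", "oauth"}

# Constructed sample value for ROSTER_MCP_RESOURCE_URI; the real value is deployment-specific.
SAMPLE_RESOURCE_URI = "https://roster.example/mcp"


def parse_auth_mode(value):
    """Parse ROSTER_MCP_AUTH_MODE ("api_key", "oauth" or "api_key,oauth") into a set.

    An unset, empty or unknown value raises instead of falling open: the page
    requires production deployments to pick an authenticated mode explicitly.
    """
    modes = {m.strip() for m in (value or "").split(",") if m.strip()}
    unknown = modes - VALID_MODES
    if not modes or unknown:
        raise ValueError(
            "ROSTER_MCP_AUTH_MODE must be api_key, oauth or api_key,oauth; got %r" % (value,)
        )
    return modes


def classify_bearer(authorization, modes):
    """Return ("api_key", token) or ("oauth", token) for an accepted credential.

    Returns None when the header is missing or malformed, or when the token's
    kind is not enabled by `modes`. Classifying by the rst_ prefix is an assumption.
    """
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return None
    if token.startswith(API_KEY_PREFIX):
        return ("api_key", token) if "api_key" in modes else None
    return ("oauth", token) if "oauth" in modes else None


def oauth_token_accepted(claims, resource_uri, now):
    """Audience and expiry check on claims whose signature has ALREADY been verified.

    Assumed claim layout: `aud` is a string or list of strings, `exp` is a Unix time.
    A token minted for another resource (e.g. the web API) must not be replayed
    against /mcp, so the audience must contain the MCP resource URI exactly.
    """
    aud = claims.get("aud")
    audiences = {aud} if isinstance(aud, str) else set(aud or [])
    if resource_uri not in audiences:
        return False
    return int(claims.get("exp", 0)) > now


if __name__ == "__main__":
    modes = parse_auth_mode("api_key,oauth")
    print(classify_bearer("Bearer rst_example", modes))
    print(classify_bearer("Bearer header.payload.signature", modes))
    # Constructed claims: right audience, not yet expired.
    print(oauth_token_accepted({"aud": [SAMPLE_RESOURCE_URI], "exp": 2_000_000_000},
                               SAMPLE_RESOURCE_URI, 1_700_000_000))
```

In a real deployment the OAuth branch must verify the token signature and issuer before `oauth_token_accepted` is consulted; the audience check alone does not authenticate the token, it only stops a valid token issued for a different Roster resource from being accepted by the MCP endpoint.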

Individual tools enforce mcp:* scopes.

API-key scopes never grant more than the owning identity already has. Effective access is the key's scopes intersected with the owning identity's role, project access, and resource rules. The legacy all scope expands only the scope dimension: it stands for every mcp:* scope, and adds no role, project, or resource access the owner lacks.

OAuth mode requires a Roster OAuth access token with the /mcp audience. OAuth consent offers write and label scopes only to admins and effective project owners. Ordinary members can approve mcp:resolve and non-label read scopes, with tool execution still enforcing resource authorization. Relevant environment variables:

ROSTER_MCP_RESOURCE_URI
ROSTER_OAUTH_DYNAMIC_CLIENT_REGISTRATION
ROSTER_OAUTH_UNAUTHENTICATED_CLIENT_REGISTRATION
ROSTER_OAUTH_ACCESS_TOKEN_TTL_SECONDS
ROSTER_OAUTH_REFRESH_TOKEN_TTL_SECONDS
ROSTER_OAUTH_AUTH_CODE_TTL_SECONDS
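The two authorization rules above, the API-key intersection (key scopes, owner role, project access, resource rules; `all` widens only the scope set) and the OAuth consent restriction (write and label scopes only for admins and effective project owners, mcp:resolve and non-label read scopes for ordinary members), as one small authorizer. This is an added example, not Roster's own code: the Identity fields, the role names, the resource-rule shape, and every scope name other than mcp:resolve are assumptions chosen to make the rules concrete.

```python
"""Illustrative MCP scope/ownership authorizer (added example, not Roster code)."""
from dataclasses import dataclass, field

# Assumed scope catalogue; only mcp:resolve is named on the page.
SCOPES = frozenset({"mcp:resolve", "mcp:read", "mcp:read:labels",
                    "mcp:write", "mcp:write:labels"})
WRITE_SCOPES = frozenset(s for s in SCOPES if s.startswith("mcp:write"))
LABEL_SCOPES = frozenset(s for s in SCOPES if s.endswith(":labels"))
# Scopes that OAuth consent offers only to admins and effective project owners.
PRIVILEGED_CONSENT_SCOPES = WRITE_SCOPES | LABEL_SCOPES


@dataclass(frozen=True)
class Identity:
    role: str                                   # assumed: "admin", "member" or "viewer"
    projects: frozenset                         # projects the identity may access
    owned_projects: frozenset = frozenset()     # projects it effectively owns
    # assumed shape: resource id -> tuple of allowed actions
    resource_rules: dict = field(default_factory=dict)


def role_permits(role, scope):
    """Assumed role policy: a viewer can never use a write scope, whatever the key says."""
    return role in ("admin", "member") or scope not in WRITE_SCOPES


def expand_key_scopes(key_scopes):
    """Legacy `all` expands to every mcp:* scope and nothing else; unknown scopes are dropped."""
    if "all" in key_scopes:
        return SCOPES
    return frozenset(key_scopes) & SCOPES


def api_key_allows(key_scopes, owner, scope, project, resource, action):
    """Effective access = key scopes ∩ owner role ∩ owner project access ∩ resource rules.

    Every dimension must pass; a key with `all` still cannot reach a project or
    resource its owner cannot reach.
    """
    if scope not in expand_key_scopes(key_scopes):
        return False
    if not role_permits(owner.role, scope):
        return False
    if project not in owner.projects:
        return False
    return action in owner.resource_rules.get(resource, ())


def consentable_scopes(identity, requested, project):
    """Scopes the OAuth consent screen may let `identity` grant for `project`.

    Admins and effective project owners may grant everything in the catalogue;
    ordinary members may grant only mcp:resolve and non-label read scopes.
    Requested scopes outside the catalogue are silently refused.
    """
    privileged = identity.role == "admin" or project in identity.owned_projects
    return frozenset(
        s for s in requested
        if s in SCOPES and (privileged or s not in PRIVILEGED_CONSENT_SCOPES)
    )


if __name__ == "__main__":
    # Constructed identities for demonstration.
    member = Identity("member", frozenset({"alpha"}),
                      resource_rules={"doc-1": ("read", "write")})
    print(api_key_allows(("all",), member, "mcp:write", "alpha", "doc-1", "write"))  # True
    print(api_key_allows(("all",), member, "mcp:write", "beta", "doc-1", "write"))   # False
    print(sorted(consentable_scopes(member, SCOPES, "alpha")))
```

Note that `consentable_scopes` only decides what a user may grant at consent time; as the page states, the tool call itself still runs the resource authorization check, which `api_key_allows` models for the API-key path.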