OAuth Integration for MCP
The Model Context Protocol (beta) is currently offered in preview mode and provides only basic functional validation. Full qualification and expanded capabilities will be introduced in future releases.
The MCP Specification requires an MCP server to operate as an OAuth Resource Server, including support for exposing protected resource metadata.
Previously, ThingWorx supported OAuth in Resource Provider mode but did not expose protected resource metadata, which limited interoperability with MCP-compliant clients.
The ThingWorx Platform now fully supports OAuth protected resource metadata in Resource Provider mode. This ensures compliance with the MCP standard and enables seamless integration with external OAuth-enabled MCP clients.
New configuration options have been added to the Resource Server settings, including:
Authorization server definitions
Global resource names
URI-specific resource naming
These enhancements improve security, standardization, and interoperability across MCP-enabled ecosystems.
Configuration
The following example shows how to configure the ThingWorx Platform to operate as an OAuth Resource Server that complies with MCP requirements. This configuration enables the platform to define authorization servers, global resource identifiers, and URI-level access scopes.
These settings are now available in the resourceServerSettings.json file. For more information, see Configure ThingWorx as a Resource Provider.
{
  "ResourceServerSettings": {
    "authorizationServers": "<Authorization_Server>",
    "globalResourceName": "ThingWorx Resource"
  },
  "uriScopes": [
    {
      "uri": "/Things/**",
      "scopes": "THINGS",
      "method": "GET",
      "resourceName": "<Resource_Name>"
    }
  ]
}
Configuration Details
| Setting | Description |
| --- | --- |
| authorizationServers | Specifies the OAuth authorization servers that the ThingWorx Resource Server will trust for token validation. |
| globalResourceName | Defines the default protected resource namespace applied across the platform when no URI-specific resource name is defined. |
| uri | Present under uriScopes. The API path or wildcard pattern to protect. |
| scopes | Present under uriScopes. The OAuth scope required to access this endpoint. |
| method | Present under uriScopes. The HTTP method (for example, GET, POST). |
| resourceName | Present under uriScopes. Optional override to associate a specific protected resource with this URI. |
This configuration enables ThingWorx to expose protected resource metadata, making it compatible with OAuth-based MCP clients and improving secure interoperability across the ecosystem.
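The following is an added example, not PTC or ThingWorx code: it lints a settings object in the layout shown above and resolves which scope and resource name a request needs, applying the globalResourceName fallback described in the table. The `**` matching semantics, first-match rule order, and the `/Example/**` and `/Broken/**` entries are assumptions made for illustration.

```python
import json
import re

# Constructed sample in the page's layout; "/Example/**", "EXAMPLE" and the
# angle-bracket values are placeholders, not ThingWorx defaults.
SAMPLE = json.loads("""{
  "ResourceServerSettings": {
    "authorizationServers": "<Authorization_Server>",
    "globalResourceName": "ThingWorx Resource"
  },
  "uriScopes": [
    {"uri": "/Things/**", "scopes": "THINGS", "method": "GET"},
    {"uri": "/Example/**", "scopes": "EXAMPLE", "method": "POST",
     "resourceName": "<Resource_Name>"},
    {"uri": "/Broken/**", "method": "GET"}
  ]
}""")

def lint(cfg):
    """List settings that would leave a rule without a scope or resource name."""
    rs = cfg.get("ResourceServerSettings", {})
    problems = [] if rs.get("authorizationServers") else ["authorizationServers is empty"]
    for i, rule in enumerate(cfg.get("uriScopes", [])):
        problems += [f"uriScopes[{i}] is missing '{k}'"
                     for k in ("uri", "scopes", "method") if not rule.get(k)]
        if not (rule.get("resourceName") or rs.get("globalResourceName")):
            problems.append(f"uriScopes[{i}] has no resourceName and no global default")
    return problems

def _matches(pattern, path):
    # Assumption: "**" spans any number of path segments, "*" stays within one.
    rx = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.fullmatch(rx, path) is not None

def required_access(cfg, method, path):
    """Return (scope, resource name) of the first matching rule, or None.
    First-match order is an assumption of this example."""
    default = cfg.get("ResourceServerSettings", {}).get("globalResourceName")
    for rule in cfg.get("uriScopes", []):
        if (rule.get("method", "").upper() == method.upper()
                and _matches(rule.get("uri", ""), path)):
            return rule.get("scopes"), rule.get("resourceName") or default
    return None

def token_satisfies(cfg, method, path, token_scope):
    """token_scope: the space-delimited 'scope' value carried by the access token."""
    need = required_access(cfg, method, path)
    return need is not None and need[0] in token_scope.split()
```

Running `lint` against a settings file before deployment surfaces rules that name a URI but no scope, which would otherwise only show up as unexpected authorization results at request time.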