# MCP verified user access

Verified user access works through runtime user connections and allows each end user to authenticate with their own credentials when accessing a tool that requires authentication. This ensures that workflows perform actions using the identity and permissions of the individual user.

MCP verified user access only supports Recipe functions that use OAuth2 connections.

MCP verified user access requires end-users to authenticate with Workato Identity.

MCP VERIFIED USER ACCESS DOESN'T SUPPORT TOKEN AUTHENTICATION

MCP tools that require verified user access with a token-based access method are unsupported. Token authentication is supported for MCP tools that don't use verified user access.

# MCP verified user access authentication workflow

The MCP client checks the user's connection when a request is made. The MCP server verifies if the user has a valid connection to the required external service. The user receives an authentication prompt if the connection is missing or expired. The prompt includes a Workato-generated connection setup link that redirects the user to the Workato Identity login page.

The user is redirected to the external application that requires authorization after authentication with Workato Identity. Users must complete authorization sequentially if multiple applications require authorization. For example, the user is redirected to an OAuth consent screen for the external service, such as Jira or Salesforce. The system stores the connections linked to user's profile after the user authorizes access.

flowchart TD A([Request is made]) --> B(MCP client checks the user's connection) B -->C(Valid connection?) C -->|Yes| D(User authenticates with Workato Identity and accesses the external service) C -->|No| E(Authentication prompt for a missing or expired connection) E -->F(User authenticates with Workato Identity) F -->G(User is redirected to an OAuth consent screen for the external service) G -->H(System stores the connections linked to user profile after the authorizes access) classDef default fill:#67eadd,stroke:#b3e0e1,stroke-width:2px,color:#000; classDef WorkatoBlue fill:#5159f6,stroke:#5159f6,stroke-width:2px,color:#fff; class E,F,G,H WorkatoBlue

# Limitations

MCP verified user access has limitations for supported recipe type, connection type, and authentication methods. Refer to the following sections for more information.

# MCP verified user access and recipe functions

Recipe functions in MCP verified user access tools have specific configuration requirements due to inherited authentication from parent recipes. You must manually select the identity for recipe functions with verified user access enabled.

MCP verified user access tools only support Recipe functions that use OAuth2 connections.

Example scenarios

Recipe function identity requirements

Scenario: An MCP tool with verified user access enabled uses a recipe function.
Impact: The tool becomes unavailable and displays a warning icon.
Resolution: You must select the identity to enable the tool.

Recipe function connection type mismatch

Scenario: Recipe functions use the parent recipe connection, which allows any connection type. MCP server tools with verified user access only support OAuth2 connections.
Impact: Tools may be configured with incompatible authentication types, leading to failures.
Resolution: You must verify that parent recipe connections use OAuth2 before you use MCP verified user access with recipe functions.

# MCP verified user access authentication type

MCP verified user access tools don't support developer API tokens. Token authentication is supported for MCP tools that don't use verified user access. Your MCP tools display a warning and become unavailable if you switch from verified user access to developer token authentication.

# MCP verified user access and API recipes

API recipes aren't compatible with MCP verified user access tools. Your MCP tools fail and display an error if you attempt to use an API recipe with MCP verified user access.

# More resources

Last updated: 11/13/2025, 6:09:58 PM