MCP access methods
MCP supports API token–based access and OAuth2 integration with Workato Identity. Token–based access is set by default, but you can switch between access methods.
SWITCHING ACCESS METHODS
The MCP token is revoked when you switch from token-based access to Workato Identity. This means that users can no longer access the MCP server with token access.
OAuth2 access with Workato Identity
OAuth2 access enables you to govern access within Workato Identity. This enables you to control MCP server access centrally without managing separate tokens. OAuth2 access with Workato Identity provides your end users with a single sign-on (SSO) experience across MCP clients like Claude, Cursor, and Windsurf.
MCP and Workato Identity integration ensures enterprise-grade security centralized access management.
ALL USERS MUST BE ADDED TO A USER GROUP
You must have admin privileges to grant end-user access to an MCP server. Workspace owners, admins, and collaborators don't automatically have MCP server access. You must add all users, including yourself, to an end-user group to grant MCP access. Refer to Workato Identity end-user groups for more information.
Use Workato Identity for access
Complete the following steps to use Workato Identity for MCP server access:
Sign in to your Workato account.
Go to AI Hub and click the MCP Servers tab. A list of your existing MCP servers displays.
Click the MCP server card where you plan to use Workato Identity.
Click User access.
Go to the Access Method section and click the switch method toggle to open the Switch User Access Method modal.
Access Method section
Click Workato Identity.
Access Method
Click Confirm.
User groups
Use Workato Identity to manage your user groups.
ALL USERS MUST BE ADDED TO A USER GROUP
You must have admin privileges to grant end-user access to an MCP server. Workspace owners, admins, and collaborators don't automatically have MCP server access. You must add all users, including yourself, to an end-user group to grant MCP access.
User group MCP server access
You can provide access to specific MCP servers after you create a user group with Workato Identity.
Complete the following steps to grant a user group access to an MCP server:
Sign in to your Workato account.
Go to AI Hub > MCP servers and select the MCP server where you plan to add a user group.
Click the User access tab.
Ensure that the access method is set to Workato Identity.
Click Add user groups.
Click Add user groups
Use the User groups drop-down menu to select the user groups you plan to provide with access to the MCP server.
API token access
API token access enables you develop and test without SSO configuration. Admins can manage tokens in the MCP server User access page. Token-based access is assigned to MCP servers by default. Tokens are generated automatically when you create a new MCP server with token-based access selected.
Use token access
Complete the following steps to use token access:
Sign in to your Workato account.
Go to AI Hub and click the MCP Servers tab. A list of your existing MCP servers displays.
Click the MCP server card where you plan to use token access.
Click User access.
Ensure that the access method is set to Token-based access.
Go to Developer MCP Token section.
Click Generate token
Click Copy to copy the generated token.
Generate and revoke a token
Your existing token is automatically revoked when you generate a new token.
Complete the following steps to generate a new token and revoke an existing token:
Sign in to your Workato account.
Go to AI Hub and click the MCP Servers tab. A list of your existing MCP local servers displays.
Click the MCP server card where you plan to generate and revoke a token.
Click User access.
Go to Developer MCP Token and click Re-generate token. The Revoke previous token? modal displays.
Click Yes, revoke & generate. This revokes the existing token and generates a new token.
MCP CLIENT IMPACT
A token becomes invalid when you revoke it. MCP clients using the token lose access to the server and stop working.
Click Yes, revoke & generate
Proxy MCP server authentication
Proxy MCP servers support API token authentication. You can provide multiple parameters in the header, for example the client ID and client secret. Refer to Create a proxy MCP server for more information.
Last updated: