Configure service account authentication
- Last Updated: February 11, 2026
- OpenEdge
- Version 13.0
The service account configuration asserts the server identity. The
security.authentication.service_account configuration defines
how the MCP server authenticates itself as a trusted entity. This is critical for
environments where requests must originate from a verified source. The service
account uses JWT tokens for authentication and supports two modes:
- Token mode: Uses a static Ed25519 public key for verification.
- OAuth mode: Uses a remote JWKS endpoint for dynamic key validation.
Service account authentication may be required for every request in production environments.
The following table lists the key properties in security.authentication.service_account:

| Property | Purpose | Typical use |
|---|---|---|
| enabled | Enable or disable service account authentication | Turn off for quick proof of concept |
| required | Reject requests without a valid SA JWT | Enable in production |
| mode | Authentication mode: "token" or "oauth" | "token" for static keys, "oauth" for JWKS or OAuth proxy |
| header | Incoming SA header name | Default is X-OEMCP-SERVICEACCOUNT |
| public_key | Ed25519 public key (PEM) | Used for local static verification when mode is "token" |
| jwks_uri | Remote JWKS endpoint | Supports key rotation when mode is "oauth" |
| issuer | Expected iss claim | Used for multi-tenant trust or external OAuth providers |
| client_id | OAuth client ID for proxy mode | Required for OAuth proxy to external providers |
| client_secret | OAuth client secret for proxy mode | Required for confidential OAuth clients |
| required_scopes | Scopes SA must always include | Provides baseline gating |
| prefix | Accepted prefix (for example, Bearer) | Normalizes headers |
| sso_mode | Enable OAuth Single Sign-On | Forces mode "oauth", header "Authorization", prefix "Bearer " |
| bearer_methods_supported | OAuth bearer methods supported | Default is ["header"]; can include ["body", "query"] |
| resource_documentation | URL to API documentation | Supports RFC 9728 metadata |
| resource_policy_uri | URL to token processing policy | Supports RFC 9728 compliance |
| revocation_endpoint | OAuth token revocation endpoint | Supports RFC 7009 |
| introspection_endpoint | OAuth token introspection endpoint | Supports RFC 7662 |
| require_metadata_on_401 | Include resource metadata in 401 responses | Default is true; adds resource_metadata in WWW-Authenticate header |
Note: If both public_key and jwks_uri are present, the server attempts static Ed25519 verification first and falls back to JWKS.
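The following pre-deployment check is an added example, not part of the OpenEdge documentation or product: it lints a service_account block against the property table and the note above. It assumes the block has already been parsed into a Python dict; the finding codes, the rule set, and the sample values (placeholder key, example hosts, scope name) are constructed for illustration.

```python
# Added example, not vendor code: lint a service_account block (parsed into a
# dict) against the property table. Finding codes and rules are assumptions.
DEFAULTS = {"header": "X-OEMCP-SERVICEACCOUNT", "bearer_methods_supported": ["header"]}

def effective(sa):
    """Apply documented defaults, then the overrides that sso_mode forces."""
    cfg = {**DEFAULTS, **sa}
    if cfg.get("sso_mode"):
        cfg.update(mode="oauth", header="Authorization", prefix="Bearer ")
    return cfg

def lint(sa):
    """Return sorted finding codes to review before production use."""
    cfg, out = effective(sa), set()
    mode = cfg.get("mode")
    if not cfg.get("enabled"):
        out.add("SA_DISABLED")                # table: off only for a quick PoC
    if not cfg.get("required"):
        out.add("SA_NOT_REQUIRED")            # requests without a valid SA JWT are not rejected
    if mode not in ("token", "oauth"):
        out.add("MODE_INVALID")
    if mode == "token" and not cfg.get("public_key"):
        out.add("TOKEN_MODE_NO_PUBLIC_KEY")   # nothing to verify against locally
    if mode == "oauth" and not cfg.get("jwks_uri"):
        out.add("OAUTH_MODE_NO_JWKS_URI")     # page: OAuth mode uses a remote JWKS endpoint
    if cfg.get("public_key") and cfg.get("jwks_uri"):
        out.add("STATIC_KEY_TRIED_FIRST")     # note: static key is checked before JWKS
    if str(cfg.get("jwks_uri", "https://")).lower().startswith("http://"):
        out.add("JWKS_URI_PLAINTEXT")         # keys fetched without TLS can be swapped in transit
    if not cfg.get("issuer"):
        out.add("ISSUER_UNSET")               # no expected iss claim configured
    if not cfg.get("required_scopes"):
        out.add("NO_BASELINE_SCOPES")
    if "query" in cfg["bearer_methods_supported"]:
        out.add("BEARER_IN_QUERY")            # RFC 6750 discourages tokens in URLs
    return sorted(out)

# Constructed sample inputs (placeholder key, hypothetical hosts and scope).
POC = {"enabled": False, "mode": "token"}
SSO = {"enabled": True, "required": True, "sso_mode": True, "mode": "token",
       "public_key": "<ED25519-PEM-PLACEHOLDER>",
       "jwks_uri": "http://idp.example.test/jwks.json",
       "bearer_methods_supported": ["header", "query"]}
PROD = {"enabled": True, "required": True, "mode": "oauth",
        "jwks_uri": "https://idp.example.test/jwks.json",
        "issuer": "https://idp.example.test/", "required_scopes": ["mcp.invoke"]}

if __name__ == "__main__":
    for name, sa in (("poc", POC), ("sso", SSO), ("prod", PROD)):
        print(name, effective(sa).get("mode"), lint(sa))
```

The SSO sample shows why the effective values matter: the file says mode "token", but sso_mode forces "oauth", so the static key is still tried first while the JWKS path becomes the configured mode.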