Authentication flow comparison
- Last Updated: December 23, 2025
- OpenEdge
- Version 12.8
- Documentation
The following table compares authentication patterns and their characteristics:
| Authentication pattern | SA token header | Downstream token | OAuth endpoints | Token exchange | Use case |
|---|---|---|---|---|---|
| Token (Static Keys) | X-OEMCP-SERVICEACCOUNT | User token | None | Optional | Simple pre-shared keys |
| OAuth (Separate Tokens) | X-OEMCP-SERVICEACCOUNT | User token | None | Optional | Enterprise with separate SA or user tokens |
| OAuth SSO (External Flow) | Authorization | Same OAuth token | None | Optional | Client handles OAuth with IdP directly |
| OAuth SSO (MCP Flow) | Authorization | Same OAuth token | /authorize, /token, /callback | Optional | MCP server simplifies OAuth integration |
| Token Exchange (PAS for OpenEdge) | X-OEMCP-SERVICEACCOUNT | Exchanged PAS for OpenEdge token | None | Required | PAS for OpenEdge backend integration with scoped tokens |
Note: In all patterns, the MCP server performs both authentication validation and MCP tool execution. The difference is where the OAuth2 authorization flow occurs: externally or through the OAuth endpoints of the MCP server.