When using the token mode (mode: "token"), the MCP server validates service account tokens using a static public key. These tokens are JSON Web Tokens (JWTs) signed with a private key and verified against the configured public key. This mode does not involve dynamic key discovery or OAuth flows, making it suitable for simple deployments where pre-shared keys are acceptable. However, you must ensure that the public key is securely stored and rotated periodically.

The following example shows how to configure token mode for service account authentication:
{
  "service_account": {
    "enabled": true,
    "mode": "token",
    "header": "X-OEMCP-SERVICEACCOUNT",
    "prefix": "Bearer ",
    "public_key": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----",
    "issuer": "my-auth-server"
  }
}
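
The checks this configuration implies for a verifier, as an added Node.js example that is not the MCP server's own code: it reads the configured header, strips the prefix, verifies the signature against the static public key with a pinned algorithm, and compares the issuer. Assumptions: RS256 signing and a required exp claim (the page names neither); validateServiceAccount, mint and asHeaders are hypothetical names, and the key pair and tokens are constructed locally.

```javascript
const { generateKeyPairSync, createPublicKey, sign, verify } = require('node:crypto');

const b64u = (x) => Buffer.from(x).toString('base64url');
const fromB64u = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Validate a service account token against the static "service_account" config.
// Assumptions (not stated on the page): RS256 signatures and a mandatory "exp" claim.
function validateServiceAccount(headers, cfg, nowSec = Math.floor(Date.now() / 1000)) {
  // Node lowercases incoming header names, so look the header up in lowercase.
  const raw = headers[cfg.header.toLowerCase()];
  if (typeof raw !== 'string' || !raw.startsWith(cfg.prefix)) return { ok: false, reason: 'missing_or_bad_prefix' };
  const parts = raw.slice(cfg.prefix.length).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, claims;
  try { header = fromB64u(parts[0]); claims = fromB64u(parts[1]); }
  catch { return { ok: false, reason: 'malformed' }; }
  if (!header || !claims) return { ok: false, reason: 'malformed' };
  // Pin the algorithm: the token's own header must never choose how it is verified.
  if (header.alg !== 'RS256') return { ok: false, reason: 'alg_not_allowed' };
  const sigOk = verify('sha256', Buffer.from(parts[0] + '.' + parts[1]),
    createPublicKey(cfg.public_key), Buffer.from(parts[2], 'base64url'));
  if (!sigOk) return { ok: false, reason: 'bad_signature' };
  if (claims.iss !== cfg.issuer) return { ok: false, reason: 'wrong_issuer' };
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) return { ok: false, reason: 'expired' };
  return { ok: true, claims };
}

// Constructed demo material: a throwaway key pair and tokens minted locally.
const { publicKey, privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 });
const cfg = {
  header: 'X-OEMCP-SERVICEACCOUNT', prefix: 'Bearer ', issuer: 'my-auth-server',
  public_key: publicKey.export({ type: 'spki', format: 'pem' }),
};
function mint(claims, key = privateKey, alg = 'RS256') {
  const input = b64u(JSON.stringify({ alg, typ: 'JWT' })) + '.' + b64u(JSON.stringify(claims));
  const sig = alg === 'none' ? '' : sign('sha256', Buffer.from(input), key).toString('base64url');
  return input + '.' + sig;
}
const asHeaders = (token, prefix = cfg.prefix) => ({ 'x-oemcp-serviceaccount': prefix + token });

const now = Math.floor(Date.now() / 1000);
console.log(validateServiceAccount(asHeaders(mint({ iss: 'my-auth-server', sub: 'svc-a', exp: now + 300 })), cfg));
console.log(validateServiceAccount(asHeaders(mint({ iss: 'someone-else', sub: 'svc-a', exp: now + 300 })), cfg));
```

Because the key is static, rotation means replacing public_key in the configuration; tokens signed with the retired private key then fail with bad_signature.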