The MCP server enforces dual authentication to secure tool invocation. Dual authentication validates both the service account and the end-user identity before processing requests. This approach ensures that automation scripts and human users are authenticated independently, reducing the risk of unauthorized access.

The components of dual authentication are:
| Authentication type | Description |
| --- | --- |
| Service account | Uses a JWT (Ed25519 static key or JWKS). Provides the server or automation identity. For detailed information, see Configure service account authentication. |
| User authentication | Uses an opaque token or a structured JWT. Conveys the end-user context. For detailed information, see Configure user authentication. |
For more information on service account and user credential authentication, see Authentication.

For more detailed information on service account authentication modes, the PKCE flow for secure OAuth2 authentication, and the token exchange pattern for PAS for OpenEdge integration, see Configure service account authentication.

Header normalization flow

Header normalization flow is the process of sanitizing and restructuring HTTP headers during authentication so that only the necessary credentials are forwarded downstream. This prevents sensitive information, such as service account tokens, from leaking to other services.

These steps outline how headers are normalized during authentication:
  1. Extract the service account header (for example, X-OEMCP-SERVICEACCOUNT) and verify the JWT if enabled.
  2. Extract the user credential. If token exchange is enabled, exchange the credential for a new token.
  3. Compose the outbound Authorization header using only the user token. The service account header is never forwarded downstream.
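The three steps above as a single normalization function, written here as an added example rather than the MCP server's own code. The header name X-OEMCP-SERVICEACCOUNT comes from the page; the inbound user credential header (Authorization), the verifier and exchanger callables, and the AuthError type are assumptions.

```python
from typing import Callable, Mapping, Optional

SERVICE_ACCOUNT_HEADER = "X-OEMCP-SERVICEACCOUNT"  # name from the page
USER_HEADER = "Authorization"  # assumed: inbound user credential arrives here


class AuthError(Exception):
    """Raised when a required credential is missing or fails verification."""


def normalize_headers(
    inbound: Mapping[str, str],
    verify_service_jwt: Optional[Callable[[str], bool]] = None,
    exchange_token: Optional[Callable[[str], str]] = None,
) -> dict:
    """Return the outbound headers for an inbound request.

    verify_service_jwt: None disables service-account JWT verification.
    exchange_token: None disables token exchange.
    """
    # Header names are case-insensitive, so look them up by lowercase key.
    lower = {k.lower(): v for k, v in inbound.items()}

    # Step 1: extract the service account header and verify the JWT if enabled.
    service_token = lower.get(SERVICE_ACCOUNT_HEADER.lower())
    if service_token is None:
        raise AuthError("missing service account header")
    if verify_service_jwt is not None and not verify_service_jwt(service_token):
        raise AuthError("service account JWT verification failed")

    # Step 2: extract the user credential (dropping a "Bearer " prefix if present)
    # and exchange it for a new token when token exchange is enabled.
    raw_user = lower.get(USER_HEADER.lower(), "")
    user_token = raw_user[7:] if raw_user.lower().startswith("bearer ") else raw_user
    if not user_token:
        raise AuthError("missing user credential")
    if exchange_token is not None:
        user_token = exchange_token(user_token)

    # Step 3: compose the outbound Authorization header from the user token only.
    # The service account header is deliberately not copied downstream.
    return {"Authorization": f"Bearer {user_token}"}


def rejects(inbound: Mapping[str, str], **kwargs) -> bool:
    """True when normalize_headers refuses the request; used for failure cases."""
    try:
        normalize_headers(inbound, **kwargs)
    except AuthError:
        return True
    return False
```

The returned dictionary is the only header set that should reach the downstream service; a request missing either credential, or carrying a service-account JWT the verifier rejects, is refused before any outbound call is made.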