IDP Compatibility
The Couchbase MCP Server acts as an OAuth 2.1 resource server, so it works with identity providers (IdPs) that can issue JWT access tokens carrying the server's scopes. Whether a given IdP fits depends mainly on how it handles scope strings.
Scope Compatibility — The General Rule
The server's built-in scopes are couchbase-mcp:read and couchbase-mcp:write.
-
Works out of the box — IdPs that let you define a scope string verbatim. The token can carry
couchbase-mcp:read,couchbase-mcp:write, or both — exactly as the server expects. -
Needs scope mapping or a different IdP — IdPs that impose their own scope format, so the issued scope won't match the built-in strings.
-
Not suitable — providers that issue opaque (non-JWT) tokens and/or fixed scope lists. They can't act as JWT resource-server authorization servers for custom scopes.
Per-Provider Support
OAuth support across popular identity providers is not consistent — the level of support varies from one IdP to the next, both in which methods they offer (M2M, non-DCR, DCR) and in details like the scope format they emit. There is no single behavior you can assume across providers, so use the table below as a reference guide when operating with an IdP and a particular method.
| Authorization server | Machine-to-Machine (client credentials) | Non-DCR (manual / pre-registered clients, user flow) | DCR (Dynamic Client Registration) |
|---|---|---|---|
| Auth0 | Yes | Yes | Yes |
| Descope | Yes | Yes | Yes |
| Stytch | Yes | Yes | Yes |
| Keycloak | Yes | Yes | Yes |
| Microsoft Entra ID | Yes | Yes | No |
| Okta | Yes | Yes | No |
| AWS Cognito | No | No | No |
| WorkOS / AuthKit | No | No | Yes |
| Google Identity | No | No | No |
| GitHub | No | No | No |
| Discord | No | No | No |