Skip to main content
Version: 1.0

IDP Compatibility

The Couchbase MCP Server acts as an OAuth 2.1 resource server, so it works with identity providers (IdPs) that can issue JWT access tokens carrying the server's scopes. Whether a given IdP fits depends mainly on how it handles scope strings.

Scope Compatibility — The General Rule

The server's built-in scopes are couchbase-mcp:read and couchbase-mcp:write.

  • Works out of the box — IdPs that let you define a scope string verbatim. The token can carry couchbase-mcp:read, couchbase-mcp:write, or both — exactly as the server expects.

  • Needs scope mapping or a different IdP — IdPs that impose their own scope format, so the issued scope won't match the built-in strings.

  • Not suitable — providers that issue opaque (non-JWT) tokens and/or fixed scope lists. They can't act as JWT resource-server authorization servers for custom scopes.

Per-Provider Support

OAuth support across popular identity providers is not consistent — the level of support varies from one IdP to the next, both in which methods they offer (M2M, non-DCR, DCR) and in details like the scope format they emit. There is no single behavior you can assume across providers, so use the table below as a reference guide when operating with an IdP and a particular method.

Authorization serverMachine-to-Machine (client credentials)Non-DCR (manual / pre-registered clients, user flow)DCR (Dynamic Client Registration)
Auth0YesYesYes
DescopeYesYesYes
StytchYesYesYes
KeycloakYesYesYes
Microsoft Entra IDYesYesNo
OktaYesYesNo
AWS CognitoNoNoNo
WorkOS / AuthKitNoNoYes
Google IdentityNoNoNo
GitHubNoNoNo
DiscordNoNoNo

See Also