Skip to main content

MCP Identity

MCP Identity lets your AI agent access user data (Gmail, Calendar, Drive, etc.) without handling OAuth credentials directly. Users connect their accounts once, and MCP Rank stores their tokens securely server-side.

Key Concepts

Server-Side Token Storage

Unlike traditional OAuth integrations where you store tokens in your database, MCP Rank handles all token storage:
  • You provide: A user_id (your user’s ID in your system)
  • We store: OAuth tokens encrypted with AWS KMS
  • You receive: An MCP Identity Token (MIT) for making requests
This means you never see or handle Google OAuth tokens directly.

MCP Identity Token (MIT)

The MIT is a short-lived JWT (1 hour) that identifies your user:
Use this token in the Authorization header when making proxy requests.

Just-In-Time (JIT) Authentication

When your agent needs to access user data:
  1. Request fails with “provider not connected”
  2. SDK automatically opens browser for OAuth
  3. User authorizes access
  4. Tokens stored server-side
  5. Request retries and succeeds

How It Works

The simplest way to use MCP Identity is with the Agent class:

Environment Detection

The SDK automatically detects your environment and handles auth appropriately:

Option 2: Low-Level Client (Manual Control)

For custom UIs or more control:

Token Lifecycle

Automatic Refresh

The SDK handles token refresh automatically. MITs expire after 1 hour, and OAuth tokens are refreshed server-side when needed.

Manual Refresh

If needed, you can manually refresh:

Revoke Access

Let users disconnect their accounts:
Users can also revoke access from the MCP Rank dashboard or their Google account settings.

Handling AuthRequiredError

When using the low-level client without auto_auth, you’ll receive an AuthRequiredError when authentication is needed:

Supported Providers

Security

  • KMS Encryption: OAuth tokens encrypted at rest using AWS KMS (HSM-backed)
  • Short-Lived MITs: Identity tokens expire in 1 hour
  • Automatic Refresh: OAuth tokens refreshed server-side, rotated regularly
  • User Control: Users can revoke access anytime from dashboard or provider settings
  • No Token Exposure: Your application never sees raw OAuth tokens