OAuth 2.0 Authentication for MCP Server
OpenMetadata’s MCP Server supports OAuth 2.0 authentication, so you can connect AI assistants such as Claude, Cursor, and VS Code using your existing OpenMetadata login, the same sign-in you use for the OpenMetadata UI. There is no need to generate, copy, or rotate Personal Access Tokens.
Why OAuth 2.0?
| | Personal Access Token (PAT) | OAuth 2.0 |
|---|---|---|
| Setup | Generate a token and paste it into the client config | Enter the server URL and sign in via the browser |
| Security | Long-lived token stored in plain-text config files | No static secret in config files; the client holds only short-lived tokens that it refreshes itself |
| Expiration | Manual rotation when the token expires | Tokens refresh automatically |
| Access | A token must be generated and managed per user | Uses your existing OpenMetadata login and SSO |
OAuth 2.0 is the recommended way to connect MCP clients. PAT-based authentication remains supported for backward compatibility and environments where browser-based login is not available.
How It Works
Connecting via OAuth is simple:
- Add your OpenMetadata MCP Server URL in your AI client (e.g., https://your-openmetadata-instance.com/mcp)
- A browser window opens prompting you to sign in with your usual OpenMetadata credentials
- You’re connected, and tokens are managed automatically in the background
Your password is entered only in the browser, at OpenMetadata or your SSO provider; the MCP client never sees it. It receives an authorization code and exchanges that for tokens.
Supported Authentication Methods
The MCP Server inherits the authentication method configured for your OpenMetadata instance. Whatever SSO provider your organization uses to sign in to OpenMetadata will also be used for MCP connections.
Google SSO
Sign in with your Google Workspace account.
Azure AD SSO
Sign in with your Microsoft / Azure AD account.
Okta SSO
Sign in with your Okta account.
Auth0 SSO
Sign in with your Auth0 account.
Amazon Cognito
Sign in with Amazon Cognito.
Custom OIDC
Sign in with any OIDC-compatible provider.
SAML
Sign in with your SAML identity provider.
LDAP
Sign in with your LDAP / Active Directory credentials.
Changing Your Authentication Method
The MCP Server automatically uses the same authentication method configured for your OpenMetadata instance. To change how users authenticate:
- Navigate to Settings in your OpenMetadata instance
- Go to the SSO configuration section
- Update the authentication provider (e.g., switch from basic auth to Google SSO)
Token Management
OAuth tokens are handled entirely by your MCP client, with no manual management needed:
- Access tokens are short-lived and automatically refreshed in the background
- Sessions stay active as long as you’re using the MCP client regularly
- Re-authentication is only needed if your refresh token expires after an extended period of inactivity (30 days)
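The lifecycle described in the list above, as an added example that is not the code of OpenMetadata or of any MCP client. `FakeTokenEndpoint` is a constructed stand-in for the server's token endpoint (no network); the field names follow the standard RFC 6749 token response. The one-hour access-token lifetime, the sliding 30-day window (each refresh resets it) and refresh-token rotation on every use are assumptions; only the 30-day figure comes from the page.

```python
"""Client-side token lifecycle for an OAuth-connected MCP client.

Added example; not OpenMetadata's or any MCP client's code. Models short-lived
access tokens refreshed in the background, a 30-day refresh-token lifetime tied
to inactivity, and re-authentication only when that lapses.
"""
from typing import Optional

REFRESH_TOKEN_IDLE_LIFETIME = 30 * 24 * 3600  # 30 days, as stated on the page
ACCESS_TOKEN_LIFETIME = 3600                  # assumed; the page only says "short-lived"
REFRESH_SKEW = 60                             # refresh a minute early instead of risking a 401


class ReauthenticationRequired(Exception):
    """The refresh token has lapsed: the client must open the browser login again."""


class FakeTokenEndpoint:
    """Constructed stand-in for the token endpoint (no HTTP).

    Records when each refresh token was issued and rejects one that is unknown,
    already rotated, or older than the idle window. Rotation (assumed here) means a
    refresh token copied out of a client's storage stops working after the client's
    next refresh.
    """

    def __init__(self) -> None:
        self._issued_at: dict = {}
        self._count = 0

    def issue(self, now: float) -> dict:
        """Tokens returned right after the browser sign-in (authorization code grant)."""
        return self._mint(now)

    def refresh(self, refresh_token: str, now: float) -> Optional[dict]:
        """refresh_token grant: valid once, and only within the idle window."""
        issued_at = self._issued_at.pop(refresh_token, None)
        if issued_at is None or now - issued_at > REFRESH_TOKEN_IDLE_LIFETIME:
            return None
        return self._mint(now)

    def _mint(self, now: float) -> dict:
        n, self._count = self._count, self._count + 1
        refresh_token = f"rt-{n}"
        self._issued_at[refresh_token] = now
        return {"access_token": f"at-{n}", "token_type": "Bearer",
                "expires_in": ACCESS_TOKEN_LIFETIME, "refresh_token": refresh_token}


class TokenManager:
    """What the MCP client keeps after login; callers only ever ask for a bearer token."""

    def __init__(self, endpoint: FakeTokenEndpoint, now: float) -> None:
        self.endpoint = endpoint
        self._apply(endpoint.issue(now), now)

    def _apply(self, resp: dict, now: float) -> None:
        self.access_token = resp["access_token"]
        self.expires_at = now + resp["expires_in"]
        self.refresh_token = resp["refresh_token"]

    def bearer(self, now: float) -> str:
        """Return an access token valid at time `now`, refreshing silently if needed."""
        if now < self.expires_at - REFRESH_SKEW:
            return self.access_token          # still fresh: no round trip at all
        resp = self.endpoint.refresh(self.refresh_token, now)
        if resp is None:
            raise ReauthenticationRequired("refresh token expired after 30 days of inactivity")
        self._apply(resp, now)
        return self.access_token


def simulate_session() -> list:
    """Constructed timeline: a few requests over two hours, then a 31-day gap."""
    tm = TokenManager(FakeTokenEndpoint(), now=0)
    trace = [tm.bearer(0), tm.bearer(3000), tm.bearer(3550), tm.bearer(7200)]
    try:
        trace.append(tm.bearer(7200 + 31 * 24 * 3600))
    except ReauthenticationRequired:
        trace.append("reauth")
    return trace


def replayed_refresh_token_is_rejected() -> bool:
    """A refresh token that has already been rotated must not be accepted again."""
    ep = FakeTokenEndpoint()
    first = ep.issue(0)
    ep.refresh(first["refresh_token"], 10)                 # legitimate rotation
    return ep.refresh(first["refresh_token"], 20) is None  # replay of the old one


if __name__ == "__main__":
    print(simulate_session())  # ['at-0', 'at-0', 'at-1', 'at-2', 'reauth']
```

The trace shows the two things a practitioner cares about: a request made inside the skew window triggers a refresh before the old token actually expires, and the 31-day gap surfaces as a single `ReauthenticationRequired` rather than a string of 401s.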
Security
OpenMetadata’s MCP OAuth implementation follows industry-standard security practices:
- PKCE (Proof Key for Code Exchange): binds each authorization code to a one-time code_verifier that never leaves the client, so a code intercepted on its way back to a desktop or CLI client (whose loopback redirect cannot be kept confidential) cannot be exchanged for tokens
- Encrypted token storage: all tokens are encrypted at rest in the OpenMetadata database
- Short-lived access tokens: access tokens expire quickly, limiting exposure if one is compromised
- Automatic token refresh: clients refresh tokens in the background without user interaction
- Rate limiting: built-in protection against brute-force attempts and abuse
- No static secrets in config files: unlike PAT-based auth, OAuth does not require a long-lived credential to be pasted into a local config file; the tokens the client does hold are short-lived and refreshed automatically
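The exchange behind the How It Works steps and the PKCE bullet above, as an added example that is not OpenMetadata's implementation. `AuthorizationServer` is a constructed stand-in (no HTTP, no real sign-in) that binds each authorization code to the code_challenge it was requested with. The client_id, the loopback redirect URI and the authorize endpoint path are illustrative assumptions. It shows why a captured authorization code is worthless without the code_verifier, and that a code cannot be redeemed twice.

```python
"""PKCE (RFC 7636) on the authorization code flow, end to end.

Added example; not OpenMetadata's code. The server below is a stand-in, and the
endpoint, client_id and redirect URI are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE = "https://your-openmetadata-instance.com/oauth/authorize"  # assumed path
CLIENT_ID = "mcp-client"                                              # assumed
REDIRECT = "http://127.0.0.1:8765/callback"                           # typical loopback redirect


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def challenge_for(verifier: str) -> str:
    """S256 method: code_challenge = BASE64URL(SHA256(code_verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair() -> tuple:
    """Fresh code_verifier (43 chars from 32 random bytes) and its challenge."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, challenge_for(verifier)


def authorization_url(challenge: str, state: str) -> str:
    """The URL the client opens in the browser; only the challenge travels in it."""
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT,
              "code_challenge": challenge, "code_challenge_method": "S256", "state": state}
    return AUTHORIZE + "?" + urlencode(params)


class AuthorizationServer:
    """Stand-in for the server side of the exchange."""

    def __init__(self) -> None:
        self._pending: dict = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, url: str) -> str:
        """Browser leg: after the user signs in, issue a single-use code bound to the challenge."""
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        if q.get("code_challenge_method") != "S256" or not q.get("code_challenge"):
            raise ValueError("PKCE with S256 is required; 'plain' or no challenge is refused")
        code = b64url(secrets.token_bytes(24))
        self._pending[code] = (q["client_id"], q["redirect_uri"], q["code_challenge"])
        return code

    def token(self, code: str, client_id: str, redirect_uri: str, verifier: str) -> Optional[dict]:
        """Token leg: redeem the code once, and only with the verifier behind its challenge."""
        entry = self._pending.pop(code, None)  # pop: a second use of the same code fails
        if entry is None:
            return None
        bound_client, bound_redirect, bound_challenge = entry
        if (bound_client, bound_redirect) != (client_id, redirect_uri):
            return None
        if not hmac.compare_digest(challenge_for(verifier), bound_challenge):
            return None
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": b64url(secrets.token_bytes(32))}


def legitimate_flow(server: AuthorizationServer) -> Optional[dict]:
    """The client keeps the verifier, sends the challenge, and redeems the code with the verifier."""
    verifier, challenge = make_pkce_pair()
    code = server.authorize(authorization_url(challenge, state="s1"))
    return server.token(code, CLIENT_ID, REDIRECT, verifier)


def intercepted_code_flow(server: AuthorizationServer) -> Optional[dict]:
    """An attacker who captured the code on the loopback redirect, but not the verifier."""
    _verifier, challenge = make_pkce_pair()          # the real client's verifier stays with it
    code = server.authorize(authorization_url(challenge, state="s2"))
    attacker_guess = b64url(secrets.token_bytes(32))
    return server.token(code, CLIENT_ID, REDIRECT, attacker_guess)


def code_replay_is_rejected(server: AuthorizationServer) -> bool:
    """Even the legitimate client cannot redeem the same code twice."""
    verifier, challenge = make_pkce_pair()
    code = server.authorize(authorization_url(challenge, state="s3"))
    first = server.token(code, CLIENT_ID, REDIRECT, verifier)
    second = server.token(code, CLIENT_ID, REDIRECT, verifier)
    return first is not None and second is None
```

Two details carry the security argument: the verifier is compared with `hmac.compare_digest` rather than `==`, and the server refuses the `plain` method outright, since with `plain` the challenge is the verifier and interception of the authorization request would defeat the scheme.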
Supported MCP Clients
Set up OAuth authentication with your preferred MCP client:
Claude Desktop
Connect via Anthropic’s AI assistant.
Cursor
Connect via Cursor IDE.
VS Code
Connect via Visual Studio Code.
Claude Code
Connect via Claude Code CLI.
Goose
Connect via Block’s open-source AI agent.