io.modelcontextprotocol/enterprise-managed-authorization) enables organizations to control MCP server access centrally through their existing identity provider (IdP). Instead of each employee authorizing each MCP server individually, the organization’s IT or security team manages access policies in one place.
Specification
Full technical specification for the Enterprise-Managed Authorization extension.
What it is
In a standard MCP deployment, each user independently authorizes an MCP client to access each MCP server. For consumer applications, this user-driven model is ideal — it gives individuals control over what accesses their data. In enterprise environments, this model creates friction and security gaps:
- Employees shouldn’t need to understand the authorization details of every MCP server their organization uses
- Security teams can’t enforce consistent access policies if each user authorizes independently
- Onboarding new employees requires them to manually authorize dozens of services
- Offboarding requires revoking access across every service individually
When to use it
Use Enterprise-Managed Authorization when:
- Deploying MCP in a corporate environment where IT manages access to all business applications
- Enforcing organizational access policies — you need to ensure only authorized employees access specific MCP servers
- Centralizing access control — you want to add or revoke access to MCP servers from a single admin console
- Meeting compliance requirements — your organization needs an auditable authorization trail for all MCP server access
- Simplifying employee experience — employees should access MCP tools with their existing corporate SSO credentials, without per-service authorization flows