Merged
4 changes: 1 addition & 3 deletions docs/source/guides/auth.mdx
Expand Up @@ -4,9 +4,7 @@

The Apollo MCP server supports authorizing clients (e.g., LLMs) in accordance with [the MCP specification](https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization).

<Callout type="note">
The current implementation passes through OAuth tokens from MCP clients directly to upstream GraphQL APIs, which violates the MCP specification. See [Limitations](/apollo-mcp-server/limitations#authorization-token-passthrough) for details and security considerations.
</Callout>
The current implementation passes through OAuth tokens from MCP clients directly to upstream GraphQL APIs. You can read more about [security considerations](/apollo-mcp-server/limitations#oauth-token-passthrough) when using this feature.

Check warning on line 7 in docs/source/guides/auth.mdx (Apollo Librarian / AI Style Review, docs/source/guides/auth.mdx#L7):

The phrase "The current implementation" is impersonal. Use the product name for clarity and adopt a more reader-centric tone by using "your".

```suggestion
Apollo MCP Server passes OAuth tokens from your MCP clients directly to your upstream GraphQL APIs. Learn more about the [security considerations](/apollo-mcp-server/limitations#oauth-token-passthrough) for this feature.
```

## Implement authorization with Apollo MCP Server

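Review bot: the replacement text at line 7 of auth.mdx drops the explicit statement that passing client OAuth tokens through to upstream GraphQL APIs violates the MCP specification, and demotes the warning from a `<Callout type="note">` to an unmarked sentence. The deleted callout and the retained text in limitations.mdx both describe this as a spec violation (the specification's "MUST NOT pass through the token" requirement), so the auth guide should still say so prominently before a reader enables the feature; suggest keeping the callout with wording such as "Apollo MCP Server passes OAuth tokens from MCP clients directly to upstream GraphQL APIs, which does not comply with the MCP specification; see [security considerations](...)". Separately, the link target changed from `#authorization-token-passthrough` to `#oauth-token-passthrough`; confirm that the heading in limitations.mdx actually generates that anchor, since the limitations.mdx hunk in this commit shows no heading change.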
6 changes: 1 addition & 5 deletions docs/source/limitations.mdx
Expand Up @@ -14,13 +14,9 @@

Apollo MCP Server currently passes through OAuth tokens received from MCP clients directly to upstream GraphQL APIs.

This behavior violates the [MCP Authorization specification](https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization), which states:

> "If the MCP server makes requests to upstream APIs, it may act as an OAuth client to them. The access token used at the upstream API is a separate token, issued by the upstream authorization server. The MCP server MUST NOT pass through the token it received from the MCP client."

#### Rationale

The decision to pass through tokens stems from practical enterprise requirements that conflict with the MCP specification:
The decision to pass through tokens stems from practical enterprise requirements that may conflict with the MCP specification. For example:

Check warning on line 19 in docs/source/limitations.mdx (Apollo Librarian / AI Style Review, docs/source/limitations.mdx#L19):

The original phrasing is passive. Use the active voice for clarity. Also, use "might" instead of "may" to describe a potential occurrence.

```suggestion
Apollo passes through tokens to meet practical enterprise requirements, which might conflict with the MCP specification. For example:
```

- **Multi-user scenarios**: Enterprise GraphQL APIs often require direct user identity to perform granular access control and tenant isolation.
- **Existing enterprise patterns**: Many organizations have GraphQL APIs that depend on the original Authorization header to identify users and apply existing identity-based access controls.
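Review bot: changing "conflict" to "may conflict" at line 19 of limitations.mdx makes this paragraph inconsistent with the unchanged text a few lines above it, which states flatly that the behavior "violates the MCP Authorization specification" and quotes the MUST NOT clause. For any deployment that uses the passthrough the conflict is not conditional, so either keep "conflict" here, or, if the intent is that it depends on the deployment, state what it depends on. The added "For example:" lead-in fits the bullet list that follows.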