Alpic natively handles the authentication methods supported in MCP: API keys via HTTP headers and OAuth 2.1 with dynamic client registration (DCR). But, more importantly, for companies using IDPs that do not support DCR, we’ve built a delegation proxy to safely authenticate MCP clients on your server.

Why a DCR proxy?

Adding OAuth to MCP was a breakthrough that unlocked broad adoption. But many IdPs don’t support OAuth 2.1 and DCR, and many businesses don’t want the hassle of sorting, filtering and curating thousands of newly created OAuth clients, making these workflows hard to implement in practice.

Originally, OAuth solved the problem of apps sharing passwords between them. Instead of handing over credentials, users grant one app limited access to their data on another app or service via tokens tied to a fixed redirect URL. This worked when apps had known addresses and all destinations were pre-registered.

AI agents break this model. Your MCP server may be discovered by Claude today, a local dev agent tomorrow, and another assistant next week. Each runs at a different callback URL you can’t anticipate. 

OAuth 2.1 addressed this with Dynamic Client Registration, enabling discoverability and registration on the fly. But providers resist DCR because it removes key controls and adds complexity. Manual registration enforces terms, rate limits, and accountability, while reducing abuse and the hassle of registering thousands of clients on the fly.

We built the Alpic DCR Proxy to bridge this gap and to eliminate the complexity of DCR for MCP developers. Simply issue a single OAuth client from your IdP, and leave Alpic to  manage the creation of as many downstream clients as needed. We also enforce policy, i.e. filtering or removing malicious clients, so your IdP stays clean and manageable. 

How it works

Configure your MCP server to advertise your IdP through OAuth metadata endpoints without mentioning a registration_endpoint property. The easiest way to do this is to rely on the MCP SDK helpers. In TypeScript that looks like:

import { mcpAuthMetadataRouter } from "@modelcontextprotocol/sdk/server/auth/router.js";

//...

app.use(
  mcpAuthMetadataRouter({
    oauthMetadata: {
      authorization_endpoint: "https://my-idp.com/oauth2/authorize",
      token_endpoint: "https://my-idp.com/oauth2/token",
      response_types_supported: ["code"],
      issuer: "http://localhost:3000",
    },
    resourceServerUrl: new URL("http://localhost:3000"),
  })
);

app.listen(3000);

To activate Alpic DCR, create a single OAuth client on your IdP. This will be proxied by Alpic for every request users make to identify on your server. Choose a name that is user-friendly in case it’s displayed during the process.

The callback URL for this client is specified by Alpic when activating DCR. It can be found in your project’s Settings tab, under the option to activate Alpic DCR. Fill in the activation form with newly created OAuth client ID, secret and scopes to complete the DCR proxy setup.

Get started

For more information on using the Alpic DCR proxy, as well as how to build your MCP server to work with OAuth 2.1 and API key authentication, have a look at our docs.   

And to deploy your first MCP server in seconds, get started on app.alpic.ai today!