Skip to main content
JWT validation enables Portkey to verify tokens from your identity provider before processing MCP requests. Use with External OAuth to bring your own IdP.

When to Use

Organizations with existing identity providers (Okta, Auth0, Azure AD, Cognito) can use JWT validation. Users authenticate through the IdP, and MCP access works the same way. Flow:
  1. Users get a token from the IdP
  2. Token included in MCP requests
  3. Portkey validates the token against the IdP
  4. Valid requests proceed with user identity attached
Portkey never handles user credentials. Your IdP remains the source of truth for identity.

Validation Methods

Configure one validation method per MCP server. Each has different tradeoffs.

JWKS URI

Fetch public keys from your IdP’s JWKS endpoint. This is the standard approach for most identity providers.
Portkey fetches keys and caches them (default: 24 hours). When a key rotates, Portkey automatically refetches the JWKS if verification fails with the cached key. Best for: Most production deployments. Minimal configuration, automatic key rotation.

Inline JWKS

Embed public keys directly in the configuration. Use for self-contained deployments or environments without a JWKS endpoint.
Update keys manually when they rotate. Best for: Air-gapped environments, testing, or when IdP doesn’t expose JWKS.

Token Introspection (RFC 7662)

For opaque tokens that require real-time validation. Portkey calls your IdP’s introspection endpoint.
The introspection endpoint must return a JSON response with an active boolean field per RFC 7662. Best for: Opaque tokens, real-time revocation checking, or validating token status against the IdP on every request.

Configuration Reference

Core Options

Timing Options

Introspection Options

Claim Validation Options


Custom Token Header

By default, Portkey reads the token from the Authorization header. For a different header:
Agents then send:

Require Specific Claims

Tokens must include these claims or they’re rejected:
If a token is missing sub, email, or groups, Portkey returns:

Validate Claim Values

Check that claims have expected values:

Match Types


Header-Payload Matching

Ensure that claims in the JWT header match claims in the payload. This provides additional security for tokens that include claims in both locations.
If a specified claim exists in both the header and payload, they must have identical values. If they don’t match, the token is rejected. Use case: Some IdPs include certain claims in both the protected header and the payload. This validation ensures consistency and detects tampering.

Caching Behavior

JWKS Caching

  • Keys cached for 24 hours by default (configurable via cacheMaxAge)
  • CryptoKeys are pre-imported and cached for performance
  • If signature verification fails with a cached key, Portkey refetches the JWKS (handles key rotation)

Introspection Caching

  • Not cached by default (every request calls the introspection endpoint)
  • Enable caching with introspectCacheMaxAge (in seconds)
  • Cached results respect token expiry—expired tokens aren’t served from cache
Example with caching:
With this configuration:
  • First request: calls introspection endpoint, caches result
  • Subsequent requests (within 5 minutes): uses cached result
  • After 5 minutes: calls introspection endpoint again
Tradeoff: Shorter cache means more latency but faster revocation detection. Longer cache means better performance but slower revocation response.

Performance Optimizations

Portkey optimizes JWT validation for production workloads: Typical validation latency:
  • JWKS (cache hit): < 1ms
  • JWKS (cache miss): 50-200ms (network fetch)
  • Introspection (uncached): 50-300ms (depends on IdP)
  • Introspection (cached): < 1ms

Example: Okta Integration

Example: Auth0 Integration

Example: Azure AD Integration


Combining with Identity Forwarding

JWT validation extracts user claims from the token. Identity forwarding passes those claims to MCP servers:
Flow:
  1. User sends request with IdP token
  2. Portkey validates token, extracts claims
  3. Portkey forwards claims to MCP server
  4. MCP server uses claims for authorization/logging
See Identity Forwarding.

Error Responses


Last modified on April 2, 2026