Authorization

8 architecture patterns


Inbound MCP Protection

Protect your MCP server from external agents

Step 1 / 5

Agent presents token

Any agent (1st-party or 3rd-party) sends a request to Meridian's MCP server with a JWT Bearer token. The token was issued by Auth0 during prior authentication.

POST /mcp/tools/get_portfolio
Authorization: Bearer eyJhbGciOiJSUzI1NiIs...
Content-Type: application/json

{ "account_id": "ACC-4521" }

Scenarios

1st-party advisor reads portfolio
  Token has read:portfolio scope -- full portfolio data returned

3rd-party assistant reads balance
  Token has read:portfolio_balance -- balance returned (no holdings detail)

3rd-party assistant tries to trade
  Token missing execute:trades scope -- returns 403 insufficient_scope

Expired token from any agent
  JWT exp claim is in the past -- returns 401 token_expired
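
The enforcement decision behind the four scenarios above, as an added Python example (not Meridian's or Auth0's code). It assumes the JWT signature, issuer and audience were already verified by a JWT library, that scopes arrive in a space-delimited scope claim, and that the trade tool is named execute_trade; invalid_token is the RFC 6750 error code, and the field sets and sample data are constructed.

```python
import time

# Scope names are from the page; the execute_trade tool name, the claim layout
# (space-delimited "scope", numeric "exp") and the field sets are assumptions.
TOOL_SCOPES = {  # scopes accepted per tool, most privileged first
    "get_portfolio": ["read:portfolio", "read:portfolio_balance"],
    "execute_trade": ["execute:trades"],
}
VISIBLE_FIELDS = {  # response fields each read scope may see
    "read:portfolio": {"account_id", "balance", "holdings"},
    "read:portfolio_balance": {"account_id", "balance"},
}

def authorize(claims, tool, now=None):
    """Return (http_status, error_code, granted_scope) for pre-verified claims."""
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        return 401, "invalid_token", None      # no usable exp: fail closed
    if exp <= now:
        return 401, "token_expired", None      # expiry is checked before scopes
    scope = claims.get("scope")
    held = set(scope.split()) if isinstance(scope, str) else set()
    for wanted in TOOL_SCOPES.get(tool, []):   # unknown tool: nothing matches
        if wanted in held:
            return 200, None, wanted
    return 403, "insufficient_scope", None

def call_tool(claims, tool, record, now=None):
    """Return (status, body); a read result is cut down to the granted scope."""
    status, error, granted = authorize(claims, tool, now)
    if status != 200:
        return status, {"error": error}
    allowed = VISIBLE_FIELDS.get(granted, set())
    return 200, {k: v for k, v in record.items() if k in allowed}

# Constructed sample data for the four scenarios.
NOW = 1_700_000_000
RECORD = {"account_id": "ACC-4521", "balance": 1200.0, "holdings": [{"sym": "XYZ", "qty": 10}]}
ADVISOR = {"exp": NOW + 300, "scope": "read:portfolio"}
ASSISTANT = {"exp": NOW + 300, "scope": "read:portfolio_balance"}
EXPIRED = {"exp": NOW - 1, "scope": "read:portfolio execute:trades"}

if __name__ == "__main__":
    for who, claims, tool in [("advisor", ADVISOR, "get_portfolio"),
                              ("assistant", ASSISTANT, "get_portfolio"),
                              ("assistant", ASSISTANT, "execute_trade"),
                              ("expired", EXPIRED, "get_portfolio")]:
        print(who, tool, call_tool(claims, tool, RECORD, NOW))
```

Checking exp before scopes means an expired token is answered with 401 even when it carries every scope, so a stale credential never learns which scopes a tool requires.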