Authorization determines what a token may do.
OAuth scopes
Provide standard scopes to external IdPs:
```ts
auth: {
  type: 'remote',
  name: 'frontegg',
  baseUrl: 'https://idp.example.com',
  scopes: ['openid', 'profile', 'email']
}
```
Set consent: true to show a post‑login consent screen listing your registered tools, resources and prompts. The issued access token includes the grants the user selected on that screen.
Modes (Remote OAuth)
Use the mode field to reflect your deployment topology:
- transparent (default): your server acts as a regular confidential client.
- orchestrated: the gateway coordinates multiple apps/providers under one umbrella token (used in advanced multi‑app setups).
When splitByApp: true, configure auth per app; server‑level auth is disallowed.
Token lifetimes & sessions
- Stateful sessions: upstream tokens are encrypted server‑side; clients hold only a lightweight reference, so upstream tokens can be refreshed silently without the client noticing.
- Stateless sessions: upstream tokens are embedded in the JWT handed to the client; simpler to operate, but upstream tokens cannot be refreshed silently, because any change requires issuing a new JWT to the client.