How It Works
Configuration
Enable progressive auth with orchestrated mode:Authorization Hierarchy
Progressive auth operates at three levels:Token Vault
The token vault stores per-app credentials and expands as users authorize more apps:Initial State
Session Token:
user-123Vault:- CRM: Authorized
After Slack Auth
Session Token:
user-123 (same)Vault:- CRM: Authorized
- Slack: Authorized
After GitHub Auth
Session Token:
user-123 (same)Vault:- CRM: Authorized
- Slack: Authorized
- GitHub: Authorized
The session token remains the same. Only the token vault expands with new app credentials.
Authorization Response
When a tool requires unauthorized access, FrontMCP returns:Handling in Clients
Consent UI
The built-in consent UI lets users choose which apps to authorize:Multi-Provider Setup
App Configuration
Server Configuration
Standalone vs Nested Apps
Apps can be configured as standalone (direct access) or nested (under parent):| Configuration | Direct Access | Federated Auth |
|---|---|---|
standalone: true | /slack/oauth/authorize | Also in parent consent |
standalone: false (default) | N/A | Only via parent |
Skip and Authorize Later
Users can skip apps during initial consent and authorize later:Skipping
Later Authorization
Session Token Structure
OpenAPI Adapter Integration
When using OpenAPI adapters, tools are automatically grouped by auth provider:Best Practices
Request minimal scopes - Only ask for what each tool needs
Provide clear descriptions - Users should understand why each app is needed
Handle auth errors gracefully - Show friendly messages with auth links
Use stateful sessions - Required for token vault to work
Test the skip flow - Ensure skipped apps can be authorized later
Troubleshooting
Token vault not updating
Token vault not updating
- Ensure
sessionMode: 'stateful'is configured - Check Redis connectivity if using Redis storage
- Verify the session ID matches across requests
Auth link not working
Auth link not working
- Check the
auth_urlincludes correct app and scope parameters - Verify the app is registered with the server
- Ensure redirect URIs are configured correctly
Skipped apps won't authorize
Skipped apps won't authorize
Next Steps
Remote OAuth
Configure external identity providers
Tokens & Sessions
Token lifecycle and session management
Production Checklist
Security requirements for deployment
Authorization Modes
Choose the right auth mode