Authorization determines what a token may do.

OAuth scopes

Provide standard scopes to external IdPs:
auth: {
  type: 'remote',
  name: 'frontegg',
  baseUrl: 'https://idp.example.com',
  scopes: ['openid','profile','email']
}
Set consent: true to display a post‑login consent step that lists your registered tools/resources/prompts. The issued access token includes the selected grants.

Modes (Remote OAuth)

Use the mode field to reflect deployment topology:
  • transparent (default): your server acts as a regular confidential client.
  • orchestrated: the gateway coordinates multiple apps/providers under one umbrella token (used in advanced multi‑app setups).
When splitByApp: true, configure auth per app; server‑level auth is disallowed.

Token lifetimes & sessions

  • Stateful sessions: tokens are encrypted server‑side; clients hold a lightweight reference. Refresh is smooth.
  • Stateless sessions: tokens ride inside the JWT; simple, but no silent refresh of upstream tokens.
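
The stateful model described above, sketched as an added example (not code from this project): upstream tokens are sealed with AES‑256‑GCM on the server, the client holds only a random reference, and a refresh swaps the stored tokens without changing that reference. The class name, method names and in‑memory Map are assumptions made for illustration.

```javascript
// Added illustration; hypothetical names, not the framework's implementation.
const nodeCrypto = require('node:crypto');

class StatefulSessionStore {
  constructor(key = nodeCrypto.randomBytes(32)) {
    this.key = key;        // AES-256-GCM key, held only by the server
    this.rows = new Map(); // session reference -> { iv, ct, tag }
  }

  // Encrypt the upstream token set; the reference is bound in as AAD so a
  // ciphertext row cannot be replayed under a different session.
  seal(ref, tokens) {
    const iv = nodeCrypto.randomBytes(12);
    const enc = nodeCrypto.createCipheriv('aes-256-gcm', this.key, iv);
    enc.setAAD(Buffer.from(ref));
    const ct = Buffer.concat([enc.update(JSON.stringify(tokens), 'utf8'), enc.final()]);
    this.rows.set(ref, { iv, ct, tag: enc.getAuthTag() });
  }

  // Start a session: the client receives only this opaque random reference.
  create(tokens) {
    const ref = nodeCrypto.randomBytes(32).toString('base64url');
    this.seal(ref, tokens);
    return ref;
  }

  // Resolve a reference to tokens; null if unknown or authentication fails.
  open(ref) {
    const row = this.rows.get(ref);
    if (!row) return null;
    try {
      const dec = nodeCrypto.createDecipheriv('aes-256-gcm', this.key, row.iv);
      dec.setAAD(Buffer.from(ref));
      dec.setAuthTag(row.tag);
      return JSON.parse(Buffer.concat([dec.update(row.ct), dec.final()]).toString('utf8'));
    } catch {
      return null;
    }
  }

  // Silent refresh: replace the upstream tokens; the client's reference is unchanged.
  refresh(ref, newTokens) {
    if (!this.rows.has(ref)) return false;
    this.seal(ref, newTokens);
    return true;
  }
}
```

In the stateless model there is no server‑side row to swap, which is why upstream tokens carried inside the JWT cannot be refreshed silently.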