Create an OAuth inbound integration for an MCP client

  • Release version: Australia
  • Updated November 12, 2025
  • 1 minute to read
  • Secure access to Model Context Protocol (MCP) servers on an instance by creating an OAuth inbound integration for each MCP client.

    Before you begin

    Role required: oauth_admin, mi_admin, admin

    About this task

    For each client that you want to access servers on an instance, create an OAuth inbound integration in Machine Identity Console. To create the OAuth integration, you need a redirect URL from the client. For more information, refer to the documentation for your AI application and client.

    Procedure

    1. Navigate to All > MCP Server Console.
    2. From the Configuration tab, select Servers.
    3. From the OAuth setup required banner, select Set up OAuth.
      Alternatively, you can navigate to All > Machine Identity Console and select the Inbound integrations tab.
      Note:
      In the list of existing inbound integrations, you might see integrations created with the same names as servers (including underscores). These are integrations for monitoring servers from AI Control Tower and shouldn't be used to integrate with clients.
    4. Select New integration.
    5. Select OAuth - Authorization code grant.
    6. On the form, fill in the required fields.
      For more information about this form, see Configure an OAuth authorization code grant.
      Table 1. Inbound integration form
      Field Value
      Details section
      Name Enter a name for the OAuth integration.
      Redirect URLs Enter the redirect URL for a client. The authorization code is sent to this URL after authentication. To get the redirect URL, refer to the documentation for your AI application and client.

      To connect to the ServiceNow MCP client on another instance, use the following redirect URL: https://<client-instance>.service-now.com/oauth_redirect.do. For more information, see the Model Context Protocol Client documentation.

      Auth scope section
      Allow access only to APIs in selected scope Clear the check box to make the OAuth integration broadly scoped.
      Advanced options section
      Token Format Select JWT.
    7. Select Save.
      The OAuth inbound integration is created as broadly scoped with a client ID and client secret that you use when configuring the client to connect to servers on the instance.

      An OAuth inbound integration for Claude to connect to MCP servers as an MCP client.

    What to do next

    Configure the client to use the client ID and client secret to authenticate with servers on the instance.