Glean can act as both the OAuth 2.0 Authorization Server (issuing access tokens) and the Resource Server (validating them), while delegating user authentication to your configured Single Sign-On (SSO) Identity Provider (IdP) over OpenID Connect (OIDC) or Security Assertion Markup Language (SAML). This enables Glean-defined scopes, simpler onboarding for REST integrations, and the recommended OAuth path for MCP.
Glean does not replace your SSO. When you enable the Glean OAuth Authorization Server, Glean only acts as the authorization server that issues OAuth access tokens. User authentication continues to happen through your existing SSO Identity Provider (Google Workspace, Microsoft Entra ID, Okta, etc.) using the same OIDC or SAML configuration you already have. Glean reuses your existing SSO for authentication and adds OAuth token issuance on top.
OAuth authentication is only supported for the Client API and MCP Remote Servers. Indexing API operations require Glean-issued tokens and do not accept OAuth.

When to choose this approach

  • You want Glean-defined, fine-grained scopes for Client API features (for example: SEARCH, CHAT, AGENTS).
  • You are connecting MCP host applications. The recommended MCP path requires enabling the Glean OAuth Authorization Server to streamline setup.
  • You want faster setup without coordinating with your IdP team.

What Glean does and does not do

  • Does: Act as OAuth 2.0 Authorization Server (issue access tokens); define and enforce scopes; validate tokens at the Resource Server.
  • Does not: Replace or modify your SSO setup. User authentication continues via your existing SSO IdP (OIDC or SAML). Glean reuses your SSO; it does not reinvent it.

Where it applies

  • Client API (search, chat, agents, etc.): Supported with OAuth access tokens
  • MCP Remote Servers: Supported and recommended (host OAuth support may vary)

Admin enablement

In the Admin Console, go to Settings → Third-party access (OAuth) and enable the Glean OAuth Authorization Server.

Supported flows and endpoints (high level)

  • Authorization Code with Proof Key for Code Exchange (PKCE).
  • Endpoints: Authorization, Token, Introspection, and OIDC Discovery. These support standard client registration and token acquisition patterns without exposing non-public base URLs.

Scopes and permissions

Glean-defined scopes govern API capabilities. Request the minimum scopes needed. Examples include SEARCH, CHAT, AGENTS, MCP, DOCUMENTS, TOOLS, and ENTITIES. Scopes apply to Client API operations. The Indexing API uses a separate authentication model and does not accept OAuth.

Using OAuth with MCP Remote Servers

  • Prerequisite: Enable the Glean OAuth Authorization Server in Admin.
  • Flow: The MCP host initiates the Authorization Code flow (opening a browser for IdP login and user consent), obtains tokens through the Glean OAuth server, then connects to Remote MCP endpoints.
  • Bearer token fallback: If an MCP host does not support OAuth, a user-scoped bearer token can be used as a fallback. This is less preferred than OAuth.

Troubleshooting and cautions

  • Ensure the Glean OAuth server is enabled; otherwise token acquisition or validation will fail.
  • Redirect URIs must match exactly; the PKCE verifier must match the original challenge.
  • OAuth applies to the Client API and MCP; do not use OAuth for the Indexing API.
  • MCP host client authentication failures or unknown client errors: Clear the host’s stored MCP credentials and re-authenticate.
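The PKCE side of the Authorization Code flow described under "Supported flows and endpoints", and the "verifier must match the original challenge" caution above, as an added example client helper (not Glean's own code). The authorize endpoint URL is a placeholder; in practice you read it from your instance's OIDC Discovery document, and the scope names are the Glean-defined scopes listed above.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Placeholder (assumed): take the real authorization and token endpoints from
# the OIDC Discovery document of your Glean instance, never from a hard-coded URL.
AUTHORIZE_URL = "https://<your-glean-instance>/oauth/authorize"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier(n_bytes: int = 32) -> str:
    """Random code_verifier; 32 random bytes give 43 chars (RFC 7636 allows 43-128)."""
    return b64url(secrets.token_bytes(n_bytes))


def make_challenge(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id: str, redirect_uri: str, scopes: list[str],
                        verifier: str, state: str) -> str:
    """Authorization request: only the challenge travels through the browser."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,          # must match the registered URI exactly
        "scope": " ".join(scopes),             # request the minimum, e.g. SEARCH CHAT
        "state": state,                        # CSRF protection, checked on return
        "code_challenge": make_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def token_request_body(client_id: str, redirect_uri: str, code: str, verifier: str) -> dict:
    """Token endpoint body: same redirect_uri as the authorize step, and the
    original verifier (not the challenge) so the server can recompute S256."""
    return {"grant_type": "authorization_code", "client_id": client_id,
            "redirect_uri": redirect_uri, "code": code, "code_verifier": verifier}


def verifier_matches(verifier: str, challenge: str) -> bool:
    """The check the authorization server performs at the token endpoint; a stale
    or regenerated verifier fails here, which is the mismatch the cautions describe."""
    return secrets.compare_digest(make_challenge(verifier), challenge)
```

Generate the verifier once per login attempt and keep it in the host's session until the token exchange; regenerating it between the two steps is the usual cause of a challenge mismatch.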