The Indexing API uses a separate authentication model with Glean-issued tokens and does not accept OAuth.
Overview
When to choose this approach
- You are connecting MCP host applications to Glean’s remote MCP server. This is the recommended authentication path for MCP and requires enabling the Glean OAuth Authorization Server.
- You want faster setup without coordinating with your IdP team for new integrations.
- You want Glean-defined, fine-grained scopes for future Client API integrations (note: full Client API support with UI is coming in a future release).
What Glean does and does not do
- Does: Act as OAuth 2.1 Authorization Server (issue access tokens); define and enforce scopes; validate tokens at the Resource Server.
- Does not: Replace or modify your SSO setup. User authentication continues via your existing SSO IdP (OIDC or SAML). Glean reuses your SSO; it doesn’t reinvent it.
Where it applies
- MCP Remote Servers: Fully supported and recommended. This is the primary use case for the Glean OAuth Authorization Server. Note that host OAuth support may vary by MCP client application.
- Client API: Technically supported for operations like search, chat, and agents, but full support requires additional UI components planned for future releases.
Setup and Configuration
Enabling the Glean OAuth Authorization Server
The Glean OAuth Authorization Server is disabled by default. To enable it, follow the steps below:
1. Navigate to OAuth Settings: Go to the Admin Console and navigate to Settings → Third‑party access (OAuth).
2. Enable Glean OAuth Authorization Server

Using OAuth with MCP Remote Servers
Once enabled, MCP host applications can authenticate using the following flow:
- The MCP host initiates the Authorization Code flow (opening a browser for IdP login and user consent)
- The host obtains tokens through the Glean OAuth server
- The host connects to Remote MCP endpoints using the OAuth token
- Bearer token fallback: If an MCP host does not support OAuth, a user-scoped bearer token can be used as a fallback (less preferred than OAuth)
Technical Reference
Supported flows and endpoints
- Authorization Code with Proof Key for Code Exchange (PKCE).
- Endpoints: Authorization, Token, Introspection, and OIDC Discovery. These support standard client registration and token acquisition patterns without exposing non-public base URLs.
Scopes and permissions
Glean-defined scopes govern API capabilities. Request the minimum scopes needed for your integration. Examples include SEARCH, CHAT, AGENTS, MCP, DOCUMENTS, TOOLS, and ENTITIES.
For MCP remote servers, the relevant scopes (particularly MCP and related resource scopes) are automatically managed during the OAuth flow. The Indexing API uses a separate authentication model and does not accept OAuth.
Troubleshooting and cautions
- Ensure the Glean OAuth server is enabled; otherwise token acquisition or validation will fail.
- Redirect URIs must match exactly; the PKCE verifier must match the original challenge.
- Do not use OAuth for the Indexing API, which requires Glean-issued tokens.
- MCP host client authentication failures or unknown client errors: Clear the host’s stored MCP credentials and re-authenticate.
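The two checks named in the list above (exact redirect URI match, PKCE verifier matching the original challenge) can be reproduced locally when debugging a failing token exchange. The following Python sketch is an added example, not Glean code; the endpoint URL, client ID and redirect URI are placeholders, and the S256 challenge method from RFC 7636 is assumed.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Placeholders (assumptions): the page gives no endpoint URLs or client id.
AUTHORIZATION_ENDPOINT = "https://glean.example.invalid/oauth/authorize"
CLIENT_ID = "example-mcp-host"
REDIRECT_URI = "http://127.0.0.1:8765/callback"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_verifier() -> str:
    """High-entropy code_verifier: 32 random bytes become 43 characters."""
    return b64url(secrets.token_bytes(32))


def challenge_for(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorization_url(challenge: str, state: str, scope: str) -> str:
    """Request sent through the browser; the verifier never leaves the host."""
    return AUTHORIZATION_ENDPOINT + "?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI, "scope": scope, "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256",
    })


def token_request_ok(stored_challenge: str, stored_redirect: str,
                     verifier: str, redirect_uri: str) -> bool:
    """Apply both checks the way an authorization server would at the token step."""
    pkce_ok = hmac.compare_digest(challenge_for(verifier), stored_challenge)
    redirect_ok = redirect_uri == stored_redirect  # exact string match, no normalization
    return pkce_ok and redirect_ok
```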