You can connect to a MongoDB Enterprise deployment or MongoDB Atlas cluster using OpenID Connect (OIDC) authentication with the MongoDB MCP server.
To learn more, see Authentication and Authorization with OIDC/OAuth 2.0.
Configuration Options
To connect to a MongoDB deployment with OIDC, configure the following options in your MCP server configuration:
| CLI Option Name | OS Environment Variable Name | Type | Necessity | Description |
|---|---|---|---|---|
| | | string | Required | Set to |
| | | array of strings | Optional | Specifies OIDC flows in a comma-separated list. The OIDC flows specify how the MongoDB MCP server interacts with the identity provider during authentication. The MongoDB MCP server supports the following OIDC flows: |
| | | string | Optional | Specifies a URI where the identity provider redirects you after authentication. The URI must match the configuration of the identity provider. Default: |
| | | string | Optional | Specifies the browser the MongoDB MCP server redirects you to when |
| | | boolean | Optional | Specifies whether the MongoDB MCP server uses the ID token received from the identity provider instead of the access token. Use this option with identity providers that you can't configure to provide JWT access tokens. |
| | | string | Optional | Specifies a trusted endpoint, other than Atlas or localhost, to which the MongoDB MCP server may send access tokens. Only use this option when connecting to servers that you trust. |
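The trusted-endpoint option above exists so that an OIDC access token is never handed to an arbitrary host named in a connection string. The following added example (not the MongoDB MCP server's own code) models that allow-list decision: it pulls the hosts out of a `mongodb://` or `mongodb+srv://` URI and accepts only Atlas hosts, localhost, or the one endpoint you explicitly trust. The `.mongodb.net` suffix, the set of local names and all function names are assumptions for the illustration, not the server's implementation.

```python
from typing import Optional

# Assumptions (not taken from the MCP server docs): Atlas hosts are recognised by
# this DNS suffix, and these names count as "localhost".
ATLAS_SUFFIX = ".mongodb.net"
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def connection_hosts(uri: str) -> list:
    """Return the lower-cased host names in a mongodb:// or mongodb+srv:// URI.

    Credentials, ports, the database name and the query options are stripped.
    """
    scheme, _, rest = uri.partition("://")
    if scheme not in ("mongodb", "mongodb+srv"):
        raise ValueError(f"unsupported scheme: {scheme!r}")
    rest = rest.rsplit("@", 1)[-1]                     # drop user:password@
    rest = rest.split("/", 1)[0].split("?", 1)[0]      # drop /db and ?options
    hosts = []
    for entry in rest.split(","):
        entry = entry.strip()
        if entry.startswith("["):                      # IPv6 literal such as [::1]:27017
            host = entry[1:entry.index("]")]
        else:
            host = entry.split(":", 1)[0]
        hosts.append(host.lower())
    return hosts


def is_trusted_host(host: str, trusted_endpoint: Optional[str]) -> bool:
    """True when an OIDC access token may be sent to `host`."""
    host = host.lower()
    if host in LOCAL_HOSTS or host.endswith(ATLAS_SUFFIX):
        return True
    return trusted_endpoint is not None and host == trusted_endpoint.lower()


def untrusted_hosts(uri: str, trusted_endpoint: Optional[str] = None) -> list:
    """Hosts in `uri` that must NOT receive the token.

    An empty list means every host is allowed and the OIDC connection may proceed.
    """
    return [h for h in connection_hosts(uri) if not is_trusted_host(h, trusted_endpoint)]


if __name__ == "__main__":
    # Constructed sample connection strings; none of these hosts exist.
    for uri, trusted in [
        ("mongodb+srv://app:secret@cluster0.ab12c.mongodb.net/inventory?retryWrites=true", None),
        ("mongodb://db.corp.example:27017/inventory", None),
        ("mongodb://db.corp.example:27017/inventory", "db.corp.example"),
    ]:
        bad = untrusted_hosts(uri, trusted)
        print("OK  " if not bad else "STOP", uri, "->", bad or "all hosts trusted")
```

Note the suffix comparison uses `endswith(".mongodb.net")` with the leading dot: a host such as `cluster0.mongodb.net.not-atlas.example` contains the Atlas domain as a substring but is still rejected, which is the kind of look-alike a plain `in` check would let through.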
OIDC Flows
The MongoDB MCP server supports two OIDC flows:
Authorization Code Flow (default)
Device Authorization Grant Flow (when browser-based authentication isn't available)
Note
When you configure the MongoDB MCP Server to accept remote connections, it uses Device Authorization Grant Flow.
The Authorization Code Flow is the default OIDC mechanism. In this flow, the user authenticates with the identity provider (IdP) in a browser and the MCP server exchanges the authorization code for tokens.
If you start the server with a MongoDB connection string, the server completes browser-based authentication on startup.
If you use the MCP server's connect tool, authentication runs interactively. While authentication is in progress, operations that require a database connection are unavailable. If sign-in does not complete promptly, the attempt times out and you can try again. You can view your MCP server logs for details.
In environments where a browser is not available, the MCP Server uses the Device Authorization Grant Flow. Device authorization is available when the MCP Server runs with HTTP transport. For instructions on running the MCP Server with HTTP transport (--transport http), see MongoDB MCP Server Configuration.
To initiate device authorization:
While authentication is in progress, operations that require a database connection are unavailable. If sign-in does not complete promptly, the attempt times out and you can try again. Refer to your MCP server logs for details.
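To make the Device Authorization Grant Flow and its timeout concrete, here is an added offline walk-through (example code, not the MongoDB MCP server's or any identity provider's implementation). A fake identity provider and a fake client exchange the standard device-flow messages in memory: the client obtains a device code and user code, the human enters the user code on the verification page, and the client polls the token endpoint until it gets a token or runs out of time. The provider URL, client id, codes and the simulated clock are all constructed for the example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class FakeIdP:
    """Stand-in identity provider holding in-memory state for pending device codes."""
    pending: dict = field(default_factory=dict)   # device_code -> state

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Step 1: the client asks for a device code; the IdP replies with the
        code pair, the page the human must visit, and the polling parameters."""
        device_code = secrets.token_urlsafe(16)
        user_code = f"{secrets.token_hex(2).upper()}-{secrets.token_hex(2).upper()}"
        self.pending[device_code] = {"user_code": user_code, "approved": False}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/device",   # constructed
                "interval": 5, "expires_in": 60}

    def approve(self, user_code: str) -> None:
        """Step 2 (the human, in any browser): enter the user code and consent."""
        for state in self.pending.values():
            if state["user_code"] == user_code:
                state["approved"] = True
                return
        raise KeyError("unknown user code")

    def token(self, device_code: str) -> dict:
        """Step 3: the client polls the token endpoint with its device code."""
        state = self.pending.get(device_code)
        if state is None:
            return {"error": "expired_token"}
        if not state["approved"]:
            return {"error": "authorization_pending"}
        del self.pending[device_code]            # a device code is single-use
        return {"access_token": "at-" + secrets.token_urlsafe(8),
                "token_type": "Bearer", "expires_in": 3600}


def run_device_flow(idp: FakeIdP, user_script: list) -> dict:
    """Client side of the flow. `user_script[n]` is what the human has done before
    poll n: None (nothing yet) or "approve". Time is simulated rather than slept:
    one poll per `interval` seconds, so the attempt times out after
    expires_in // interval polls and the caller may simply start a new attempt."""
    start = idp.device_authorization(client_id="mcp-server", scope="openid")
    prompt = f"Open {start['verification_uri']} and enter code {start['user_code']}"
    max_polls = start["expires_in"] // start["interval"]
    for n in range(max_polls):
        if n < len(user_script) and user_script[n] == "approve":
            idp.approve(start["user_code"])
        reply = idp.token(start["device_code"])
        if "access_token" in reply:
            return {"status": "ok", "polls": n + 1, "prompt": prompt,
                    "access_token": reply["access_token"]}
        if reply["error"] != "authorization_pending":
            return {"status": "error", "polls": n + 1, "prompt": prompt,
                    "error": reply["error"]}
    # The user never finished sign-in within the window: give up and let the caller retry.
    return {"status": "timeout", "polls": max_polls, "prompt": prompt}


if __name__ == "__main__":
    idp = FakeIdP()
    print(run_device_flow(idp, [None, None, "approve"]))   # signs in before the third poll
    print(run_device_flow(idp, []))                        # never signs in -> timeout
```

The `prompt` string is what the MCP server would surface to you when device authorization starts; everything the client learns before the human acts is `authorization_pending`, and a device code that has already been redeemed is refused, which is why a timed-out attempt is retried with a fresh code rather than by reusing the old one.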