
Refresh token support for MCP authorization flows

OIDC ID Token and Aembit Access Token Credential Providers now support refresh tokens for MCP Authorization Server flows. This feature applies exclusively to MCP Authorization Server use cases.

What’s new:

  • An Enable Refresh Token Support option on OIDC ID Token and Aembit Access Token Credential Providers.
  • An Absolute Token Lifetime setting that controls how long after initial issuance a refresh token can still be exchanged for a new access token.
  • Refresh tokens are single-use. Each exchange returns a new refresh token.

When enabled, the MCP Authorization Server returns refresh tokens alongside access tokens during OAuth token requests. MCP clients can exchange a refresh token for a new access token and a new refresh token, maintaining an active session without completing a new authorization flow. Other credential flows, such as Agent Proxy, are not affected by this setting.
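The two rules above, single-use refresh tokens and an absolute lifetime measured from the initial issuance, are easy to get wrong on the server side. The following is an added, constructed model of that behaviour (not Aembit's code; the class, field and error names are assumptions), showing that a replacement refresh token never extends the original lifetime and that a replayed token is rejected:

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class RefreshRecord:
    subject: str
    chain_start: float   # time of the initial issuance; the whole rotation chain is measured from here
    used: bool = False   # set on first exchange so a replayed token is rejected


class RefreshTokenStore:
    """Constructed model of single-use refresh tokens bounded by an absolute lifetime."""

    def __init__(self, absolute_lifetime: float, access_lifetime: float = 300.0):
        self.absolute_lifetime = absolute_lifetime  # seconds from initial issuance
        self.access_lifetime = access_lifetime      # seconds each access token is valid
        self._records: Dict[str, RefreshRecord] = {}

    def issue(self, subject: str, now: Optional[float] = None) -> dict:
        """Initial issuance once the authorization flow has completed."""
        now = time.time() if now is None else now
        return self._mint(subject, chain_start=now, now=now)

    def refresh(self, refresh_token: str, now: Optional[float] = None) -> dict:
        """Token endpoint handling for grant_type=refresh_token."""
        now = time.time() if now is None else now
        rec = self._records.get(refresh_token)
        if rec is None or rec.used:
            # Unknown or already-consumed token: single-use means a replay fails.
            return {"error": "invalid_grant", "error_description": "refresh token invalid or already used"}
        if now >= rec.chain_start + self.absolute_lifetime:
            return {"error": "invalid_grant", "error_description": "absolute token lifetime exceeded"}
        rec.used = True  # consume before minting the replacement
        # The replacement inherits chain_start, so rotation never extends the absolute lifetime.
        return self._mint(rec.subject, chain_start=rec.chain_start, now=now)

    def _mint(self, subject: str, chain_start: float, now: float) -> dict:
        refresh_token = secrets.token_urlsafe(32)
        self._records[refresh_token] = RefreshRecord(subject, chain_start)
        return {
            "access_token": secrets.token_urlsafe(32),
            "token_type": "Bearer",
            "expires_in": int(self.access_lifetime),
            "refresh_token": refresh_token,
            "refresh_expires_in": int(chain_start + self.absolute_lifetime - now),
        }
```

Passing `now` explicitly makes the lifetime arithmetic testable without a fake clock; in a real token endpoint the current time would come from the server.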

To use this feature, edit your Credential Provider, toggle Enable Refresh Token Support to on, and set the Absolute Token Lifetime.

For details, see Token refresh, OIDC ID Token, and Aembit Access Token.

OAuth 2.0 Authorization Code Credential Provider now available

Aembit now supports 3-legged OAuth (3LO) workflows through the new OAuth 2.0 Authorization Code Credential Provider. Applications can request a user’s permission to access their account data and act on the user’s behalf.

With 3LO support, an application can access services or applications that the user has authorized.

Aembit supports the following third-party services with OAuth 2.0 Authorization Code Credential Providers:

For configuration details, see the OAuth 2.0 Authorization Code Credential documentation.

An expansion to Client Workload identification and Trust Provider match rules also shipped in this release; see Expanded Client Workload identification and Trust Provider match rules.

OAuth 2.0 Authorization Code Credential Provider enters beta

Aembit has released beta support for the OAuth 2.0 Authorization Code Credential Provider.

Many organizations require Credential Provider support for third-party SaaS services that only support short-lived credentials issued through the OAuth 2.0 Authorization Code Flow. These services include:

  • Atlassian
  • GitLab
  • Slack
  • GCP BigQuery
  • Apigee
  • PagerDuty

This beta release lets users integrate with these third-party SaaS services and have short-lived access tokens generated on demand for authenticating to the APIs those services provide.

For more information on how to configure the OAuth 2.0 Authorization Code Credential Provider for use with any of these third-party services, please see the OAuth 2.0 Authorization Code Credential Provider page.

Dynamic Claims now available for Credential Providers

Aembit has released a new feature for Credential Providers called “Dynamic Claims.” This feature allows you to set the Subject claim and Custom claims with either literal strings or dynamic values when setting up Credential Providers in your Aembit client tenant.

For more detailed information about Dynamic Claims, please refer to the Dynamic Claims page.

This feature is currently only supported for Vault integration.