
Refresh token support for MCP authorization flows

OIDC ID Token and Aembit Access Token Credential Providers now support refresh tokens for MCP Authorization Server flows. This feature applies exclusively to MCP Authorization Server use cases.

What’s new:

  • An Enable Refresh Token Support option on OIDC ID Token and Aembit Access Token Credential Providers.
  • An Absolute Token Lifetime setting that controls how long after initial issuance a refresh token can still be exchanged for a new access token.
  • Refresh tokens are single-use. Each exchange returns a new refresh token.

When enabled, the MCP Authorization Server returns refresh tokens alongside access tokens during OAuth token requests. MCP clients can exchange a refresh token for a new access token and a new refresh token, maintaining an active session without completing a new authorization flow. Other credential flows, such as Agent Proxy, are not affected by this setting.
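The following added example (not Aembit's code) models the semantics described above: each refresh token is redeemable once, each exchange returns a new one, and the absolute lifetime is counted from initial issuance. The class and function names are hypothetical, and carrying the original deadline across rotations is an assumption based on the setting's name.

```python
import secrets
import time


class RefreshTokenStore:
    """Toy in-memory model of single-use refresh tokens with an absolute lifetime."""

    def __init__(self, absolute_lifetime_s, clock=time.time):
        self.absolute_lifetime_s = absolute_lifetime_s
        self.clock = clock
        self._live = {}  # refresh token -> absolute deadline (epoch seconds)

    def issue(self):
        """Initial issuance: the absolute deadline is fixed here."""
        return self._mint(self.clock() + self.absolute_lifetime_s)

    def exchange(self, refresh_token):
        """Redeem a refresh token once; return a new (access, refresh) pair."""
        # pop() makes the token single-use: a second presentation finds nothing.
        deadline = self._live.pop(refresh_token, None)
        if deadline is None:
            raise PermissionError("unknown or already-used refresh token")
        if self.clock() >= deadline:
            raise PermissionError("absolute token lifetime exceeded")
        # Assumption: the successor inherits the original deadline (no extension).
        return self._mint(deadline)

    def _mint(self, deadline):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._live[refresh] = deadline
        return access, refresh


def demo():
    """Constructed scenario: 1-hour absolute lifetime, driven by a fake clock."""
    now = [0.0]
    store = RefreshTokenStore(3600, clock=lambda: now[0])
    _, rt1 = store.issue()
    now[0] = 1800
    _, rt2 = store.exchange(rt1)  # first use: rotation succeeds
    results = {"rotated": rt2 != rt1}
    for label, token, t in (("replay", rt1, 1801), ("expired", rt2, 3600)):
        now[0] = t
        try:
            store.exchange(token)
            results[label] = "accepted"
        except PermissionError as exc:
            results[label] = str(exc)
    return results
```

For an MCP client, the practical consequence is that it must persist the refresh token returned by each exchange and discard the old one, and it must be ready to run a new authorization flow once the absolute lifetime has passed.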

To use this feature, edit your Credential Provider, toggle Enable Refresh Token Support to on, and set the Absolute Token Lifetime.

For details, see Token refresh, OIDC ID Token, and Aembit Access Token.

MCP Authorization Server now supports unauthenticated flows

Aembit’s MCP Authorization Server now supports OAuth flows that don’t require end-user authentication. This enables use cases like ChatGPT apps and other MCP integrations where user sign-in isn’t needed or desired.

What’s new:

  • An Enforce SSO option on Client Workloads with the Redirect URI identifier type. Enforce SSO is on by default, preserving the current behavior of requiring user authentication.
  • When Enforce SSO is on, a multi-select dropdown lets you choose which SSO identity providers appear on the MCP authentication page. By default, all configured identity providers are selected.
  • When Enforce SSO is off, the MCP Authorization Server issues access tokens without redirecting users to an identity provider. No Trust Provider is needed, but a Credential Provider is still required.
  • Access Policies still apply as an authorization control. You can turn off policies or entities to block token issuance.

To use this feature, edit your Client Workload, select the Redirect URI client identifier, and configure Enforce SSO under MCP Authorization Configuration.

For details, see Authentication support and MCP Authorization Server architecture.

MCP Identity Gateway now supports MCP resources

Aembit has released MCP Identity Gateway version 1.29.4419.

Key Updates:

  • MCP resource support for the Identity Gateway

The MCP Identity Gateway now proxies MCP resource requests in addition to tool requests. MCP servers that expose resources (such as files, database schemas, or application data) are now accessible through the Gateway with the same identity-aware access policies, credential isolation, and audit logging that govern tool invocations.

What’s new:

  • resources/list discovers available resources across all assigned MCP servers. The Gateway fans out the request and aggregates results from all connected servers.
  • resources/read retrieves a specific resource by URI from the appropriate MCP server.

No action required. Resource support is available automatically after upgrading to MCP Identity Gateway 1.29.4419. Your existing access policies, Trust Providers, and Credential Providers apply to resource requests with no configuration changes.

For details, see MCP resource support.