Try It Out

Each walkthrough below runs the Securing MCP pattern against the Wayfinder sample. The Wayfinder Server hosts an MCP server on /mcp alongside its REST API; an external MCP client signs in through ThunderID and calls Wayfinder's tools, with ThunderID enforcing who can invoke which tool.

Meet Wayfinder

Wayfinder is the same travel-booking application from the Securing AI Agents tryout, where the in-product Wayfinder Concierge acts as an MCP client from inside the app. This tryout covers the other side: an external MCP client connecting to the same Wayfinder MCP server through its own OAuth application in ThunderID. The application is pre-registered in the bundle; in production, clients that support Dynamic Client Registration can self-register at runtime instead.

[Diagram: Wayfinder, a travel-booking application with an embedded MCP server, and its two kinds of MCP client. AI Agent (built into the Wayfinder app): Wayfinder Concierge, calls MCP tools through chat. External MCP Client (connects from outside the app): MCP Inspector, calls MCP tools directly.]

Meet the Cast

  • John Doe signs in to the external MCP client and picks which booking:* permissions to grant at consent. He carries the Booking User role with read, create, and cancel permissions.
  • MCP Inspector is the reference debug UI for MCP servers — browser-based, speaks the protocol, supports OAuth-protected servers out of the box.

Sample Architecture

This tryout extends the AI Agents architecture with one new piece:

  • External MCP Client: an OAuth client (MCP Inspector) that signs in through ThunderID and calls the Wayfinder MCP server's tools.

The Wayfinder Server validates the issued access token on every MCP call and enforces the per-tool scope before invoking the tool handler.

[Diagram: User (John Doe) uses the External MCP Client (MCP Inspector), which discovers, signs in, and calls MCP tools. ThunderID (Identity Authority) manages identities and issues tokens. Wayfinder Server (Booking API + MCP tools) holds flights, hotels, and bookings. Flows shown: Sign in, Issue tokens, Call MCP tools, Validate tokens.]
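
The per-call check described above, as an added example (not Wayfinder's or ThunderID's own code). The tool names, scope strings, issuer and audience values, and the space-separated scope claim are assumptions, and an HS256 demo key stands in for verifying the signature against the issuer's published keys.

```python
import base64, hashlib, hmac, json, time

# Assumed values, not taken from the page: issuer, audience, tool names, scope
# strings, and an HS256 demo key standing in for the issuer's real signing keys.
ISSUER, AUDIENCE = "https://localhost:8090", "wayfinder-mcp"
DEMO_KEY = b"constructed-demo-key"
TOOL_SCOPES = {"list_bookings": "booking:read", "create_booking": "booking:create",
               "cancel_booking": "booking:cancel"}

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def sign(signing_input):
    return hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()

def make_token(claims):  # builds a constructed demo token (sample input only)
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{b64e(sign(head + '.' + body))}"

def authorize_tool_call(token, tool, now=None):
    """Return (allowed, reason). Runs on every call, before the tool handler."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header, claims, given = json.loads(b64d(head)), json.loads(b64d(body)), b64d(sig)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("header and payload must be JSON objects")
    except ValueError:
        return False, "malformed_token"
    if header.get("alg") != "HS256":          # pin the algorithm server-side
        return False, "bad_alg"
    if not hmac.compare_digest(sign(head + "." + body), given):
        return False, "bad_signature"
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER or AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong_issuer_or_audience"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired"
    required = TOOL_SCOPES.get(tool)          # unmapped tools are denied by default
    if required is None:
        return False, "unknown_tool"
    if required not in str(claims.get("scope", "")).split():
        return False, "insufficient_scope"
    return True, "ok"
```

A token carrying only `booking:read` passes for the read tool and is refused for the cancel tool, which is the outcome when the user grants a subset of permissions at consent.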

Set Up Your Environment

Complete the Set Up Your Environment steps in the Securing AI Agents tryout first. The same bundle also seeds the EXTERNAL-MCP-CLIENT application used here.

1. Verify the New Application

In the ThunderID Console at https://localhost:8090/console, open Applications and confirm EXTERNAL-MCP-CLIENT is listed.

2. Install MCP Inspector

Launch MCP Inspector locally:

npx @modelcontextprotocol/inspector

3. Allow Inspector in CORS

Add Inspector's origin to ThunderID's CORS allow-list in repository/conf/deployment.yaml, then restart ThunderID:

cors:
  allowed_origins:
    # ...existing entries...
    - "http://localhost:6274"

Walkthroughs

Pick a walkthrough to begin. Each one starts from the setup above.

Going Deeper

  • Curious how the MCP-specific application and consent step map to ThunderID concepts? See Identity Concepts.
  • Prefer to register the application manually? See Configure It Yourself.
  • Want to compare server-side and client-side patterns before going to production? See Solution Patterns.