Try It Out
Each walkthrough below runs the Securing MCP pattern against the Wayfinder sample. The Wayfinder Server hosts an MCP server on /mcp alongside its REST API; an external MCP client signs in through ThunderID and calls Wayfinder's tools. The server enforces the scopes in the access token before invoking protected tool handlers.
Meet Wayfinder
Wayfinder is the same travel-booking application from the Securing AI Agents tryout, where the in-product Wayfinder Concierge acts as an MCP client from inside the app. This tryout covers the other side: an external MCP client connecting to the same Wayfinder MCP server through its own OAuth application in ThunderID. The application is pre-registered in the bundle; in production, clients that support Dynamic Client Registration can self-register at runtime instead.
Meet the Cast
- John Doe signs in to the external MCP client and picks which
wayfinder:booking:*permissions to grant at consent. He carries theBooking Userrole with read, create, and cancel permissions. - MCP Inspector is the reference debug UI for MCP servers — browser-based, speaks the protocol, supports OAuth-protected servers out of the box.
Sample Architecture
This tryout extends the AI Agents architecture with one new piece:
- External MCP Client: an OAuth client (MCP Inspector) that signs in through ThunderID and calls the Wayfinder MCP server's tools.
The Wayfinder Server validates the issued access token on every MCP call. The server enforces the per-tool scope before invoking protected tool handlers.
Set Up Your Environment
Complete the AI Agents Set Up Your Environment first. The same bundle also seeds the EXTERNAL-MCP-CLIENT application used here.
Verify the New Application
In the ThunderID Console at https://localhost:8090/console, open Applications and confirm EXTERNAL-MCP-CLIENT is listed.
Install MCP Inspector
Launch MCP Inspector locally:
npx @modelcontextprotocol/inspector
Allow Inspector in CORS
Add Inspector's origin to the server-config cors section. Create or update config/resources/server_configs/cors.yaml, or use PUT /server-config/cors after startup:
name: cors
value:
allowedOrigins:
# ...existing entries...
- "http://localhost:6274"
Walkthroughs
Pick a walkthrough to begin. Each one starts from the setup above.
Going Deeper
- Curious how the MCP-specific application and consent step map to ThunderID concepts? See Identity Concepts.
- Prefer to register the application manually? See Configure It Yourself.
- Want to compare server-side and client-side patterns before going to production? See Solution Patterns.