AI MCP OAuth2

AI License Required, Tech Preview
Made by: Kong Inc.
Supported Gateway Topologies: hybrid, db-less, traditional
Supported Konnect Deployments: hybrid, cloud-gateways, serverless
Compatible Protocols: grpc, grpcs, http, https
Minimum Version: Kong Gateway - 3.12

3.13.0.0

Release date 2025/12/18

Bugfix

  • Fixed an issue where MCP-like requests were not authenticated.

  • Fixed an issue where the oidc schema was polluted during merging.

  • Fixed an issue where a resource without a path was not handled correctly.

  • Fixed an issue where there was an unexpected required: false in the plugin schema.

  • Fixed an issue where x-forwarded-* headers were not respected.

3.12.0.2

Release date 2025/12/10

Bugfix

  • Fixed an issue where MCP-like requests were not authenticated. Previously, only requests that satisfied the MCP spec were authenticated, so an attacker could bypass authentication by sending an MCP-like request. The plugin now authenticates all requests.

  • Fixed an issue where the oidc schema was polluted during merging.

  • Fixed an issue where a resource without a path was not handled correctly.

  • Fixed an issue where x-forwarded-* headers were not respected.

3.12.0.0

Release date 2025/10/01

Feature

  • Introduced the AI MCP OAuth2 plugin, which protects MCP traffic with OAuth2.

  • Dropped the enabled field, as the plugin table already has one.
