For AI Agents & MCP Servers

Auth for the agentic web.

Issue JWTs to agents. Verify locally on MCP servers. Enforce scopes and subscription plans, all without per-request calls to the auth server.

RS256 signing · JWKS verification · Scope & plan enforcement

100 MAU free · No credit card · Standard OAuth 2.0

Agent gets a token
client_credentials grant → signed JWT
Agent calls MCP server
Bearer token: self-contained proof
Verify locally via JWKS
No per-request round-trips to the auth server (the JWKS is fetched once and cached)

Minimal integration

A few lines on each side. That's it.

Get a token → call the MCP server → verify locally. Standard OAuth 2.0: any JWT library works.

Agent (get token) · client_credentials
// Exchange the project's client credentials for a signed JWT
// (OAuth 2.0 client_credentials grant).
const res = await fetch(
  "https://auth.astapa.com/api/platform/token",
  {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({
      grant_type: "client_credentials",
      client_id: "proj_xxx",
      client_secret: "secret_xxx", // load from a secret store, never commit it
    }),
  }
);
if (!res.ok) throw new Error(`token request failed: ${res.status}`);

// Send this as "Authorization: Bearer <access_token>" on every MCP call.
const { access_token } = await res.json();
MCP Server (verify + authorize) · RS256 + JWKS
// "@/lib/mcp-auth" is a project-local path alias: your own thin helper on
// top of any standard JWT library that can verify RS256 against a JWKS.
import { createMcpAuth } from "@/lib/mcp-auth";

const auth = createMcpAuth({
  jwksUrl: "https://auth.astapa.com" +
    "/.well-known/jwks.json",
  issuer: "auth.astapa.com",  // must equal the token's iss claim
  audience: "my-mcp-server",  // must equal the token's aud claim
});

// The Bearer credential from the incoming request's Authorization header
// (`req` stands for your framework's request object; assumed here).
const token = req.headers.authorization?.replace(/^Bearer\s+/i, "") ?? "";

// Verifies signature, iss, aud and exp first; only then applies policy.
const result = await auth.verifyAndAuthorize(
  token,
  {
    requiredScopes: ["tool:read"],        // every listed scope must be in the token
    allowedPlans: ["pro", "enterprise"],  // the token's plan must be one of these
  }
);

Built for production

Security primitives. No shortcuts.

Everything you need to authenticate and authorize AI agents on MCP servers. Standard protocols, zero proprietary lock-in.

RS256 asymmetric signing

Private key stays on Astapa. MCP servers only need the public key via JWKS.

JWKS caching with TTL

Keys cached in-memory. Refetch only on cache miss or key rotation. No per-request calls.

Scope-based access control

Scopes such as tool:read, tool:write and tool:admin enforce granular permissions per tool call.

Plan-based feature gating

Free, Pro, Enterprise: restrict tools by subscription tier automatically.

Zero-trust verification

The signature is checked against the issuer's public key from the JWKS, and iss, aud and exp are enforced before any scope or plan decision is made. No trust without proof.

Stateless by design

No sessions. No database lookups on the MCP server. The JWT is self-contained. The flip side of doing no lookups is that a token stays valid until its exp, so keep lifetimes short.

What's in the token

Every M2M JWT includes these claims out of the box. Scopes and plan are derived from your project configuration.

JWT Payload · RS256
{
  "iss": "auth.astapa.com",
  "sub": "proj_abc123",
  "org_id": "builder_uuid",
  "aud": "my-mcp-server",
  "exp": 1742540400,
  "scopes": ["tool:read", "tool:write"],
  "plan": "pro",
  "environment": "production"
}

RS256 · JWKS · OAuth 2.0

Ready to secure your MCP tools?

Create a project, get your credentials, and start issuing tokens in minutes.

100 MAU free · No credit card · Standard OAuth 2.0

For AI Agents: MCP Authentication & Scope Control | Astapa