Skip to main content
Early access. This feature is in early access, which means it’s undergoing ongoing testing and development while we gather feedback, validate functionality, and improve outputs. Contact the C1 Support team if you’d like to try it out or share feedback.
Register an MCP server to tell C1 which server to issue tokens for and how those tokens are addressed. This is step 2 of the enterprise-managed authorization setup. If you haven’t enabled enterprise-managed authorization for your tenant yet, start with Enable enterprise-managed authorization.

What’s a resource server?

In the protocol, the MCP server you register is the resource server — the system C1 issues tokens for. You register one per server, keyed to that server’s authorization server. The token C1 mints is addressed to that authorization server, which verifies C1’s signature and exchanges the token for an access token the agent uses to call the server.

Before you begin

Register an MCP server

The MCP server is registered on the C1 application that represents it. The Cross-App Access tab only appears once enterprise-managed authorization is enabled for your tenant.
1
Go to Apps, open the application, and open its Cross-App Access tab.
2
Click Register resource server.This opens the Register resource server drawer. There is no per-application enable toggle — enablement is the tenant-level setting on the Enable enterprise-managed authorization page.
3
Enter a Display name (required), and optionally a Description.
4
Set the Audience (required).The audience is the issuer URL of the MCP server’s authorization server. It is fixed once the resource server is created, so set it correctly the first time. The audience must not be your own C1 tenant URL. C1 is the token issuer, not the audience.
5
Add the Resource URIs.These are the MCP server URLs the agent will call. Type each URI and press Enter to add it. A token request that names a target outside the configured resource URIs is denied.
6
Optional. Set a Maximum grant lifetime and a Signing algorithm.Maximum grant lifetime is a duration picker — leave it on Indefinite to inherit the tenant default (which resolves to 300 seconds / 5 minutes if the tenant hasn’t set one). Indefinite means “inherit the tenant default,” not “tokens never expire.” Signing algorithm defaults to Inherit (default) (your tenant’s default); the other options are EdDSA, RS256, and ES256. Change it only if this server’s authorization server verifies a different algorithm. The algorithm you pick must be maintained at the tenant (have a signing key), or every token request for this server is denied.
7
Click Register.The new resource server appears in the table on the Cross-App Access tab. Click its name to open its detail page, where you manage Scopes and Access profiles.
The drawer also exposes two advanced switches: Require proof of possession, and Disabled (kill switch) (see Pause an MCP server).

Modify-claims hook (not yet available)

The resource server drawer shows a Modify-claims hook field, intended for attaching a Function that would run when C1 mints a token for this server. This capability is not yet functional — the field is reserved for a future release.
Don’t configure a modify-claims hook. It is not implemented yet, and setting one causes C1 to deny every token request for this server. Leave the field unset.

Pause an MCP server

To pause a server, disable its resource server. In the UI this is the Disable action — use the menu on the resource server’s row (or on its detail page), or toggle Disabled (kill switch) in the resource server drawer. Re-enabling is the Enable action in the same menu. Disabling a resource server is a per-server off switch. It denies new token requests for that server without deleting its configuration. The audience, resource URIs, signing algorithm, and scope setup are kept, so re-enabling restores the server as it was. Disabling a server does not stop a token that has already been minted. An issued token keeps working until it expires, which is a few minutes by default. It affects the next token request, not tokens already in use.

Troubleshoot resource server errors

If a token request is denied, or a server rejects a token C1 issued, find your issue below.
The token’s audience does not match a registered resource server. Confirm the resource server’s audience is the issuer URL of the MCP server’s authorization server, and that it matches what the agent’s client is asking for. The audience is fixed after creation, so a mismatch means re-registering the server with the correct audience.
The token request names a target that isn’t in the resource server’s configured resource URLs, so C1 denies it. Add the URL the agent is calling to the resource URLs for this server.
C1 minted the token, but the server’s authorization server rejected its signature. The server verifies a different algorithm than the one this resource server is signing with. Set this server’s signing algorithm to one its authorization server verifies. ES256 is the broadest choice.

Where to go from here