Early access. This feature is in early access, which means it’s undergoing ongoing testing and development while we gather feedback, validate functionality, and improve outputs. Contact the C1 Support team if you’d like to try it out or share feedback.
With enterprise-managed authorization, you authenticate once to C1, and from then on your AI agent can reach the MCP servers you’ve been granted access to — no per-tool login, and no long-lived API keys. Your agent signs you in to C1, exchanges your identity for a short-lived token scoped to the server you want, and calls that server directly. What this looks like in your client depends on which one you use: in Claude it shows up as “enterprise-managed auth” through connectors, and in VS Code as “enterprise-managed MCP authentication.” Either way, it connects to the same enterprise-managed authorization your C1 admin set up.

How setup is divided

Connecting your MCP client to C1 involves three people — you don’t need an admin role for your part:
  • Your C1 admin enables enterprise-managed authorization, registers the MCP servers, and grants you access.
  • The owner of each MCP server configures it to trust C1 as a token issuer. See Support enterprise-managed authorization in your MCP server.
  • You connect your client to C1 and add each server, which is what this guide covers.
If your agent runs as its own identity, a service principal, rather than as you, the connection is set up against that identity instead. See Service principals.
Enterprise-managed authorization in Claude Code is gated by the CLAUDE_CODE_ENABLE_XAA=1 environment variable and is experimental today. A future Claude Code release may simplify this, but the setup flow described here is not expected to change materially.

Before you begin

Collect the following from the people who own each piece. Without all of it, the token request fails. The last item is the most commonly overlooked: if you haven’t been granted access in C1, the exchange is denied even when everything else is correct.
| What to collect | Who provides it |
| --- | --- |
| Your C1 issuer URL | Your C1 admin |
| The agent client’s ID and secret at C1 (your agent’s identity at C1, used to sign you in) | Your C1 admin |
| For each MCP server: its URL, plus a client ID and secret at that server’s authorization server (a different credential) | The server owner |
| Confirmation that the server already trusts C1 as a token issuer | The server owner |
| Confirmation that your access is already granted, meaning you requested the scope or access profile in C1 | You |

Set up your client

Select your client for setup instructions.
1. Turn on the feature. Set CLAUDE_CODE_ENABLE_XAA=1 in your shell profile so it persists. The gate is checked both when you run the commands below and when your agent connects to a server.

    export CLAUDE_CODE_ENABLE_XAA=1

2. Connect to C1 once. This configures the one C1 connection that every server reuses. Put the agent client’s secret in the environment variable that --client-secret reads, then run setup.

    export MCP_XAA_IDP_CLIENT_SECRET='<your IdP client secret>'
    claude mcp xaa setup --issuer <your C1 URL> --client-id <your IdP client ID> --client-secret

   The --client-secret flag takes no inline value. It reads the secret from MCP_XAA_IDP_CLIENT_SECRET. Add --callback-port <port> only if your C1 connection doesn’t allow any loopback port for the browser sign-in.

3. Sign in to C1. This opens C1 in your browser and caches the session.

    claude mcp xaa login

   If you can’t use a browser, pass a C1-issued ID token directly instead: claude mcp xaa login --id-token <C1 id_token>.

4. Add an MCP server. Give Claude Code the server’s URL and the client credentials for that server’s authorization server. These are different from the C1 credentials in step 2. Repeat this step for each server you want to use.

    claude mcp add --xaa --transport <http|sse> <name> <url> --client-id <client ID at the server's AS> --client-secret

   Set --transport to http or sse to match the server; only HTTP and SSE servers are supported. The --client-secret flag takes no inline value — it prompts you for the secret, or reads it from MCP_CLIENT_SECRET. This is a different environment variable than the one in step 2.

5. Use the server in Claude Code. Your agent obtains a token in the background when it calls the server. There’s nothing more to run.

Manage your connection

Use these commands to check or reset your C1 connection:
  • claude mcp xaa show checks your current connection.
  • claude mcp xaa login --force signs you in to C1 again, for example after your access was reset.
  • claude mcp xaa clear clears the connection so you can start over.

When something doesn’t work

Find the error you’re seeing below for the cause and who to ask.
| What you see | What it means and who to ask |
| --- | --- |
| XAA is not enabled (set CLAUDE_CODE_ENABLE_XAA=1) | The gate is off. Set CLAUDE_CODE_ENABLE_XAA=1 in your shell profile and restart your shell. |
| XAA: no IdP connection configured | You haven’t connected to C1 yet. Run claude mcp xaa setup, then claude mcp xaa login. |
| XAA: server '<name>' needs an AS client_id or a missing AS client secret | The server is missing its client ID or secret. Re-run claude mcp add --xaa for that server. |
| Resource server does not implement OAuth 2.0 Protected Resource Metadata, PRM discovery failed, or no authorization server supports jwt-bearer | The server doesn’t publish the metadata C1 needs, or doesn’t support the JWT bearer grant. Ask the server owner to finish setup. See Support enterprise-managed authorization in your MCP server. |
| The token request is denied because you don’t have the scope | Your access hasn’t been granted. Ask your C1 admin to grant you the scope or access profile. |
| The server rejects the token even though sign-in worked | The token’s signature may use an algorithm the server doesn’t verify. Ask your C1 admin to check the signing algorithm set for that server. |
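
The metadata and jwt-bearer errors in the table above can be told apart before you contact the server owner. The following is an added example, not C1's or Claude Code's own code: it assumes the metadata sits at the RFC 9728 and RFC 8414 well-known paths, takes a hypothetical `fetch` callable, and runs against constructed sample documents for example.com hosts.

```python
from urllib.parse import urlsplit

# RFC 7523 grant type that the "supports jwt-bearer" error refers to.
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"

def well_known(url, suffix):
    """Insert /.well-known/<suffix> between host and path (RFC 9728 / RFC 8414)."""
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}/.well-known/{suffix}{u.path.rstrip('/')}"

def diagnose(server_url, fetch):
    """Return (status, detail). fetch(url) is a hypothetical callable that
    returns the parsed JSON document, or None when the URL serves nothing."""
    prm = fetch(well_known(server_url, "oauth-protected-resource"))
    if prm is None:
        return ("no-prm", "server publishes no Protected Resource Metadata")
    issuers = prm.get("authorization_servers") or []
    if not issuers:
        return ("prm-incomplete", "metadata lists no authorization_servers")
    for issuer in issuers:
        meta = fetch(well_known(issuer, "oauth-authorization-server"))
        # An absent grant_types_supported never implies jwt-bearer.
        if meta and JWT_BEARER in meta.get("grant_types_supported", []):
            return ("ok", issuer)
    return ("no-jwt-bearer", "no listed authorization server advertises it")

# Constructed sample metadata, keyed by URL (not from a real deployment).
SAMPLE = {
    "https://mcp.example.com/.well-known/oauth-protected-resource/mcp": {
        "resource": "https://mcp.example.com/mcp",
        "authorization_servers": ["https://as.example.com"],
    },
    "https://as.example.com/.well-known/oauth-authorization-server": {
        "issuer": "https://as.example.com",
        "grant_types_supported": ["authorization_code", JWT_BEARER],
    },
    "https://legacy.example.com/.well-known/oauth-protected-resource/mcp": {
        "resource": "https://legacy.example.com/mcp",
        "authorization_servers": ["https://old-as.example.com"],
    },
    "https://old-as.example.com/.well-known/oauth-authorization-server": {
        "issuer": "https://old-as.example.com",
        "grant_types_supported": ["authorization_code", "refresh_token"],
    },
}

if __name__ == "__main__":
    for host in ("mcp", "legacy", "missing"):
        print(host, diagnose(f"https://{host}.example.com/mcp", SAMPLE.get))
```

To check a real server, replace `SAMPLE.get` with a function that performs an HTTPS GET and returns the decoded JSON, or None on a non-200 response.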