Connecting using external MCP clients

Connect to the MCP Server from external MCP clients such as Claude Desktop or Copilot Studio using OAuth 2.0/OIDC or Bearer token authentication.

Before you begin

To connect to MCP Servers using OAuth, your server must be deployed using dual authentication mode. Follow the post deployment instructions for your platform:

Content Cortex Standalone deployment: See OAuth Configuration for Content Cortex Standalone documentation
CP4BA deployment: See OAuth Client Registration for CP4BA documentation

About this task

External MCP clients can connect to the Content Cortex MCP Server using OAuth 2.0/OIDC for automatic token management or Bearer tokens for direct authentication.

Procedure

Get connection information from your administrator.
You will need:
- MCP server URL (for example, https://your-mcp-server/mcp)
- Authentication mode: OAuth or Bearer token only
Note: If using OAuth, you only need the MCP server URL. The OAuth configuration is automatically discovered by your client.
Choose your connection method.
- Option A: OAuth 2.0/OIDC - Server must be configured in dual mode. Your MCP client must support OAuth 2.0/OIDC. The client automatically discovers OAuth endpoints, handles authorization flow, and manages token refresh.
- Option B: Bearer token - Available in all modes. Best for quick testing and automated scripts. Contact your administrator for instructions on obtaining a JWT token.
Review platform-specific MCP client configuration requirements.
MCP client configuration requirements vary by platform:
- Watson Orchestrate (WXO): Requires a custom object store header and explicit login after configuration.
- Microsoft Copilot Studio: Requires a custom object store header and explicit credential selection.
- Claude Desktop: Does not support custom object store selection.
For detailed platform-specific requirements and step-by-step configuration instructions, see MCP client configuration requirements .

Configure your MCP client based on your chosen authentication method.

Authentication Method Configuration

OAuth (Dual Mode)

Authentication Method	Configuration
OAuth (Dual Mode)	Most MCP clients support OAuth through standard configuration: Server URL: `https://your-mcp-server/mcp` Authentication type: OAuth 2.0 / OIDC The client automatically discovers OAuth endpoints through `.well-known/openid-configuration`, handles the authorization flow, and manages token refresh.
Bearer Token (All Modes)	For clients that support custom headers, use the following JSON configuration: `{ "mcpServers": { "ccx-mcp-server": { "type": "streamable-http", "url": "https://your-server[:port if necessary]/mcp", "headers": { "Authorization": "Bearer <bearer token>", "CS-Object-Store": "OS1" }, "disabled": false, "alwaysAllow": [ ] } } }` Replace `<bearer token>` with your actual JWT token and `OS1` with your CCx object store name.

Most MCP clients support OAuth through standard configuration:

Server URL: https://your-mcp-server/mcp
Authentication type: OAuth 2.0 / OIDC

The client automatically discovers OAuth endpoints through .well-known/openid-configuration, handles the authorization flow, and manages token refresh.

Bearer Token (All Modes)

For clients that support custom headers, use the following JSON configuration:

{
    "mcpServers": {
        "ccx-mcp-server": {
            "type": "streamable-http",
            "url": "https://your-server[:port if necessary]/mcp",
            "headers": {
                "Authorization": "Bearer <bearer token>",
                "CS-Object-Store": "OS1"
            },
            "disabled": false,
            "alwaysAllow": [ ]
        }
    }
}

Replace <bearer token> with your actual JWT token and OS1 with your CCx object store name.

Save the configuration file and restart your MCP client to apply the changes.

Results

The external MCP client connects to the Content Cortex MCP Server and can access the available tools.