MCP Organization Scopes in PropelAuth

As MCP (Model Context Protocol) becomes the standard way users connect AI assistants like Claude and ChatGPT to SaaS products, one question is becoming impossible to ignore: how do you control what those AI agents are actually allowed to do on your MCP server?
PropelAuth has added two significant upgrades to its MCP Authentication support: organization-level scopes and optional scope opt-out on the consent screen. Together, they give both developers and their users precise control over AI agent permissions, at both the individual and organizational level.
What Are MCP Scopes?
When a user connects an AI client to your MCP server, they go through an OAuth 2.1 flow. During that flow, the client requests a set of MCP scopes - a list of permissions defining what it can do on behalf of the user.
Scopes answer questions like:
- Can this AI agent read my user profile?
- Can it write to my organization's configuration?
- Can it access sensitive financial records?
Until now, PropelAuth MCP scopes were defined at the user level - suitable for personal data, but insufficient when the resources belong to an entire organization.
MCP Organization Scopes: What They Are and Why They Matter
MCP organization scopes (org scopes) let you define permissions that govern shared, organization-level resources: billing records, team configurations, audit logs, or any sensitive data that shouldn't be accessible just because a single team member happens to be authenticating.
Role-Based Access Control for MCP
The key feature of org scopes is their integration with PropelAuth's role system. When you create an org scope, you assign it to specific roles: Owner, Admin, Member, etc. Only users in the appropriate role can consent to granting that scope to an AI client.
For example:
| Scope | Allowed Roles |
|---|---|
| read:sensitive_data | Owner, Admin |
| write:org_config | Owner only |
| view:team_members | All roles |
When a user authenticates, scopes outside their role's reach are grayed out on the consent screen. They simply cannot grant permissions they don't have authority over.
This enforces a rule that's critical for B2B SaaS security:
"Only Admins can consent to an LLM having the `read_sensitive_data` scope for their organization."
Without org scopes, there's no clean way to enforce this. One employee connecting their personal Claude Desktop could inadvertently grant broad access to company-wide data. Org scopes close that gap.
Optional Scope Opt-Out: Granular MCP Consent for Users
The second addition is optional scope opt-out. Previously, MCP authentication was all-or-nothing: a user either accepted the full list of requested scopes or didn't connect at all.
Now, users can deselect individual scopes on the consent screen. They can connect their AI client with a reduced permission set (only granting what they're comfortable with) and expand access later if needed.
This matters for user trust. Giving users agency over their permissions encourages broader adoption of MCP integrations, particularly among security-conscious teams who might otherwise block the connection entirely.
MCP User Scopes vs. Org Scopes: How to Choose
PropelAuth supports two types of MCP scopes, and understanding the distinction is key to modeling permissions correctly.
| Scenario | Use |
|---|---|
| AI client reads/writes personal user data only | User scopes |
| AI client interacts with shared org resources | Org scopes (with role restrictions) |
| AI client does both | Both, scoped appropriately |
User scopes grant access to personal profile data and private resources isolated from the broader organization. Org scopes govern shared resources and permissions at the org level.
If you're building a B2B product where every meaningful action is org-specific, you'll lean heavily on org scopes. Consumer-facing products may only need user scopes.
How MCP Organization Scopes Work End-to-End
Here's the complete flow for MCP authentication with org scopes configured:
- Define your scopes in the PropelAuth dashboard under MCP → Scopes. Create org scopes and assign each to the appropriate roles.
- Include the desired scopes in the OAuth authorize URL when your MCP server initiates the authentication flow.
- The user sees the consent screen. Org scopes they lack the role to grant are grayed out. Optional scopes can be deselected.
- Validate the access token via PropelAuth's Introspection API. The response includes granted scopes, org ID, org role, and org-level permissions:

  ```json
  {
    "active": true,
    "scope": "read:user_data write:org_config",
    "sub": "{USER_ID}",
    "org_id": "{ORG_ID}",
    "users_org_roles": ["Admin"],
    "users_org_permissions": ["can_edit_resource"]
  }
  ```

- Enforce scopes in your MCP tools. Before executing any action, verify the token includes the required scope.
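The two enforcement points in this flow, the consent-screen role check and the per-tool scope check on the introspected token, are easy to get wrong if the tool layer trusts the client. The following is an added example, not PropelAuth's SDK or sample code: it models the dashboard's scope-to-roles table as a plain dict, embeds a constructed introspection response shaped like the one above (the `user_123`/`org_456` values are made up), and shows MCP tool handlers that fail closed when a scope is absent, whether because the user's role could not grant it or because the user deselected it on the consent screen. The real introspection HTTP call is not made; the response is assumed to have already been fetched.

```python
"""Scope enforcement for MCP tools consuming a PropelAuth-style introspection
response. Added example with constructed data; not PropelAuth's own code."""
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Dict, FrozenSet, List

# Mirrors the dashboard configuration described in the article: each org
# scope lists the roles allowed to consent to it. Values are constructed.
ORG_SCOPE_ROLES: Dict[str, FrozenSet[str]] = {
    "read:sensitive_data": frozenset({"Owner", "Admin"}),
    "write:org_config": frozenset({"Owner"}),
    "view:team_members": frozenset({"Owner", "Admin", "Member"}),
}


def grantable_scopes(requested: List[str], user_role: str) -> List[str]:
    """Consent-screen rule: an org scope is grantable only if the user's role
    is assigned to it. Anything not in the org-scope table is treated as a
    user scope, which any authenticated user may grant."""
    return [
        s for s in requested
        if s not in ORG_SCOPE_ROLES or user_role in ORG_SCOPE_ROLES[s]
    ]


# Constructed introspection response, shaped like the article's sample.
SAMPLE_INTROSPECTION = {
    "active": True,
    "scope": "read:user_data write:org_config",
    "sub": "user_123",
    "org_id": "org_456",
    "users_org_roles": ["Admin"],
    "users_org_permissions": ["can_edit_resource"],
}


@dataclass(frozen=True)
class TokenContext:
    user_id: str
    org_id: str
    scopes: FrozenSet[str]
    roles: FrozenSet[str]


def parse_introspection(resp: dict) -> TokenContext:
    """Reject inactive tokens and split the space-separated scope string
    (RFC 7662 format) into a set before any tool logic sees it."""
    if not resp.get("active"):
        raise PermissionError("token is not active")
    return TokenContext(
        user_id=resp["sub"],
        org_id=resp["org_id"],
        scopes=frozenset(resp.get("scope", "").split()),
        roles=frozenset(resp.get("users_org_roles", [])),
    )


def requires_scope(scope: str) -> Callable:
    """Decorator for MCP tool handlers. The token must carry `scope`, and the
    org the tool is asked to act on must be the org the token was issued for,
    so a token for one org cannot drive tools against another."""
    def deco(fn):
        @wraps(fn)
        def wrapper(ctx: TokenContext, org_id: str, *args, **kwargs):
            if org_id != ctx.org_id:
                raise PermissionError(f"token is for org {ctx.org_id}, not {org_id}")
            if scope not in ctx.scopes:
                # Reached both when the role could not grant the scope and
                # when the user deselected it on the consent screen.
                raise PermissionError(f"missing scope {scope!r}")
            return fn(ctx, org_id, *args, **kwargs)
        return wrapper
    return deco


@requires_scope("write:org_config")
def update_org_config(ctx: TokenContext, org_id: str, key: str, value: str) -> dict:
    # Hypothetical tool body: in a real server this would persist the change.
    return {"org": org_id, key: value, "updated_by": ctx.user_id}


@requires_scope("read:sensitive_data")
def read_sensitive_data(ctx: TokenContext, org_id: str) -> dict:
    # Hypothetical tool body returning constructed records.
    return {"org": org_id, "records": ["record-1", "record-2"]}


def denied(fn: Callable, *args) -> bool:
    """True if the tool call is refused with PermissionError."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    ctx = parse_introspection(SAMPLE_INTROSPECTION)
    print(update_org_config(ctx, "org_456", "theme", "dark"))
    print("read:sensitive_data denied:", denied(read_sensitive_data, ctx, "org_456"))
```

Note that the sample token carries `write:org_config` even though its holder is an Admin and the constructed table reserves that scope for Owners; the tool layer does not second-guess that, because the consent screen already applied the role rule at grant time and the token is the authoritative record of what was granted. The tool's job is only to refuse anything the token does not carry and anything aimed at a different org.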
How to Configure MCP Org Scopes in PropelAuth
Setting up org scopes takes only a few minutes:
- Navigate to the MCP → Scopes section of the PropelAuth Dashboard.
- Select the Org Scopes tab.
- Create a new scope and assign it a name (e.g., read:sensitive_data).
- Select which roles can consent to this scope.
- Save. The consent screen will automatically enforce role restrictions.
Optional scope opt-out on the consent screen is enabled automatically with no additional configuration required.
Full documentation is available in the PropelAuth docs.
Why MCP Authentication Security Is a Growing Priority
MCP adoption is accelerating. Claude Desktop, ChatGPT connectors, Cursor, and Windsurf all support it, and more AI clients are adding MCP authentication regularly. As these integrations move from developer experiments into production B2B workflows, the security model around them has to keep pace.
The pattern of "connect an AI agent, grant it broad permissions, hope nothing goes wrong" isn't viable at scale. For B2B SaaS products especially, where a single misconfigured connection can expose data across an entire organization, MCP authentication needs to be as rigorous as any other access control layer. Organization scopes and granular consent get you there, so your users can confidently hand the keys to an AI agent, knowing exactly which doors it can open.