Is your feature request related to a problem?
For organizations that want to deploy dbt-mcp as a remote MCP endpoint, inbound authentication is currently tied to dbt credentials and/or per-user dbt Cloud access patterns. This creates friction for enterprise deployments that already standardize access through a central IdP and service identities.
A common use case is exposing metadata and Semantic Layer capabilities through a managed MCP gateway without requiring every consumer to have an individual dbt Cloud user account.
Describe the solution you'd like
Add optional, first-class OIDC authentication for inbound requests to the dbt-mcp server when running over HTTP transports (for example, streamable-http and sse).
Key points:
- Keep this separate from existing dbt Cloud authentication/token flows used by dbt APIs.
- Allow configuring OIDC resource-server behavior via dedicated env vars (issuer, resource URL/audience, introspection or JWKS settings, required scopes).
- Validate bearer tokens against the configured OIDC provider (signature via JWKS or introspection, then issuer, audience and expiry) and enforce required scopes before any tool call is dispatched.
- Document a recommended deployment pattern for remote MCP (for example, Keycloak/Okta/Entra ID).
This would make it much easier for organizations to deploy remote MCP behind enterprise identity controls while still enabling metadata + Semantic Layer workflows.
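To make the resource-server behaviour concrete, here is an added example of the token check described above. It is illustration only, not code from dbt-mcp or from this request, and it assumes hypothetical env var names (DBT_MCP_OIDC_ISSUER, DBT_MCP_OIDC_AUDIENCE, DBT_MCP_OIDC_JWKS, DBT_MCP_OIDC_REQUIRED_SCOPES), a constructed "oct" (HS256) JWK so it runs offline with the standard library, and a constructed issuer/audience pair. A real IdP publishes RS256/ES256 keys at its JWKS URL; the allow-list, kid lookup, claim checks and scope enforcement would be the same.

```python
"""Bearer-token validation for an HTTP MCP endpoint (added example, not dbt-mcp code).

Assumptions: HS256 "oct" JWK instead of the asymmetric keys a real IdP serves via
JWKS (so the check runs offline); hypothetical env var names; constructed claims.
"""
import base64
import hashlib
import hmac
import json
import os
import time


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


class AuthError(Exception):
    """Any reason the request must be rejected with 401/403."""


class OidcResourceServer:
    # Allow-list the algorithms you configured; never honour the token's own "alg"
    # blindly (this is what rejects alg=none and key-type confusion).
    ALLOWED_ALGS = {"HS256"}  # a real deployment lists RS256/ES256 here instead

    def __init__(self, issuer, audience, jwks, required_scopes, clock=time.time):
        self.issuer, self.audience, self.clock = issuer, audience, clock
        self.keys = {k["kid"]: k for k in jwks["keys"]}  # kid -> JWK
        self.required_scopes = set(required_scopes)

    @classmethod
    def from_env(cls, env=os.environ):
        # Hypothetical variable names; the request only asks for dedicated vars.
        return cls(env["DBT_MCP_OIDC_ISSUER"], env["DBT_MCP_OIDC_AUDIENCE"],
                   json.loads(env["DBT_MCP_OIDC_JWKS"]),
                   env.get("DBT_MCP_OIDC_REQUIRED_SCOPES", "").split())

    def authenticate(self, authorization_header: str) -> dict:
        scheme, _, token = authorization_header.partition(" ")
        if scheme.lower() != "bearer" or not token:
            raise AuthError("missing bearer token")
        try:
            h64, p64, s64 = token.split(".")
            header, payload = json.loads(b64url_decode(h64)), json.loads(b64url_decode(p64))
        except ValueError:  # wrong part count, bad base64, or bad JSON
            raise AuthError("malformed token")
        if header.get("alg") not in self.ALLOWED_ALGS:
            raise AuthError("unsupported alg")
        key = self.keys.get(header.get("kid"))
        if key is None or key.get("kty") != "oct":
            raise AuthError("unknown kid")
        mac = hmac.new(b64url_decode(key["k"]), f"{h64}.{p64}".encode(), hashlib.sha256)
        if not hmac.compare_digest(mac.digest(), b64url_decode(s64)):
            raise AuthError("bad signature")
        # Signature is good: now the claims. Order matters only after the signature check.
        now = self.clock()
        if payload.get("iss") != self.issuer:
            raise AuthError("wrong issuer")
        aud = payload.get("aud")
        if self.audience not in (aud if isinstance(aud, list) else [aud]):
            raise AuthError("wrong audience")
        if "exp" not in payload or now >= payload["exp"]:
            raise AuthError("expired")
        if now < payload.get("nbf", 0):
            raise AuthError("not yet valid")
        missing = self.required_scopes - set(payload.get("scope", "").split())
        if missing:
            raise AuthError(f"missing scopes: {sorted(missing)}")
        return payload


def mint_token(key: dict, claims: dict, alg: str = "HS256") -> str:
    """Constructed test tokens only; the IdP mints real ones."""
    h64 = b64url_encode(json.dumps({"alg": alg, "kid": key["kid"]}).encode())
    p64 = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(b64url_decode(key["k"]), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    return f"{h64}.{p64}.{b64url_encode(sig)}"


# Constructed sample JWKS, server config and claims (not real endpoints or keys).
SAMPLE_KEY = {"kty": "oct", "kid": "k1", "k": b64url_encode(b"constructed-demo-secret-32-bytes!!")}
SERVER = OidcResourceServer(issuer="https://idp.example/realms/data",
                            audience="https://mcp.example/dbt",
                            jwks={"keys": [SAMPLE_KEY]},
                            required_scopes=["mcp:metadata", "mcp:semantic-layer"],
                            clock=lambda: 1_700_000_000)
GOOD = {"iss": "https://idp.example/realms/data", "aud": "https://mcp.example/dbt",
        "exp": 1_700_003_600, "scope": "mcp:metadata mcp:semantic-layer"}


def check(claims: dict, key: dict = SAMPLE_KEY, alg: str = "HS256") -> str:
    """Return 'ok' or the rejection reason for a token carrying `claims`."""
    try:
        SERVER.authenticate(f"Bearer {mint_token(key, claims, alg)}")
        return "ok"
    except AuthError as e:
        return str(e)


if __name__ == "__main__":
    for claims in (GOOD, {**GOOD, "scope": "mcp:metadata"}, {**GOOD, "aud": "other-api"}):
        print(check(claims))
```

The two checks worth keeping even if everything else is delegated to a library are the algorithm allow-list (the token's header must never choose the verification method) and the audience check (a token minted for another resource behind the same IdP must not open the MCP endpoint). Scopes such as mcp:metadata and mcp:semantic-layer are placeholders; the request leaves the actual scope names to the implementation.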
Describe alternatives you've considered
- Requiring each end user to provide dbt Cloud PATs/tokens directly.
- Implementing auth only at a reverse proxy layer.
Both can work, but neither provides a clear, built-in, MCP-server-level auth pattern that maps cleanly to enterprise OIDC standards.
Additional context
Related context:
I’m willing to open a PR for this feature if the maintainers are aligned on approach.