This topic guides you through setting up OAuth 2.0 authentication for Model Context Protocol (MCP) inbound tools within Automation Anywhere.

Implementing OAuth provides a more secure and robust method for third-party AI assistants to interact with your Automation Anywhere automations, maintaining user identity and enforcing role-based access control (RBAC) without requiring users to manually enter credentials. Follow these steps to configure OAuth 2.0 support for MCP inbound tools. The process involves configuration in both the Control Room and your third-party AI assistant (e.g., Microsoft Copilot Studio).

Prerequisites

Before configuring OAuth 2.0 support, ensure the following requirements are met:

  • User License: The user configuring and accessing the MCP tools must have an Attended Bot Runner license assigned.
  • Device Connection: The Attended Bot Runner user must be connected to a registered local device in the Control Room. Verify that the bot configuration is correct and can run successfully from the Control Room.

Required permissions:

  • AI permissions:
    • View Agent Connections: To see inbound and outbound tools and connections.
    • Manage Agent Connections: To configure and manage inbound and outbound tools and connections.
  • API permission: Generate API Key.
  • Bot permissions:
    • View my bots and Run my bots.
    • Ensure that the required bots are assigned to the user's role through RBAC. For more information, see RBAC in Control Room.

Procedure

  1. Register Control Room with OAuth2 services: This step registers the Control Room as a trusted OAuth 2.0 authorization server so that it can issue and validate tokens for inbound MCP requests. Because MCP inbound authentication relies on the Control Room itself acting as the identity authority, this registration is required before you can create an OAuth client or connect a third-party AI assistant. The Control Room supports standard identity providers for this registration, including OIDC (OpenID Connect) and SAML-based authentication. If your organization has an existing IdP, you can configure the Control Room to use it during registration.
    1. In the Control Room, navigate to Settings.
    2. Register the OAuth 2.0 configuration by logging in with your Control Room administrator credentials and generating a token to validate and register the OAuth 2.0 services. For more information, see Configure OAuth connections in Control Room.
      Confirmation: A confirmation message appears when the registration is complete.
  2. Create an OAuth Client.
    1. Navigate to Manage > OAuth client.
    2. Click Create client to create a new client.
    3. Enter a descriptive Application name, for example, MCP Inbound Client.
    4. Select the Application type that matches your MCP client deployment: Regular web or Single page application. For detailed information about application types and how to configure OAuth clients, see Configure OAuth clients.
    5. Optional: Enter a description.
      Note: You can leave the Redirect URI field empty when creating the OAuth client for MCP inbound. The Redirect URL is generated by the MCP client (third-party AI assistant) during tool configuration and must be added later in Step 5.
    6. Click Create client.
    Upon successful creation, the system will generate crucial details like Client ID, Secret ID, and other necessary information. Keep these details accessible as you will need them for the next steps.
  3. Add an MCP tool in your third-party AI assistant.
    1. Sign in to your third-party AI assistant, such as Microsoft Copilot Studio or ChatGPT.
    2. Navigate to the Tools section and select the option to add a Model Context Protocol (MCP) tool.
    3. Enter a server name (for example, Automation 360 MCP Server) and a Description for the tool.
    4. Enter the server URL. This is your Automation Anywhere Control Room URL followed by /mcp (e.g., https://your-control-room-url/mcp). For more information on setting up Copilot, see Connect your agent to an existing Model Context Protocol (MCP) server.
      Note: Only the Manual authentication method is supported for OAuth with MCP. When configuring the MCP tool in your third-party AI assistant, select Manual as the OAuth type.
  4. Configure OAuth 2.0 Authentication.
    1. From the OAuth client details you obtained in the Control Room (Step 2), copy the Client ID, Secret ID, Authorization URL, Token URL, and Refresh URL.
    2. Paste these copied details into the corresponding fields within your third-party AI assistant's MCP tool authentication configuration.
  5. Update Redirect URL in Control Room.
    1. After you complete the MCP tool creation in your third-party AI assistant, it will generate a Redirect URL.
    2. Copy this Redirect URL from your third-party AI assistant.
    3. Return to the Control Room's OAuth clients section and edit the client you created in Step 2.
    4. Paste the copied Redirect URL into the client's configuration.
    5. Save the changes.
    This completes the integration and establishes a secure connection between the Control Room and the third-party AI assistant.
  6. Establish User Connection in the Third-Party AI Assistant: When you first use the integrated MCP tool within the third-party AI assistant, you are prompted to authenticate. Follow the OAuth flow to grant permission using your Automation Anywhere Control Room credentials.
    A successful connection is established.
  7. Access and Trigger Tools (automations/AI Agents/processes).
    1. Once the connection is established, the third-party AI assistant will list the available tools from the Automation Anywhere MCP server. These include standard static tools like DiscoverAutomation, RunAutomation, and GetAutomationResult, along with any custom inbound tools you have configured in the Control Room.
    2. Role-Based Access Control (RBAC): The visibility and execution capabilities of these tools are strictly governed by the user's RBAC permissions configured in the Control Room. For instance, a user will only discover or be able to run automations for which they possess View my bots and Run my bots privileges.
    You can now trigger automations conversationally via the third-party assistant, using natural language to initiate tasks.
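
A pre-flight check for the URLs entered in Steps 3 to 5, as an added example that is not Automation Anywhere code. The function name, the dictionary keys, the endpoint paths and the hosts in the sample are constructed; the same-host rule assumes the Control Room serves the OAuth endpoints itself, as Step 1 describes.

```python
from urllib.parse import urlsplit

REQUIRED = ("server_url", "authorization_url", "token_url",
            "refresh_url", "redirect_url")

def check_mcp_oauth_config(cfg, assistant_hosts):
    """Return a list of problems in the URLs copied during Steps 3-5.

    cfg: dict with the REQUIRED keys (hypothetical names for the form fields).
    assistant_hosts: hosts you expect the assistant's Redirect URL to use.
    """
    missing = [k for k in REQUIRED if not cfg.get(k)]
    if missing:
        return [f"{k}: missing" for k in missing]
    parts = {k: urlsplit(cfg[k]) for k in REQUIRED}
    problems = []
    # Authorization codes and tokens travel over every one of these URLs.
    for name, u in parts.items():
        if u.scheme != "https" or not u.hostname:
            problems.append(f"{name}: must be an absolute https URL")
        if u.username or u.password:
            problems.append(f"{name}: must not embed credentials")
    server = parts["server_url"]
    if server.path.rstrip("/") != "/mcp":
        problems.append("server_url: must be the Control Room URL plus /mcp")
    # Assumption: the Control Room is the authorization server (Step 1),
    # so its OAuth endpoints share the host of the MCP server URL.
    for name in ("authorization_url", "token_url", "refresh_url"):
        if parts[name].hostname != server.hostname:
            problems.append(f"{name}: host differs from the Control Room")
    redirect = parts["redirect_url"]
    if redirect.fragment:
        problems.append("redirect_url: must not contain a fragment")
    if "*" in cfg["redirect_url"]:
        problems.append("redirect_url: wildcards are not allowed")
    if redirect.hostname not in assistant_hosts:
        problems.append("redirect_url: host is not an expected assistant")
    return problems

# Constructed sample values; the endpoint paths are placeholders.
GOOD = {
    "server_url": "https://cr.example.com/mcp",
    "authorization_url": "https://cr.example.com/placeholder/authorize",
    "token_url": "https://cr.example.com/placeholder/token",
    "refresh_url": "https://cr.example.com/placeholder/refresh",
    "redirect_url": "https://assistant.example.net/callback/abc123",
}
BAD = dict(GOOD, server_url="http://cr.example.com/mcp",
           token_url="https://login.other.example/token",
           redirect_url="https://*.example.net/cb#x")
```

Run it on the values before saving the Redirect URL in Step 5; an empty list means none of the checks fired.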
MCP client behavior when authentication headers are missing or invalid
  • If authentication headers are missing or incorrect, the MCP client attempts OAuth authentication automatically.
  • If authentication fails, the MCP client displays an error message similar to:
    {"error": "Unauthorized", "message": "Missing or invalid headers: API_KEY, USER_NAME, Authorization or X-AUTH"}
  • Depending on the MCP client implementation (for example, Microsoft Copilot or other MCP-compatible clients), additional error messages might appear indicating that OAuth authentication failed.
Note: Error messages might vary depending on the MCP client used.
Token handling
  • The MCP client automatically manages access token refresh when the token expires.
  • You are not required to manually refresh tokens during normal operation.
Authentication methods

MCP inbound supports OAuth-based authentication using standard identity providers, including:

  • OIDC (OpenID Connect)
  • SAML-based authentication

The authentication experience (for example, login prompts or consent screens) depends on the configured identity provider.