> ## Documentation Index
> Fetch the complete documentation index at: https://www.truefoundry.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Get the consent URL for per-user MCP server authorization

> Returns the per-subject auth status for the MCP server. When `status` is `authentication_required`, the response additionally includes an `authorization_endpoint`: a single MCP-gateway-proxied consent URL that seeds the chained consent flow for the requested server. For virtual MCP servers the chain walks every source still needing auth before landing the user on the tenant control-plane `mcp-server-success` page.



## OpenAPI

````yaml /openapi.json get /api/svc/v1/mcp/{mcpServerId}/authorize
openapi: 3.1.0
info:
  title: TrueFoundry API
  description: API for TrueFoundry
  version: 0.1.0
  contact: {}
servers:
  - url: https://{controlPlaneURL}
    variables:
      controlPlaneURL:
        default: app.truefoundry.com
        description: Control Plane URL
security: []
tags:
  - name: Agent
  - name: Agent Skills
  - name: Applications
  - name: Metrics
  - name: Apply
  - name: Artifacts
  - name: Audit Logs
  - name: Clusters
  - name: Jobs
  - name: Logs
  - name: MCP Servers V2
  - name: MLRepos
  - name: Model Deployments
  - name: Models
  - name: Personal Access Tokens
  - name: Prompts
  - name: Provider Integrations
  - name: SCIM v2
  - name: Secret Groups
  - name: Secrets
  - name: Teams
  - name: Traces
  - name: Users
  - name: Virtual Accounts
  - name: Role Bindings
  - name: Workspaces
paths:
  /api/svc/v1/mcp/{mcpServerId}/authorize:
    get:
      tags:
        - MCP Servers V2
      summary: Get the consent URL for per-user MCP server authorization
      description: >-
        Returns the per-subject auth status for the MCP server. When `status` is
        `authentication_required`, the response additionally includes an
        `authorization_endpoint`: a single MCP-gateway-proxied consent URL that
        seeds the chained consent flow for the requested server. For virtual MCP
        servers the chain walks every source still needing auth before landing
        the user on the tenant control-plane `mcp-server-success` page.
      operationId: MCPServerV2.authorize
      parameters:
        - name: mcpServerId
          required: true
          in: path
          description: MCP server id (the `id` returned by `GET /v1/mcp`, not the `name`).
          schema:
            example: mcp-01HXYZ...
            type: string
        - name: gatewayBaseURL
          required: false
          in: query
          description: >-
            Base URL of the MCP gateway (used as the resource indicator and to
            substitute `{{mcpProxyBaseURL}}` for the proxied MCP server URL).
            Defaults to the tenant's `gateway-default` installation URL when
            omitted.
          schema:
            type: string
            nullable: true
        - name: redirectURL
          required: false
          in: query
          description: >-
            URL to redirect the user to after completing the OAuth consent flow.
            Defaults to the tenant's `mcp-server-success` control-plane page
            when omitted.
          schema:
            type: string
            nullable: true
        - name: gatewayBaseURL
          required: false
          in: query
          description: >-
            Base URL of the MCP gateway (used as the resource indicator and to
            substitute `{{mcpProxyBaseURL}}` for the proxied MCP server URL).
            Defaults to the tenant's `gateway-default` installation URL when
            omitted.
          schema:
            type: string
            nullable: true
        - name: redirectURL
          required: false
          in: query
          description: >-
            URL to redirect the user to after completing the OAuth consent flow.
            Defaults to the tenant's `mcp-server-success` control-plane page
            when omitted.
          schema:
            type: string
            nullable: true
      responses:
        '200':
          description: >-
            Per-subject auth status; the AUTHENTICATION_REQUIRED branch carries
            the consent URL to open.
          content:
            application/json:
              schema:
                oneOf:
                  - $ref: '#/components/schemas/MCPServerAuthStatusAuthenticated'
                  - $ref: '#/components/schemas/MCPServerAuthorizeAuthRequired'
                  - $ref: '#/components/schemas/MCPServerAuthStatusAuthNotRequired'
                discriminator:
                  propertyName: status
        '400':
          description: Invalid query (e.g. malformed gateway base URL).
        '404':
          description: MCP server not found.
      security:
        - jwt: []
components:
  schemas:
    MCPServerAuthStatusAuthenticated:
      type: object
      properties:
        status:
          type: string
          enum:
            - authenticated
            - authentication_required
            - authentication_not_required
        method:
          type: string
          enum:
            - oauth
            - auth-override
          description: Authentication source that satisfied this status.
          nullable: true
      required:
        - status
      title: MCPServerAuthStatusAuthenticated
      x-fern-type-name: MCPServerAuthStatusAuthenticated
    MCPServerAuthorizeAuthRequired:
      type: object
      properties:
        status:
          type: string
          enum:
            - authenticated
            - authentication_required
            - authentication_not_required
        method:
          type: string
          enum:
            - oauth
            - auth-override
          description: Authentication source that satisfied this status.
          nullable: true
        reason:
          type: string
          description: >-
            Why the subject has authentication required status (e.g.
            `refresh_failed`, `invalid_grant`).
          example: User needs to complete the OAuth2 authorization flow.
          nullable: true
        authorization_endpoint:
          type: string
          description: >-
            Gateway-proxied consent URL the FE opens in a popup to start the
            per-user consent flow.
      required:
        - status
        - authorization_endpoint
      title: MCPServerAuthorizeAuthRequired
      x-fern-type-name: MCPServerAuthorizeAuthRequired
    MCPServerAuthStatusAuthNotRequired:
      type: object
      properties:
        status:
          type: string
          enum:
            - authenticated
            - authentication_required
            - authentication_not_required
        reason:
          type: string
          description: >-
            Why per-subject auth is not applicable for this server
            configuration.
          example: This MCP server has no authentication configured.
      required:
        - status
        - reason
      title: MCPServerAuthStatusAuthNotRequired
      x-fern-type-name: MCPServerAuthStatusAuthNotRequired
  securitySchemes:
    jwt:
      type: http
      scheme: bearer
      bearerFormat: JWT

````