auth0 · jtemporal · Feb 3, 2026 · Jan 22, 2026 · Jan 22, 2026 · Jan 22, 2026
@@ -9,6 +9,13 @@ twitter:title: "Auth0 for AI Agents Product Updates"
 twitter:description: "Product updates changelog and release notes"
 permalink: "/changelog/product-updates"
 ---
+
+<Update label="Jan 30, 2026" tags={["Auth for MCP", "Quickstart"]}>
+  Added a new quickstart in Auth for MCP: "Control Access to MCP Tools with FGA"
+
+  [View all Auth for MCP Quickstarts here.](/mcp/get-started/overview)
+</Update>
+
 <Update label="Sept 19, 2025" tags={["Integrations"]}>
   Added support for new Integrations. AI Agents can now connect to:
   - Basecamp
@@ -21,7 +28,6 @@ permalink: "/changelog/product-updates"
   [View all supported Integrations here.](/integrations/overview)
 </Update>
 
-
 <Update label="Sept 17, 2025" tags={["Integrations"]}>
   Added support for new Integrations. AI Agents can now connect to:
   - Amazon

@@ -184,7 +184,8 @@
             "pages": [
               "mcp/get-started/overview",
               "mcp/get-started/authorization-for-your-mcp-server",
-              "mcp/get-started/call-your-apis-on-users-behalf"
+              "mcp/get-started/call-your-apis-on-users-behalf",
+              "mcp/get-started/secure-mcp-server-with-auth0-fga"
             ]
           },{
             "group": "Sample Apps",

@@ -12,6 +12,7 @@ permalink: "/mcp/get-started/call-your-apis-on-users-behalf"
 
 import MCPGetStartedPrerequisites from "/snippets/mcp/get-started/pre-reqs/prerequisites.mdx";
 import MCPGetStartedConfigTenantSettings from "/snippets/mcp/get-started/config-tenant/config-tenant-settings.mdx";
+import MCPGetStartedCreateRoles from "/snippets/mcp/get-started/config-tenant/roles-management.mdx";
 import CreateProfile from "/snippets/mcp/get-started/create-custom-token-exchange-profile.mdx";
 import CreateMCPAPI from "/snippets/mcp/get-started/create-mcp-api.mdx";
 import AssignPermissionsToRoles from "/snippets/mcp/get-started/config-tenant/assign-permissions-to-roles.mdx";
@@ -35,8 +36,14 @@ By the end of this quickstart, you should have an MCP server that can:
 
 <MCPGetStartedPrerequisites />
 
+## Configure tenant settings
+
+<AccordionGroup>
 <MCPGetStartedConfigTenantSettings />
 
+<MCPGetStartedCreateRoles />
+</AccordionGroup>
+
 ## Set up the Auth0 Applications and APIs
 
 When an MCP server needs to call underlying APIs, it needs to perform a Custom Token Exchange to obtain an access token with the audience set to the API rather than the MCP server itself. Because of this architecture, the MCP server acts in a dual role.

@@ -24,4 +24,9 @@ Secure your MCP servers, enable API access, and implement standards-based client
 <Card title ="Call Your APIs on User's Behalf" icon="shapes" href="./call-your-apis-on-users-behalf" iconType="solid" vertical>
   Enable your MCP servers to make calls to your protected first-party APIs
 </Card>
+
+<Card title="Secure MCP Server with Auth0 FGA" icon="shield" href="./secure-mcp-server-with-auth0-fga" iconType="solid" vertical>
+  Implement fine-grained authorization for your MCP tools with roles, groups, and temporal access
+</Card>
+
 </Columns>
@@ -0,0 +1,283 @@
+---
+title: Control Access to MCP Tools with FGA
+description: Learn how to implement fine-grained authorization for your MCP server tools using Auth0 FGA with roles, groups, and temporal access.
+sidebarTitle: Control Access to MCP Tools
+og:title: "Control Access to MCP Tools with FGA - Auth for MCP Quickstart"
+og:description: "Learn how to implement fine-grained authorization for your MCP server tools using Auth0 FGA."
+og:url: "https://auth0.com/ai/docs"
+twitter:title: "Control Access to MCP Tools with FGA - Auth for MCP Quickstart"
+twitter:description: "Learn how to implement fine-grained authorization for your MCP server tools using Auth0 FGA."
+permalink: "/mcp/get-started/secure-mcp-server-with-auth0-fga"
+---
+
+import MCPGetStartedPrerequisites from "/snippets/mcp/get-started/pre-reqs/prerequisites.mdx";
+import MCPGetStartedConfigTenantSettings from "/snippets/mcp/get-started/config-tenant/config-tenant-settings.mdx";
+import CreateMCPAPI from "/snippets/mcp/get-started/create-mcp-api.mdx";
+import FGACLIInstallation from "/snippets/mcp/get-started/fga/fga-cli-installation.mdx";
+import FGAStoreSetupOverview from "/snippets/mcp/get-started/fga/fga-store-setup-overview.mdx";
+import SetupFGAStoreCLI from "/snippets/mcp/get-started/fga/setup-fga-store-cli.mdx";
+import FGAModelExplanation from "/snippets/mcp/get-started/fga/fga-model-explanation.mdx";
+import CreateEnvFileFGA from "/snippets/mcp/get-started/fga/create-env-file-fga.mdx";
+import ManagingPermissions from "/snippets/mcp/get-started/fga/managing-permissions.mdx";
+import MCPGetStartedTestingInstructions from "/snippets/mcp/get-started/testing-instructions.mdx";
+import { DownloadQuickstartButton } from "/snippets/download-quickstart/DownloadQuickstartButton.jsx";
+
+Fine-grained authorization goes beyond simple scope-based access control by enabling sophisticated permission models based on relationships between users, roles, groups, and resources. This quickstart demonstrates how to use [Auth0 FGA](https://auth0.com/fine-grained-authorization) to implement [Relationship-Based Access Control (ReBAC)](https://docs.fga.dev/authorization-concepts#what-is-relationship-based-access-control) for your MCP server tools.
+
+The sample application showcases five authorization patterns:
+
+1. **Public Tools** - Accessible to all authenticated users without additional permissions
+2. **Role-Based Access** - Tools assigned to specific roles (`admin`, `content_editor`)
+3. **Group Membership** - Users inherit permissions through group membership (managers, marketing)
+4. **Temporal Access** - Time-limited tool access with automatic expiration
+5. **Resource-Specific Permissions** - Fine-grained control over tool features (e.g., viewing private documents)
+
+By the end of this quickstart, you will have an MCP server that:
+* Authenticates users with Auth0 OAuth 2.0
+* Uses Auth0 FGA to determine which tools each user can access
+* Dynamically filters tool lists based on user permissions
+* Supports time-limited access grants that automatically expire
+* Provides different data based on user roles (public vs private documents)
+
+<MCPGetStartedPrerequisites />
+
+Now install and setup the dependencies for FGA:
+
+<AccordionGroup>
+  <Accordion title="1. Install the FGA CLI">
+    <FGACLIInstallation />
+  </Accordion>
+
+  <Accordion title="2. Set up Auth0 FGA or OpenFGA">
+    <FGAStoreSetupOverview />
+  </Accordion>
+</AccordionGroup>
+
+## Configure tenant settings
+
+<MCPGetStartedConfigTenantSettings />
+
+## Create an API to represent your MCP server
+
+<CreateMCPAPI />
+
+<Info>
+This quickstart uses two OAuth scopes for demonstration: `tool:greet` and `tool:whoami`. The `get_datetime` tool is public and doesn't require scopes, while `get_documents` uses FGA for authorization.
+</Info>
+
+## Set up your FGA store
+
+<SetupFGAStoreCLI />
+
+## Sample app
+
+Start by downloading or cloning the sample app for this quickstart. The sample includes a FastMCP MCP server with Auth0 OAuth and Auth0 FGA integration in JavaScript/TypeScript.
+
+<Tabs>
+  <Tab title="Use sample app (recommended)">
+    <DownloadQuickstartButton
+      category="auth-for-mcp"
+      framework="fastmcp-mcp-fga-js"
+    />
+
+    Once downloaded, extract the files and open the project in your preferred IDE.
+  </Tab>
+
+  <Tab title="Clone GitHub repository">
+    Clone the repository and navigate to the sample app folder:
+
+    ```shell wrap lines
+    git clone https://github.com/auth0-samples/auth0-ai-samples.git
+    cd auth0-ai-samples/auth-for-mcp/fastmcp-mcp-fga-js
+    ```
+
+    Once cloned, open the project in your preferred IDE.
+  </Tab>
+</Tabs>
+
+## Install packages
+
+Install the required dependencies:
+
+```shell
+npm install
+```
+
+## Create your environment file
+
+<CreateEnvFileFGA />
+
+## Understanding the authorization model
+
+<FGAModelExplanation />
+
+## Import the authorization model and tuples
+
+The sample includes a complete authorization model and initial permission tuples that define:
+- Public access to `get_datetime` for all users
+- Role assignments (`admin`, `content_editor`)
+- Group-to-role mappings (`managers` → `admin`, `marketing` → `content_editor`)
+- Tool access permissions for each role
+
+<Steps>
+  <Step title="Review the authorization model">
+    The authorization model is defined in `fga/model.fga`. It includes types for users, groups, roles, and tools, plus a temporal access condition.
+
+    The initial tuples are defined in `fga/tuples.yaml` and establish the baseline permissions.
+  </Step>
+
+  <Step title="Import the model and tuples">
+    From the root of your sample app directory, run:
+
+    ```shell wrap lines
+    fga store import --file fga/store.fga.yaml
+    ```
+
+    This command will:
+    1. Create a new FGA store (if using OpenFGA locally)
+    2. Upload the authorization model from `fga/model.fga`
+    3. Import the initial tuples from `fga/tuples.yaml`
+    4. Run tests defined in `fga/store.fga.yaml` to verify the setup
+
+    <Note>
+    If using OpenFGA, the command output will include a store ID. Copy this ID and add it to your `.env` file as `FGA_STORE_ID`. If using Auth0 FGA with existing store, the command will update your store with the new model and tuples.
+    </Note>
+  </Step>
+
+  <Step title="Verify the import">
+    If the import is successful, you should see output similar to:
+
+    ```json
+    {
+      "store": {
+        "id": "01KB0NZZFAV9AX7SAPWY23KJAF",
+        "name": "fastmcp-fga-example",
+        "created_at": "2025-01-22T10:30:00Z",
+        "updated_at": "2025-01-22T10:30:00Z"
+      },
+      "model": {
+        "authorization_model_id": "01KED54TEMBDE753YBK7NT3DRZ"
+      }
+    }
+    ```
+
+    The tests at the end should show all checks passing, confirming that the authorization model is working correctly.
+  </Step>
+</Steps>
+
+<Info>
+You can view and manage your authorization model in the [Auth0 FGA Dashboard](https://dashboard.fga.dev) if you're using Auth0 FGA. The dashboard provides a visual Model Explorer and allows you to view, add, and delete tuples in real-time.
+</Info>
+
+## Run the MCP server
+
+Start the MCP server:
+
+```shell
+npm run start
+```
+
+The server will start on port 3001 (or the port specified in your `.env` file). You should see console output indicating:
+- The server has started successfully
+- FGA client has been initialized
+- The server is listening for connections at `http://localhost:3001/mcp`
+
+```
+FastMCP Auth0 Example Server started
+FGA client initialized for store: 01KB0NZZFAV9AX7SAPWY23KJAF
+Server listening on http://localhost:3001/mcp
+```
+
+Leave the server running for testing in the next sections.
+
+## Manage user permissions
+
+<ManagingPermissions />
+
+<MCPGetStartedTestingInstructions />
+
+### Test authorization scenarios
+
+Now test different authorization scenarios to see how FGA controls tool access. You'll need to use an MCP client like [MCP Inspector](https://github.com/modelcontextprotocol/inspector) to connect to your server.
+
+<Steps>
+  <Step title="Test baseline access">
+    Connect to your MCP server using your user credentials. Initially, you should only see the public tool.
+
+    **Expected tools**: `get_datetime`
+
+    This demonstrates that without any role or group assignments, authenticated users only have access to public tools.
+  </Step>
+
+  <Step title="Grant admin access via managers group">
+    Add your user to the managers group to grant admin role permissions:
+
+    ```shell wrap lines
+    ./fga/add-user-to-group.sh YOUR_EMAIL managers
+    ```
+
+    Replace `YOUR_EMAIL` with the email address you use to authenticate.
+
+    Reconnect in your MCP client and verify you now see all tools.
+
+    **Expected tools**: `get_datetime`, `greet`, `whoami`, `get_documents`
+
+    Call the `get_documents` tool and verify that you see both public and private documents in the response. This demonstrates resource-specific permissions based on the admin role.
+
+    <Tip>
+    In MCP Inspector, you'll need to disconnect and reconnect (or refresh the connection) after changing permissions. The server queries FGA on each new connection to determine available tools.
+    </Tip>
+  </Step>
+
+  <Step title="Test content editor role">
+    Switch from admin to content editor by changing group membership:
+
+    ```shell wrap lines
+    ./fga/remove-user-from-group.sh YOUR_EMAIL managers
+    ./fga/add-user-to-group.sh YOUR_EMAIL marketing
+    ```
+
+    Reconnect in your MCP client.
+
+    **Expected tools**: `get_datetime`, `greet`, `whoami`, `get_documents`
+
+    Call the `get_documents` tool and verify that you now see only public documents (no private documents). This demonstrates how the same tool can provide different data based on user roles.
+
+    **Key difference**: Content editors have access to the same tools as admins but don't have the `can_view_private_documents` permission.
+  </Step>
+
+  <Step title="Test temporal access">
+    Remove all group memberships and grant time-limited access to a specific tool:
+
+    ```shell wrap lines
+    ./fga/remove-user-from-group.sh YOUR_EMAIL marketing
+    ./fga/add-temporal-access.sh YOUR_EMAIL greet 20s
+    ```
+
+    This grants 20 seconds of access to the `greet` tool.
+
+    **Immediately reconnect** in your MCP client.
+
+    **Expected tools**: `get_datetime`, `greet`
+
+    Call the `greet` tool to verify it works.
+
+    **Wait 25 seconds** and reconnect again.
+
+    **Expected tools**: `get_datetime` (only)
+
+    The `greet` tool should no longer appear. This demonstrates automatic expiration of temporal access without any cleanup required.
+
+    <Warning>
+    Temporal access is evaluated in real-time on each request. Once the duration expires, FGA automatically denies access even if the tuple still exists in the database.
+    </Warning>
+  </Step>
+</Steps>
+
+
+## Next steps
+
+* Learn about the simpler scope-based approach in [Authorization for Your MCP Server](./authorization-for-your-mcp-server)
+* Explore [Auth0 FGA documentation](https://auth0.com/fine-grained-authorization) to learn more about designing authorization models
+* Read about [OpenFGA](https://openfga.dev/docs) for advanced modeling patterns and best practices
+* Learn how to [test your MCP server with MCP Inspector](/mcp/guides/test-your-mcp-server-with-mcp-inspector)
@@ -1,6 +1,4 @@
-## Configure tenant settings
 
-<AccordionGroup>
   <Accordion title="1. Promote the connection to a domain-level connection">
     To allow third-party clients like MCP Inspector to use a connection such as a username-and-password database or a social connection, you need to promote the connection to a domain-level connection. [Learn more about enabling third-party applications](https://auth0.com/docs/get-started/applications/confidential-and-public-applications/enable-third-party-applications).
     <Steps>
@@ -24,40 +22,3 @@
       </Step>
     </Steps>
   </Accordion>
-  <Accordion title="2. Create roles (optional)">
-    The sample application in this quickstart is prepared to show different tools depending on the role of a given user. For example, a Tool Administrator will have access to different tools than a Tool User.
-
-    <Warning>If you decide to skip this step, you'll only have access to the tool `get_current_time`, which is the only tool in the sample apps that doesn't require any permissions.</Warning>
-
-    If your application doesn't require that level of access, i.e., all users have access to available tools, this step is not required for your use case.
-
-    Let's create roles that allow you to control which users can access which tools.
-
-    For each role you need (e.g., "Tool Administrator", "Tool User"), run the create command as below.
-
-    ```shell wrap lines
-# Example for an admin role
-    auth0 roles create --name "Tool Administrator" --description "Grants access to all MCP tools"
-
-# Example for a basic user role
-    auth0 roles create --name "Tool User" --description "Grants access to basic MCP tools"
-    ```
-
-    Save the IDs from the output (they start with `rol_`), as you'll need them in a later step to assign permissions and users to these roles.
-  </Accordion>
-  <Accordion title="3. Assign roles to users (optional)">
-    <Warning>If you skipped creating roles in the step above, you can skip this step as well.</Warning>
-
-    Find users and assign them to the roles. You can search by their email address:
-
-    ```shell wrap lines
-    auth0 users search --query "email:\"example@google.com\""
-    ```
-
-    Copy the user ID (`USERID`) from the last command's output, then assign the role to the user:
-
-    ```shell wrap lines
-    auth0 users roles assign "USER_ID_HERE" --roles "YOUR_ROLE_ID_HERE"
-    ```
-  </Accordion>
-</AccordionGroup>