Secure Your MCP Server with C# and Auth0
As the Model Context Protocol (MCP) gains traction, developers face a critical challenge: securing enterprise-grade integrations. Treating every LLM request as an “admin” action risks exposing sensitive tools to unauthorized users. This article walks you through building a secure MCP server using C# and Auth0, with practical examples and actionable steps.
Why Protect an MCP Server?
Local MCP setups often share security boundaries between server and client. But when deployed as a shared service, this model breaks down. Two key risks emerge:
- Prompt injection escalation: Malicious prompts could trick models into executing restricted commands.
- Resource isolation failures: Junior developers might access tools reserved for lead engineers.
OAuth 2.1 support in the MCP specification addresses these issues by enabling granular authorization. Let’s implement a solution using the C# SDK and Auth0.
Build Your Secure MCP Server
Prerequisites
- .NET SDK 10+
- C# SDK for MCP
- Auth0 account (free tier available)
Step 1: Create the Server Project
Install the MCP server template via the terminal:
```shell
dotnet new install Microsoft.McpServer.ProjectTemplates
```
Generate the project with:
```shell
dotnet new mcpserver -n AspNetCoreMcpServer -t remote
```
This creates an ASP.NET Core app using HTTP transport, which is required for OAuth integration.
Step 2: Implement Basic Tools
Edit RandomNumberTools.cs to define a public tool:
```csharp
using ModelContextProtocol.Server;

[McpServerToolType]
public class RandomNumberTools
{
    [McpServerTool] // exposed to every MCP client; no scope required
    public int GetRandomNumber(int min = 0, int max = 100) => Random.Shared.Next(min, max);
}
```
Register the tool in Program.cs:
```csharp
builder.Services.AddMcpServer()
    .WithHttpTransport()
    .WithTools<RandomNumberTools>();
```
Step 3: Add Protected Tools
Create two new tools with authorization requirements:
```csharp
[McpServerTool]
[RequiredScope("read:system-state")]   // the caller's access token must carry this scope
public string GetSystemState() { ... }

[McpServerTool]
[RequiredScope("write:system-state")]  // a separate, stronger scope gates mutation
public void SetSystemState(string newState) { ... }
```
These attributes enforce Auth0 scope validation at runtime.
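As an added example (not the article's, the SDK's or Auth0's own code), here is the scope validation those attributes stand for, written out as a Program.cs that validates Auth0-issued JWTs, defines one authorization policy per scope, and compares the required scope against the space-delimited scope claim Auth0 issues. It assumes the RandomNumberTools class from Step 2, the placeholder Authority and Audience values used later in this article, and that MapMcp returns an endpoint builder on which RequireAuthorization can be called.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;

var builder = WebApplication.CreateBuilder(args);

// Validate Auth0 access tokens: issuer and signing keys come from Authority,
// and the audience must match this API so tokens minted for other APIs are rejected.
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = "https://YOUR-AUTH0-DOMAIN/"; // placeholder, as in the article
        options.Audience = "YOUR-API-AUDIENCE";           // placeholder, as in the article
    });

// One named policy per scope a protected tool requires.
builder.Services.AddAuthorization(options =>
{
    foreach (var scope in new[] { "read:system-state", "write:system-state" })
    {
        options.AddPolicy(scope, policy => policy
            .RequireAuthenticatedUser()
            .RequireAssertion(ctx => ScopeCheck.HasScope(ctx.User, scope)));
    }
});

builder.Services.AddMcpServer().WithHttpTransport().WithTools<RandomNumberTools>();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
// Assumption: MapMcp returns an endpoint builder. Requiring authorization here means
// every MCP request needs a valid token; the scope policies then narrow what it may call.
app.MapMcp().RequireAuthorization();
app.Run();

public static class ScopeCheck
{
    // Auth0 issues granted scopes as one space-delimited "scope" claim. Split it and
    // compare whole entries: a substring test would wrongly accept
    // "read:system-state-history" as satisfying "read:system-state".
    public static bool HasScope(ClaimsPrincipal user, string required)
    {
        var granted = user.FindFirst("scope")?.Value ?? string.Empty;
        return granted.Split(' ', StringSplitOptions.RemoveEmptyEntries)
                      .Contains(required, StringComparer.Ordinal);
    }
}
```

A token that validates but lacks the scope is rejected by the policy, not by the JWT handler, so a 403 rather than a 401 is the signal to look for when testing protected tools.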
Integrate with Auth0 for Authorization
Configure the server to use Auth0’s Dynamic Client Registration (DCR):
- Register your application in the Auth0 dashboard
- Configure appsettings.json with client credentials
- Update Program.cs to use Auth0 middleware
Example configuration snippet:
```csharp
builder.Services.AddAuthentication(options => {
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options => {
    options.Authority = "https://YOUR-AUTH0-DOMAIN";
    options.Audience = "YOUR-API-AUDIENCE";
});
```
Test Your Secure MCP Server
1. Run the server and verify public tool access
2. Use VS Code with an mcp.json configuration:
```json
{
  "servers": {
    "AspNetCoreMcpServer": {
      "url": "http://localhost:PORT",
      "type": "http"
    }
  }
}
```
3. Test protected tools by authenticating via Auth0
Conclusion
By implementing OAuth 2.1 with the C# SDK and Auth0, you’ve created a secure MCP server that balances accessibility and protection. This approach ensures:
- Public tools remain accessible
- Protected tools require specific permissions
- Defense-in-depth against prompt injection attacks
Try the sample project today and explore Auth for MCP for advanced security patterns. Your enterprise-grade MCP integrations are now one step closer to production readiness.