Authentication is the first layer of Argus MCP's security model. It verifies the identity of every incoming MCP client connection before any tool call reaches a backend.
Auth Modes
Argus supports four incoming authentication modes:
| Mode | Security Level | Use Case |
|---|---|---|
| `anonymous` | None | Local development, trusted networks |
| `local` | Basic | Single-user with a management token |
| `jwt` | Strong | Multi-user with external identity provider |
| `oidc` | Strong | OpenID Connect with automatic discovery |
Note:
For full configuration reference including all fields, examples, and identity model details, see Configuration — Authentication.
Security Defaults
- Default mode: `anonymous` — no authentication required
- Management API: Always requires a bearer token regardless of auth mode
- Identity propagation: Authenticated identity is attached to the request context and available to authorization, audit, and middleware
Recommendations
- Use `jwt` or `oidc` for any production deployment
- Always set a strong `management_token` (or use a `secret:mgmt_token` reference)
- Enable audit logging to track authentication events
- Combine with Authorization for fine-grained access control