[Documentation request] Authentication architecture suggestions

[hansmbakker]

It would be great if the documentation website had a few pointers on authentication architecture choices.

Imagine you have an existing ASP.NET Core API project which already has its own AzureAD authentication + JWT Bearer authentication for development (with dotnet user-jwts). I think this is a common scenario for people wanting to add MCP functionality to their existing solution.

It would be great to read something about setting that up, and about the choices that can be made there:

• one project vs multiple projects:
  • putting both the MCP and normal API endpoints in the same project. This adds some complexity regarding coexistence of authentication schemes. I see for MCP a different scheme is needed.
  • factoring out the business logic into a common project that is referenced by a REST API project and a MCP server project
• one app registration vs multiple app registrations in Entra ID?

Searched:

• https://github.com/modelcontextprotocol/csharp-sdk/discussions?discussions_q=authentication only lists questions from 2025 (before v1.0 was released)
• https://www.google.com/search?q=adding+mcp+server+to+existing+asp.net+core+api+project yields no recent articles that cover coexisting authentication options on v1.0
• https://devblogs.microsoft.com/dotnet/release-v10-of-the-official-mcp-csharp-sdk/ has no info on cover coexisting authentication options
• These two documentation pages might be helpful:
  • https://learn.microsoft.com/en-us/aspnet/core/security/authorization/limitingidentitybyscheme?view=aspnetcore-10.0#use-multiple-authentication-schemes
  • https://learn.microsoft.com/en-us/aspnet/core/security/authentication/policyschemes?view=aspnetcore-10.0#jwt-with-multiple-schemes

[hansmbakker]

#968 might be related