Skip to content

feat(mcp): multi-tenant Entra ID validation + Azure APIM docs#2629

Open
fahreddinozcan wants to merge 2 commits into
masterfrom
ctx7-1655-azure-apim-integration
Open

feat(mcp): multi-tenant Entra ID validation + Azure APIM docs#2629
fahreddinozcan wants to merge 2 commits into
masterfrom
ctx7-1655-azure-apim-integration

Conversation

@fahreddinozcan
Copy link
Copy Markdown
Contributor

@fahreddinozcan fahreddinozcan commented May 15, 2026

Summary

  • packages/mcp/src/lib/jwt.ts: replaces single-tenant env-var Entra config with dynamic per-teamspace config fetched from context7app's /api/v2/entra/config/[audience] endpoint. On success, returns an entra payload (teamspaceId, oid, email, name) so the request handler can resolve a per-user Context7 identity.
  • Per-tenant JWKS cache and a 5-minute in-memory config cache keyed by JWT audience.
  • New enterprise docs page docs/enterprise/azure-apim.mdx covering two patterns: shared identity (deployable today, single Context7 teamspace key behind APIM) and per-user identity (in development, native Entra validation at the Context7 MCP server).

Test plan

  • pnpm typecheck clean in packages/mcp
  • Legacy Clerk JWT validation still works (no Entra config required)
  • With companion PR upstash/context7app#659 deployed and a teamspace config populated in Redis, MCP server validates Entra tokens end-to-end via Azure APIM gateway
  • Unknown audience returns 401 with Unknown audience error
  • Missing required scope returns 401 with Missing required scope error

Related

  • Companion PR: upstash/context7app#659

@fahreddinozcan
feat(mcp): multi-tenant Entra ID validation
5acdc55 
jwt.ts now fetches per-teamspace Entra config from context7app's
/api/v2/entra/config/[audience] endpoint, enabling per-user identity
for customers using Azure API Management in front of mcp.context7.com.
Per-tenant JWKS cache and 5-minute in-memory config cache. Also adds
the Azure APIM enterprise integration docs page covering both the
shared-identity (today) and per-user-identity (in development) patterns.
@linear
Copy link
Copy Markdown

linear Bot commented May 15, 2026

CTX7-1655

@mintlify
Copy link
Copy Markdown

mintlify Bot commented May 15, 2026
edited
Loading

Preview deployment for your docs. Learn more about Mintlify Previews.

Project Status Preview Updated (UTC)
context7 🟢 Ready View Preview May 15, 2026, 2:45 PM

💡 Tip: Enable Workflows to automatically generate PRs for you.

@fahreddinozcan
test(mcp): cover jwt validation routing + changeset
5ea68c7 
Adds vitest coverage for the new multi-tenant Entra path in jwt.ts:
issuer detection, config fetch + caching, audience and scope rejection,
and the unchanged Clerk fallback. Mocks jose and global fetch so the
tests don't depend on network or real crypto. Includes a minor-bump
changeset for the @upstash/context7-mcp package.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@fahreddinozcan