JWT Passthrough
JWT passthrough allows users to access internal MCP servers using their SSO identity without entering separate credentials. When enabled, Willow captures the user's JWT at login and passes it automatically to internal MCP servers. Users authenticate once and Willow handles token refresh transparently.
Prerequisites
- SSO must already be configured (see Configure SSO)
- Your internal MCP servers must accept JWT tokens in the Authorization: Bearer <token> header
- Your IdP must support refresh tokens
Enable JWT passthrough
- Go to Admin → Settings → Authentication Settings
- Scroll to your configured SSO provider
- Check Enable passthrough refresh token
- The OIDC Token Endpoint is auto-discovered from your IdP's .well-known/openid-configuration. Verify it is correct.
- Select Save Changes
Configure your internal MCP servers
Your internal MCP servers must:
- Accept JWT tokens in the Authorization: Bearer <token> header
- Validate tokens against your IdP's JWKS endpoint
- Extract user identity from standard claims (sub, email, preferred_username)
Register the internal MCP in Willow
- Go to Build → MCP Servers
- Open the server's edit page, or add a new custom server pointing to your internal endpoint (see Add an MCP Server)
- Open the Setup tab
- Select Proxy Passthrough
- Select Save Changes
See Configure MCP Server Authentication for details on Proxy Passthrough.
How token refresh works
Willow stores encrypted OAuth credentials (access token + refresh token) at login. When a token expires, Willow automatically refreshes it from your IdP's token endpoint and passes the new token to the MCP server, transparently and without user action.
Troubleshoot
"No OAuth credentials found for user": The user must log out and log back in to capture credentials.
"Organization does not have OIDC token endpoint configured": Go to Admin → Settings → Authentication Settings, check the OIDC Token Endpoint field, and enter the endpoint manually if needed.
"Failed to refresh token" / "invalid_grant": The refresh token has expired. The user must log out and back in. Check your IdP's refresh token lifetime settings.
Token endpoint auto-discovery not working: Visit https://your-idp.com/.well-known/openid-configuration in a browser to verify the token_endpoint field exists, then paste it manually into the Willow configuration.