Comment by mooreds
8 hours ago
Yeah, I recently documented how to use pre-registered clients with FusionAuth[0] (my employer). DCR's newer, better sibling CIMD is on our radar and under active discussion[1], but not currently available.
An alternative to the proxy you suggest is to generate a new Entra client id (with PKCE enabled) for every MCP client in a developer portal or similar, then have the user configure their client with that client id. Here's the CLI command I found to do this[2], but I bet there's an API too. Here are config instructions for Claude Code[3] and ChatGPT[4].
Client pre-registration is acceptable, but not optimal, for developers, and is a first-class citizen in the spec[5]. If your main audience is internal and you can expect them to follow configuration instructions to get access to the MCP server, this approach can work.
But it's definitely not acceptable for widespread, public integrations if your audience is not developers. That is where a lot of the power and opportunity for MCP lies.
0: https://fusionauth.io/docs/extend/examples/controlling-acces...
1: https://github.com/FusionAuth/fusionauth-issues/issues/3230
2: https://learn.microsoft.com/en-us/cli/azure/ad/app?view=azur...
3: https://code.claude.com/docs/en/mcp
4: https://developers.openai.com/api/docs/guides/developer-mode
5: https://modelcontextprotocol.io/specification/2025-11-25/bas...