Skip to main content

What Is MCP Certification?

The Grantex MCP Certification program verifies that your Model Context Protocol server implements OAuth 2.1 authorization correctly. Certified servers receive a badge, a listing in the Grantex MCP Registry, and visibility to 10,000+ developers using Grantex. There are three tiers — Bronze, Silver, and Gold — each adding progressively stricter security and compliance requirements.

Why It Matters

The MCP specification mandates OAuth 2.1 for transport-level auth, but there is no standard way to verify that an MCP server actually implements it correctly. Many servers ship with API keys, hardcoded tokens, or no auth at all. Certification solves this:
  • For MCP server authors: Prove your server meets OAuth 2.1 requirements. The badge signals production-readiness to potential users.
  • For MCP clients/users: Find servers you can trust. Every certified server has passed automated conformance checks.
  • For enterprises: Certification maps to compliance requirements (SOC 2 access controls, GDPR consent, OWASP Agentic Top 10).

Certification Tiers

Bronze — Standard

The baseline tier. Your server implements the core OAuth 2.1 flow that the MCP specification requires. Requirements:
#CheckDescription
1OAuth 2.1 + PKCE S256Authorization code flow with PKCE S256 challenge. plain method rejected.
2Dynamic Client RegistrationRFC 7591 endpoint at /register. Returns client_id and client_secret.
3Server metadata discoveryRFC 8414 endpoint at /.well-known/oauth-authorization-server. All required fields present.
4Rate limitingToken and authorize endpoints enforce request limits.
Benefits:
  • Listed in the Grantex MCP Registry
  • Bronze badge for your README and documentation

Silver — Enhanced

Adds token lifecycle management and user-facing consent customization. Requirements (all Bronze requirements plus):
#CheckDescription
5Token introspectionRFC 7662 endpoint at /introspect. Returns active boolean plus token metadata.
6Token revocationRFC 7009 endpoint at /revoke. Always returns 200 OK per spec.
7Consent UI customizationCustom app name, logo, privacy URL, and terms URL on the consent page.
8Lifecycle hooksonTokenIssued and onRevocation hooks for audit logging.
Benefits:
  • Featured placement in the MCP Registry
  • Silver badge
  • Priority support channel

Gold — Production

The highest tier. Demonstrates production-grade infrastructure, delegation support, and full protocol compliance. Requirements (all Silver requirements plus):
#CheckDescription
9Persistent client storeClient registrations stored in a durable database (not in-memory).
10Resource indicatorsRFC 8707 support for audience-restricted tokens.
11Delegation supportGrantex SPEC Section 9 delegation with parentAgt, parentGrnt, and delegationDepth claims.
12Budget enforcementBudget allocation and debit support for cost-controlled agent operations.
13Full conformance suitePass all checks in the @grantex/conformance test suite.
Benefits:
  • Top placement in the MCP Registry
  • Gold badge with verification link
  • Listed on the Grantex landing page
  • Co-marketing opportunities

Conformance Checks

The Grantex conformance suite runs 13 automated checks against your server. You can run them locally before applying: 
npx @grantex/conformance \
  --issuer https://your-mcp-server.example.com \
  --tier gold

Check Details

#CheckWhat It Verifies
1metadata-discoveryGET /.well-known/oauth-authorization-server returns valid JSON with all required fields
2pkce-s256-requiredAuthorization requests without code_challenge or with plain method are rejected (400)
3dcr-registrationPOST /register creates a client and returns client_id + client_secret
4authorization-code-flowFull authorize -> callback -> token exchange flow succeeds
5code-single-useReplaying an authorization code returns 400
6rate-limitingExceeding request limits returns 429
7introspection-activePOST /introspect with valid token returns active: true and correct metadata
8introspection-expiredPOST /introspect with expired/revoked token returns active: false
9revocationPOST /revoke returns 200 and subsequent introspection shows active: false
10consent-uiConsent page renders with custom app name and logo
11persistent-clientsClient registrations survive server restart
12delegation-claimsDelegated tokens include parentAgt, parentGrnt, delegationDepth claims
13budget-enforcementToken exchange respects budget allocation; debit reduces remaining balance
Bronze requires checks 1-6. Silver requires checks 1-10. Gold requires all 13.

How to Apply

Step 1: Implement the requirements

If you are using @grantex/mcp-auth, most requirements are met automatically: 
import { Grantex } from '@grantex/sdk';
import { createMcpAuthServer } from '@grantex/mcp-auth';

const server = await createMcpAuthServer({
  grantex: new Grantex({
    baseUrl: 'https://grantex-auth-dd4mtrt2gq-uc.a.run.app',
    apiKey: process.env.GRANTEX_API_KEY!,
  }),
  agentId: 'ag_your_server',
  scopes: ['tools:read', 'tools:execute'],
  issuer: 'https://your-mcp-server.example.com',
  // Silver: consent UI customization
  consentUi: {
    appName: 'My MCP Server',
    appLogo: 'https://example.com/logo.png',
    privacyUrl: 'https://example.com/privacy',
    termsUrl: 'https://example.com/terms',
  },
  // Silver: lifecycle hooks
  hooks: {
    onTokenIssued: async (event) => {
      console.log(`Token issued: ${event.grantId}`);
    },
    onRevocation: async (jti) => {
      console.log(`Token revoked: ${jti}`);
    },
  },
  // Gold: persistent client store
  clientStore: new PostgresClientStore(),
});

Step 2: Run the conformance suite

npx @grantex/conformance \
  --issuer https://your-mcp-server.example.com \
  --tier gold \
  --output results.json
The suite outputs a JSON report with pass/fail status for each check.

Step 3: Submit for certification

Once all checks pass, submit your server for certification via the Grantex portal:
  1. Go to the Grantex Dashboard
  2. Navigate to MCP Servers > Apply for Certification
  3. Enter your server URL and upload the conformance results
  4. Your server will be reviewed and listed within 48 hours
Alternatively, use the CLI: 
npx @grantex/cli mcp-servers certify \
  --url https://your-mcp-server.example.com \
  --tier gold \
  --results results.json

Displaying the Badge

Once certified, add the badge to your README:

Markdown

[![Grantex-Auth Certified: Gold](https://img.shields.io/badge/Grantex--Auth-Gold-ffd700?logo=data:image/svg+xml;base64,...)](https://grantex.dev/mcp-registry/your-server)

HTML

<a href="https://grantex.dev/mcp-registry/your-server">
  <img src="https://grantex.dev/badges/mcp-auth-gold.svg"
       alt="Grantex-Auth Certified: Gold" />
</a>

Shield.io dynamic badge

![Grantex-Auth](https://img.shields.io/endpoint?url=https://grantex.dev/api/badges/your-server-id)
The dynamic badge automatically updates if your certification tier changes.

Recertification

Certification is valid for 12 months. Before expiry:
  1. Run the conformance suite against your current deployment
  2. Submit updated results via the portal or CLI
  3. Certification is renewed automatically if all checks pass
If your server fails recertification, the badge is downgraded and you have 30 days to fix issues before being delisted.

FAQ

No. Any OAuth 2.1 implementation that passes the conformance suite qualifies. @grantex/mcp-auth is the fastest path because it handles all requirements out of the box, but you can build your own auth server and still get certified.
Yes. Bronze and Silver certification are free. Gold certification is free for open-source MCP servers. Commercial servers on the Pro or Enterprise plan can certify for free; others pay a one-time review fee.
Yes. Start with Bronze, add introspection and revocation for Silver, then add persistent storage and delegation for Gold. Each upgrade is a new conformance run and submission.
Grantex monitors certified servers with periodic health checks. If your metadata endpoint is unreachable for more than 72 hours, your listing is temporarily hidden until it recovers.
Bronze and Silver certifications are fully automated — results are available instantly after the conformance suite passes. Gold certification includes a manual review and is typically completed within 48 hours.