> ## Documentation Index
> Fetch the complete documentation index at: https://docs.grantex.dev/llms.txt
> Use this file to discover all available pages before exploring further.
# MCP Certification Guide
> Get your MCP server certified with the Grantex-Auth badge. Bronze, Silver, and Gold tiers.
## What Is MCP Certification?
The Grantex MCP Certification program verifies that your Model Context Protocol server implements OAuth 2.1 authorization correctly. Certified servers receive a badge, a listing in the Grantex MCP Registry, and visibility to 10,000+ developers using Grantex.
There are three tiers -- **Bronze**, **Silver**, and **Gold** -- each adding progressively stricter security and compliance requirements.
## Why It Matters
The MCP specification mandates OAuth 2.1 for transport-level auth, but there is no standard way to verify that an MCP server actually implements it correctly. Many servers ship with API keys, hardcoded tokens, or no auth at all.
Certification solves this:
* **For MCP server authors**: Prove your server meets OAuth 2.1 requirements. The badge signals production-readiness to potential users.
* **For MCP clients/users**: Find servers you can trust. Every certified server has passed automated conformance checks.
* **For enterprises**: Certification maps to compliance requirements (SOC 2 access controls, GDPR consent, OWASP Agentic Top 10).
## Certification Tiers
### Bronze -- Standard
The baseline tier. Your server implements the core OAuth 2.1 flow that the MCP specification requires.
**Requirements:**
| # | Check | Description |
| - | --------------------------- | -------------------------------------------------------------------------------------------- |
| 1 | OAuth 2.1 + PKCE S256 | Authorization code flow with PKCE S256 challenge. `plain` method rejected. |
| 2 | Dynamic Client Registration | RFC 7591 endpoint at `/register`. Returns `client_id` and `client_secret`. |
| 3 | Server metadata discovery | RFC 8414 endpoint at `/.well-known/oauth-authorization-server`. All required fields present. |
| 4 | Rate limiting | Token and authorize endpoints enforce request limits. |
**Benefits:**
* Listed in the Grantex MCP Registry
* Bronze badge for your README and documentation
### Silver -- Enhanced
Adds token lifecycle management and user-facing consent customization.
**Requirements (all Bronze requirements plus):**
| # | Check | Description |
| - | ------------------------ | --------------------------------------------------------------------------------- |
| 5 | Token introspection | RFC 7662 endpoint at `/introspect`. Returns `active` boolean plus token metadata. |
| 6 | Token revocation | RFC 7009 endpoint at `/revoke`. Always returns 200 OK per spec. |
| 7 | Consent UI customization | Custom app name, logo, privacy URL, and terms URL on the consent page. |
| 8 | Lifecycle hooks | `onTokenIssued` and `onRevocation` hooks for audit logging. |
**Benefits:**
* Featured placement in the MCP Registry
* Silver badge
* Priority support channel
### Gold -- Production
The highest tier. Demonstrates production-grade infrastructure, delegation support, and full protocol compliance.
**Requirements (all Silver requirements plus):**
| # | Check | Description |
| -- | ----------------------- | ----------------------------------------------------------------------------------------------- |
| 9 | Persistent client store | Client registrations stored in a durable database (not in-memory). |
| 10 | Resource indicators | RFC 8707 support for audience-restricted tokens. |
| 11 | Delegation support | Grantex SPEC Section 9 delegation with `parentAgt`, `parentGrnt`, and `delegationDepth` claims. |
| 12 | Budget enforcement | Budget allocation and debit support for cost-controlled agent operations. |
| 13 | Full conformance suite | Pass all checks in the `@grantex/conformance` test suite. |
**Benefits:**
* Top placement in the MCP Registry
* Gold badge with verification link
* Listed on the Grantex landing page
* Co-marketing opportunities
## Conformance Checks
The Grantex conformance suite runs 13 automated checks against your server. You can run them locally before applying:
```bash theme={null}
npx @grantex/conformance \
--issuer https://your-mcp-server.example.com \
--tier gold
```
### Check Details
| # | Check | What It Verifies |
| -- | ------------------------- | ----------------------------------------------------------------------------------------- |
| 1 | `metadata-discovery` | `GET /.well-known/oauth-authorization-server` returns valid JSON with all required fields |
| 2 | `pkce-s256-required` | Authorization requests without `code_challenge` or with `plain` method are rejected (400) |
| 3 | `dcr-registration` | `POST /register` creates a client and returns `client_id` + `client_secret` |
| 4 | `authorization-code-flow` | Full authorize -> callback -> token exchange flow succeeds |
| 5 | `code-single-use` | Replaying an authorization code returns 400 |
| 6 | `rate-limiting` | Exceeding request limits returns 429 |
| 7 | `introspection-active` | `POST /introspect` with valid token returns `active: true` and correct metadata |
| 8 | `introspection-expired` | `POST /introspect` with expired/revoked token returns `active: false` |
| 9 | `revocation` | `POST /revoke` returns 200 and subsequent introspection shows `active: false` |
| 10 | `consent-ui` | Consent page renders with custom app name and logo |
| 11 | `persistent-clients` | Client registrations survive server restart |
| 12 | `delegation-claims` | Delegated tokens include `parentAgt`, `parentGrnt`, `delegationDepth` claims |
| 13 | `budget-enforcement` | Token exchange respects budget allocation; debit reduces remaining balance |
Bronze requires checks 1-6. Silver requires checks 1-10. Gold requires all 13.
## How to Apply
### Step 1: Implement the requirements
If you are using `@grantex/mcp-auth`, most requirements are met automatically:
```typescript theme={null}
import { Grantex } from '@grantex/sdk';
import { createMcpAuthServer } from '@grantex/mcp-auth';
const server = await createMcpAuthServer({
grantex: new Grantex({
baseUrl: 'https://grantex-auth-dd4mtrt2gq-uc.a.run.app',
apiKey: process.env.GRANTEX_API_KEY!,
}),
agentId: 'ag_your_server',
scopes: ['tools:read', 'tools:execute'],
issuer: 'https://your-mcp-server.example.com',
// Silver: consent UI customization
consentUi: {
appName: 'My MCP Server',
appLogo: 'https://example.com/logo.png',
privacyUrl: 'https://example.com/privacy',
termsUrl: 'https://example.com/terms',
},
// Silver: lifecycle hooks
hooks: {
onTokenIssued: async (event) => {
console.log(`Token issued: ${event.grantId}`);
},
onRevocation: async (jti) => {
console.log(`Token revoked: ${jti}`);
},
},
// Gold: persistent client store
clientStore: new PostgresClientStore(),
});
```
### Step 2: Run the conformance suite
```bash theme={null}
npx @grantex/conformance \
--issuer https://your-mcp-server.example.com \
--tier gold \
--output results.json
```
The suite outputs a JSON report with pass/fail status for each check.
### Step 3: Submit for certification
Once all checks pass, submit your server for certification via the Grantex portal:
1. Go to the [Grantex Dashboard](https://grantex.dev/dashboard)
2. Navigate to **MCP Servers** > **Apply for Certification**
3. Enter your server URL and upload the conformance results
4. Your server will be reviewed and listed within 48 hours
Alternatively, use the CLI:
```bash theme={null}
npx @grantex/cli mcp-servers certify \
--url https://your-mcp-server.example.com \
--tier gold \
--results results.json
```
## Displaying the Badge
Once certified, add the badge to your README:
### Markdown
```markdown theme={null}
[](https://grantex.dev/mcp-registry/your-server)
```
### HTML
```html theme={null}
```
### Shield.io dynamic badge
```markdown theme={null}
```
The dynamic badge automatically updates if your certification tier changes.
## Recertification
Certification is valid for **12 months**. Before expiry:
1. Run the conformance suite against your current deployment
2. Submit updated results via the portal or CLI
3. Certification is renewed automatically if all checks pass
If your server fails recertification, the badge is downgraded and you have 30 days to fix issues before being delisted.
## FAQ
No. Any OAuth 2.1 implementation that passes the conformance suite qualifies. `@grantex/mcp-auth` is the fastest path because it handles all requirements out of the box, but you can build your own auth server and still get certified.
Yes. Bronze and Silver certification are free. Gold certification is free for open-source MCP servers. Commercial servers on the Pro or Enterprise plan can certify for free; others pay a one-time review fee.
Yes. Start with Bronze, add introspection and revocation for Silver, then add persistent storage and delegation for Gold. Each upgrade is a new conformance run and submission.
Grantex monitors certified servers with periodic health checks. If your metadata endpoint is unreachable for more than 72 hours, your listing is temporarily hidden until it recovers.
Bronze and Silver certifications are fully automated -- results are available instantly after the conformance suite passes. Gold certification includes a manual review and is typically completed within 48 hours.
## Related
* [MCP Auth Server](/features/mcp-auth-server) -- Full feature documentation
* [Conformance Suite](/integrations/conformance) -- Running conformance tests
* [MCP Server (13 tools)](/integrations/mcp) -- Grantex MCP server for Claude Desktop/Cursor
* [Security Best Practices](/guides/security-best-practices) -- Token verification and key rotation