Problem Description
Organizations that manage private documentation in GitHub repositories often enforce access control through Microsoft Entra ID (Azure AD), either via GitHub Enterprise SAML SSO or internal compliance requirements.
Currently, Context7's private repository support authenticates MCP consumers through Context7's own OAuth 2.0 layer, which breaks this requirement.
This means teams who want to expose their private docs to customers' AI agents (Claude, Copilot, Cursor, etc.) via MCP cannot use Context7, not because of a missing indexing feature, but purely because of an authentication mismatch.
Proposed Solution
Allow organizations on the Pro or Enterprise plan to configure Microsoft Entra ID as the identity provider for their private MCP endpoints.
Concretely:
- Accept an Entra ID tenant ID + application (client) ID during MCP server setup.
- Enforce bearer token validation against that Entra ID tenant on every MCP request.
- Publish /.well-known/oauth-protected-resource metadata pointing to the Entra ID authorization server, so MCP clients (Claude Code, VS Code, etc.) can complete the OAuth flow automatically without manual token management.
The indexing side (reading the private GitHub repo) remains unchanged, only the consumer-facing auth layer changes.
Alternatives Considered
No response
Priority
Blocking my usage
Additional Context
Microsoft Entra ID is the dominant identity provider in enterprise environments.
The MCP spec's authorization section explicitly supports this pattern via protected resource metadata
(/.well-known/oauth-protected-resource), and Claude Code, VS Code Copilot, and Cursor all support automatic OAuth discovery from that endpoint, meaning once you publish the metadata, clients handle the login flow with zero configuration on the developer's side.
Azure itself is shipping this exact pattern in its App Service built-in MCP feature (currently in preview), which demonstrates that the demand is real and the standard is settled.
Context7 supporting Entra ID would make it the simplest end-to-end solution for enterprise teams , no custom MCP server, no Azure App Service setup, no API to build.
Problem Description
Organizations that manage private documentation in GitHub repositories often enforce access control through Microsoft Entra ID (Azure AD), either via GitHub Enterprise SAML SSO or internal compliance requirements.
Currently, Context7's private repository support authenticates MCP consumers through Context7's own OAuth 2.0 layer, which breaks this requirement.
This means teams who want to expose their private docs to customers' AI agents (Claude, Copilot, Cursor, etc.) via MCP cannot use Context7, not because of a missing indexing feature, but purely because of an authentication mismatch.
Proposed Solution
Allow organizations on the Pro or Enterprise plan to configure Microsoft Entra ID as the identity provider for their private MCP endpoints.
Concretely:
The indexing side (reading the private GitHub repo) remains unchanged, only the consumer-facing auth layer changes.
Alternatives Considered
No response
Priority
Blocking my usage
Additional Context
Microsoft Entra ID is the dominant identity provider in enterprise environments.
The MCP spec's authorization section explicitly supports this pattern via protected resource metadata
(/.well-known/oauth-protected-resource), and Claude Code, VS Code Copilot, and Cursor all support automatic OAuth discovery from that endpoint, meaning once you publish the metadata, clients handle the login flow with zero configuration on the developer's side.
Azure itself is shipping this exact pattern in its App Service built-in MCP feature (currently in preview), which demonstrates that the demand is real and the standard is settled.
Context7 supporting Entra ID would make it the simplest end-to-end solution for enterprise teams , no custom MCP server, no Azure App Service setup, no API to build.