MCP tools acting on‑behalf‑of users in IBM watsonx Orchestrate enable agents to perform actions just as users would. Impersonated tools boost efficiency by automating tasks securely and seamlessly. With OAuth On‑Behalf‑Of (OBO) flows and SSO (Single Sign On), users authenticate once while agents work transparently in the background.

Niklas Heidloff

A walkthrough of how IBM watsonx Orchestrate enables MCP tools to act on behalf of users using OAuth On-Behalf-Of (OBO) flows and SSO. Users authenticate once via an identity provider (Okta), and agents transparently pass JWT tokens to MCP tools. The post covers setting up FastMCP with JWT verification, implementing RBAC via Orchestrate plug-ins that check user roles before agent invocation, configuring OAuth token exchange connections, and embedding a secure web chat widget in custom frontends. Code examples cover the MCP server setup, role-checking plugin, CLI commands for connection configuration, and the embedded chat script.

MCP Tools acting On‑Behalf‑Of Users in Orchestrate Agents