Where to find the endpoints
Open the XAA Flow tab in MCPJam Inspector. At the top of the tab, expand the Use MCPJam as your test IdP card. It lists three copy-able URLs and the active signing key id (kid).
The three endpoints
| Endpoint | What it is | Where it goes |
|---|---|---|
| Issuer URL | The iss value MCPJam stamps on every assertion. | Register it as a trusted issuer at your authorization server. |
| OpenID configuration URL | The /.well-known/openid-configuration document. Advertises the issuer, JWKS URI, and supported grant types. | Most authorization servers discover the JWKS automatically from here. |
| JWKS URL | The public signing keys (/.well-known/jwks.json). | Register it directly if your authorization server doesn’t auto-discover from the OpenID configuration. |
Registering trust
- Copy the Issuer URL from the card. Also copy the JWKS URL if your authorization server asks for the key-set endpoint directly.
- In your authorization server — Okta, Auth0, Keycloak, or your own — register MCPJam’s issuer URL as the trusted identity issuer. The issuer is the trust anchor; use the JWKS URL only when the server explicitly asks for the key-set endpoint.
- Set the ID-JAG
audclaim to your authorization server’s own issuer. - Set the ID-JAG
resourceclaim to your MCP server’s resource identifier. - Register MCPJam as a client at your authorization server using the client ID from your XAA target configuration.
Vendor notes
- Okta — Native JWT-bearer support. Register MCPJam’s issuer URL as a trusted issuer; Okta discovers the keys from the OpenID configuration.
- Auth0 — Supported with configuration. Register MCPJam’s issuer as a trusted issuer and map subjects to Auth0 users; Auth0 fetches the JWKS from the issuer’s discovery document.
- Keycloak — Supports Token Exchange. Configure a brokered IdP that trusts MCPJam’s issuer.
Local mode
If you’re running the inspector locally, the endpoint URLs point at your own machine. Your authorization server can only reach them if it can route to that machine — expose the inspector through a public tunnel first.Next steps
- XAA Debugger — walk through and debug the full flow.
- Review the MCP authorization specification for XAA requirements.

