Private Beta: Contact us to get set up.
Internal MCP servers are services you operate—data platforms, internal APIs, custom tooling. The Tool Hub connects to them using your existing identity infrastructure, so users access internal tools with their actual credentials.
Industry Standard — This architecture implements Cross-App Access (XAA), the emerging standard for enterprise-governed app-to-app connections. The underlying protocol—Identity Assertion Authorization Grant (ID-JAG)—is now part of the MCP authorization specification (SEP-990). See IDP Requirements for the compatibility list.
One-time IDP setup required. Unlike basic SSO (which only needs IDP configuration in the Char dashboard), Remote MCP requires your IDP admin to register Char and grant token exchange permissions. See Setup Requirements for details.

The problem

You have internal services. You want AI agents to use them. But you don’t want to create service accounts, manage API keys, or build custom integrations for every service.

You already have an identity provider. Your users already authenticate. Why can’t the AI agent just use the same identity? With Char, it can. Users sign into your application once. From that point, internal MCP servers are accessible without additional login prompts or OAuth consent screens: the token exchange happens entirely server-to-server.

How it works

The user’s identity flows from your application through the embedded agent to the Tool Hub. When the user calls an internal tool, the Hub exchanges that token for a scoped credential via your IDP—the same IDP the user already authenticated with. This is ID-JAG—Identity Assertion Authorization Grant—a token exchange flow that produces credentials scoped to the specific MCP server. Your MCP server validates the ID-JAG against the same IDP it already trusts for SSO. No service accounts. No credential sprawl. Just your existing federated identity infrastructure extended to AI tooling.
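The checks a receiving server would apply to an ID-JAG before honoring it, as an added example that is not Char's code or part of the original page. The `typ` value and claim names follow the IETF ID-JAG draft rather than this page, the issuer URLs and client ID are constructed, and signature verification against the IDP's published keys is assumed to have been done already by a JWT library.

```python
import time

# JWT header "typ" for an ID-JAG, per the IETF draft (assumption: not stated on the page).
ID_JAG_TYP = "oauth-id-jag+jwt"

def check_id_jag(header, claims, *, trusted_idp, own_issuer, client_id,
                 now=None, leeway=30):
    """Return rejection reasons for a signature-verified ID-JAG; [] means accept."""
    now = time.time() if now is None else now
    problems = []
    # Rejects an ID token or access token presented in place of the grant.
    if header.get("typ") != ID_JAG_TYP:
        problems.append("wrong_typ")
    # Only the IDP already trusted for SSO may mint the grant.
    if claims.get("iss") != trusted_idp:
        problems.append("untrusted_issuer")
    # The grant must be scoped to this server, not another internal service.
    aud = claims.get("aud")
    if (aud if isinstance(aud, list) else [aud]) != [own_issuer]:
        problems.append("wrong_audience")
    # The grant is bound to the client it was issued to (here, the Hub).
    if claims.get("client_id") != client_id:
        problems.append("client_mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp + leeway <= now:
        problems.append("expired")
    # sub carries the user's identity; jti allows replay tracking.
    for name in ("sub", "jti"):
        if not claims.get(name):
            problems.append("missing_" + name)
    return problems

# Constructed sample values, not taken from the page.
IDP = "https://idp.example.com"
MCP_SERVER = "https://mcp.internal.example.com"
HUB_CLIENT = "tool-hub-client"
NOW = 1_700_000_000
GOOD_HEADER = {"typ": ID_JAG_TYP, "alg": "RS256"}
GOOD_CLAIMS = {"iss": IDP, "sub": "user-123", "aud": MCP_SERVER,
               "client_id": HUB_CLIENT, "jti": "a1b2c3",
               "iat": NOW - 10, "exp": NOW + 290}

if __name__ == "__main__":
    kw = dict(trusted_idp=IDP, own_issuer=MCP_SERVER, client_id=HUB_CLIENT, now=NOW)
    print(check_id_jag(GOOD_HEADER, GOOD_CLAIMS, **kw))
    # A grant minted for a different internal service must not be accepted here.
    other = {**GOOD_CLAIMS, "aud": "https://billing.internal.example.com"}
    print(check_id_jag(GOOD_HEADER, other, **kw))
```
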

What you get

Identity-scoped access. Users can only do what they’re already allowed to do. The AI agent inherits their permissions, not elevated service account privileges.

Org-level configuration. An admin registers the connector once. It becomes available to users based on their role and which applications they’re using.

Centralized visibility. All tool calls flow through the Tool Hub. You see what’s being called, by whom, with what arguments. One audit trail for all internal services.
