This page explains how to use the Redirect URI identifier to identify MCP client workloads in Aembit.

In OAuth 2.1, a redirect URI is the callback URL where the Authorization Server sends users after they authenticate. When an MCP client registers through Dynamic Client Registration (DCR), it provides its redirect URI.

In Aembit, the redirect URI serves a dual purpose: it’s both the OAuth callback URL and the identifier for your Client Workload. This enables granular Access Policies based on which MCP client is requesting access.

For example, if Gemini CLI registers with http://localhost:7777/oauth/callback, you configure a Client Workload with the Redirect URI identifier set to that value. This ensures only authorized MCP clients can obtain access tokens for your protected MCP servers.

For more about how redirect URIs work in MCP authorization flows, see Redirect URIs.

This method is for MCP Authorization Server deployments. It identifies MCP clients that connect to MCP servers protected by Aembit’s MCP Authorization Server.

Create a Client Workload with a Redirect URI identifier

To configure a Client Workload using the Redirect URI identifier, follow these steps:

  1. Log in to your Aembit Tenant.

  2. In the sidebar, click Client Workloads.

  3. Click + New to open the Client Workload form.

  4. Enter the Name and optional Description for the Client Workload.

  5. Under Client Identification, select Redirect URI.

    For Value, enter the redirect URI that your MCP client uses for OAuth callbacks.

    For example: http://localhost:7777/oauth/callback

    Optionally, add additional redirect URIs by clicking + to allow multiple MCP clients or multiple redirect URIs for a single client. If you don’t know the redirect URI for your MCP client, see Find the redirect URI.

  6. Under MCP Authorization Configuration, configure the Enforce SSO option:

    • On (default) - Users must authenticate through a configured identity provider during the OAuth flow. When Enforce SSO is on, a multi-select dropdown appears listing the SSO identity providers configured for your tenant. By default, Aembit selects all identity providers. Deselect any that you don’t want to appear on the MCP authentication page for this Client Workload.
    • Off - The OAuth flow completes without user authentication.

    For architecture diagrams comparing these flows, see MCP Authorization Server architecture.

  7. Click Save.

    Aembit displays the new Client Workload on the Client Workloads page.

Each MCP client uses a specific redirect URI for OAuth callbacks. The following tables list redirect URIs for common MCP clients. Check your MCP client’s documentation to confirm its redirect URI.

Local development:

| MCP client | Redirect URI |
| --- | --- |
| MCP Inspector | http://localhost:6274/oauth/callback |
| Gemini CLI | http://localhost:7777/oauth/callback |

Remote or cloud-hosted:

| MCP client | Redirect URI |
| --- | --- |
| Claude Desktop | https://claude.ai/api/mcp/auth_callback |
| Custom web app | https://your-app.example.com/oauth/callback |

For custom MCP clients, check the client’s OAuth configuration or documentation for its redirect URI.
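To see which value a client would need, you can read the `redirect_uris` field of its DCR request and compare it with the identifiers you plan to enter. The following is an added example, not Aembit code: the workload names and the sample request are constructed, and it assumes identifiers are compared as exact strings.

```python
import json
from urllib.parse import urlsplit

# Constructed stand-in for the Redirect URI identifiers entered on Client
# Workloads; workload names are hypothetical, URIs come from the tables above.
WORKLOADS = {
    "gemini-cli": ["http://localhost:7777/oauth/callback"],
    "claude-desktop": ["https://claude.ai/api/mcp/auth_callback"],
}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def lint_redirect_uri(uri):
    """Return problems that make a redirect URI a poor identifier value."""
    parts = urlsplit(uri)
    problems = []
    if parts.scheme not in ("http", "https") or not parts.hostname:
        problems.append("not an absolute http(s) URI")
    elif parts.scheme == "http" and parts.hostname not in LOOPBACK:
        # OAuth permits plain http callbacks only on the loopback interface.
        problems.append("plain http on a non-loopback host")
    if parts.fragment:
        problems.append("contains a fragment")
    return problems


def match_registration(dcr_body, workloads=WORKLOADS):
    """Map each redirect URI in a DCR request to a workload name or None.

    Assumption: matching is exact string comparison, so a trailing slash,
    a different port or a different host is a different identifier.
    """
    request = json.loads(dcr_body)
    index = {uri: name for name, uris in workloads.items() for uri in uris}
    return {uri: index.get(uri) for uri in request.get("redirect_uris", [])}


# Constructed RFC 7591 registration request body, as an MCP client might send.
SAMPLE_DCR = json.dumps({
    "client_name": "Gemini CLI",
    "redirect_uris": [
        "http://localhost:7777/oauth/callback",
        "http://localhost:7777/oauth/callback/",  # trailing slash: no match
    ],
    "grant_types": ["authorization_code"],
})

if __name__ == "__main__":
    for uri, name in match_registration(SAMPLE_DCR).items():
        print(uri, "->", name or "no Client Workload", lint_redirect_uri(uri))
```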