Authorization for Hosted Servers
Introducing TollBit Tokens
We’re excited to announce a preview of TollBit Tokens, an authorization system that lets your MCP servers authorize or block incoming traffic.
When a user makes a tool call through TollBit’s MCP server, we generate a signed JWT that contains the user’s identity and the tool they are calling. This JWT is then passed to your own MCP server in the Authorization header under _meta in the tool call.
The token gives you the ability to:
- Reject traffic from sources outside of TollBit. For paid servers and tools, a token whose signature verifies is your evidence that payment has been completed before the call reached you.
- Identify which users are calling your tools. The JWT contains the user’s TollBit ID, which you can use for purposes such as tying sessions to a user, implementing your own rate limiting, or understanding who is using your server and how often.
Format for the TollBit token
The TollBit token is a signed JWT that contains the following claims:
- iss: The issuer of the token, which is always https://gateway.tollbit.com/foundry. Reject tokens with any other issuer.
- sub: The subject of the token, which is the user’s TollBit ID.
- aud: The audience of the token, which is the host of your MCP server. Check that it matches your own host, so that a token issued for a different server cannot be presented to yours.
- iat: The issued-at time, which is the time the token was issued.
- nbf: The not-before time, which is set to 1 minute before the iat time to tolerate clock skew between TollBit and your server (replay protection comes from exp and jti, not from nbf).
- exp: The expiration time, which is set to 5 minutes after the iat time. Reject the token once this has passed.
- jti: A unique identifier for the token, which is the transaction ID of the tool call. You can cross-reference this transaction ID in your dashboard. Treat it as a nonce: record each accepted jti until its exp has passed and reject any repeat, so that a captured token cannot be replayed within its validity window.
The public key for the signature is available at https://oauth.tollbit.com/.well-known/jwks.json with the key id mcp_key_01, though this may change in the future.
We recommend using the kid header in the JWT to determine which key to use for verification, so that a key rotation does not break your server.
Many JWT libraries handle this automatically, but if you are using a lower-level library you may need to implement it yourself.
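What a receiving MCP server has to do with the token, covering both the claims listed above and the kid-based key selection, as an added example that is not TollBit’s code: it picks the key out of a JWKS document by kid, pins the algorithm, checks the signature, checks iss and aud, applies the nbf/exp window with a skew allowance, and keeps a jti cache so a replayed transaction ID is rejected. So that it runs offline, it includes a constructed stand-in issuer and a stdlib-only RS256 implementation built on a deliberately insecure demo key (two published Mersenne primes). The algorithm RS256, the host mcp.example.com, the user ID and the transaction ID are assumptions; the page does not state the signing algorithm, so pin whatever alg the real JWKS entry declares.

```python
import base64, hashlib, hmac, json, time

ISSUER = "https://gateway.tollbit.com/foundry"
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017, section 9.2

class TokenError(Exception): pass  # raised for any token that must be rejected; message names the check

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Toy RS256 (RSASSA-PKCS1-v1_5 with SHA-256) on stdlib big ints so the example runs offline.
# The issuer key is built from two published Mersenne primes: deliberately insecure, walkthrough only.
# Production code should verify with a maintained JWT library (PyJWT, python-jose) instead.
DEMO_P, DEMO_Q, DEMO_E = (1 << 521) - 1, (1 << 607) - 1, 65537
DEMO_KEY = (DEMO_P * DEMO_Q, DEMO_E, pow(DEMO_E, -1, (DEMO_P - 1) * (DEMO_Q - 1)))  # (n, e, d)

def _emsa(msg: bytes, k: int) -> bytes:  # EMSA-PKCS1-v1_5 encoding of SHA-256(msg) to k bytes
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(priv: tuple, msg: bytes) -> bytes:
    n, _, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(msg, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(n: int, e: int, msg: bytes, sig: bytes) -> bool:
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa(msg, k))

def jwk_from_public(kid: str, n: int, e: int) -> dict:
    enc = lambda x: b64url(x.to_bytes((x.bit_length() + 7) // 8, "big"))
    return {"kty": "RSA", "kid": kid, "n": enc(n), "e": enc(e)}

def issue_token(priv: tuple, kid: str, sub: str, aud: str, jti: str, now: int) -> str:
    """Constructed stand-in for TollBit's gateway: mints a token with the documented claims."""
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    claims = {"iss": ISSUER, "sub": sub, "aud": aud, "iat": now, "nbf": now - 60, "exp": now + 300, "jti": jti}
    signing_input = f'{compact({"alg": "RS256", "typ": "JWT", "kid": kid})}.{compact(claims)}'
    return f"{signing_input}.{b64url(rs256_sign(priv, signing_input.encode()))}"

class TollbitVerifier:
    """Checks a TollBit token against a JWKS document and keeps a jti cache to catch replays."""
    def __init__(self, jwks: dict, audience: str, skew: int = 60):
        self.jwks, self.audience, self.skew = jwks, audience, skew
        self.seen_jti = {}  # jti -> exp; an entry is dropped once that token could not be accepted anyway

    def verify(self, token: str, now: int = None) -> dict:
        now = int(time.time()) if now is None else now
        try:
            h64, c64, s64 = token.split(".")
            header, claims, sig = json.loads(b64url_decode(h64)), json.loads(b64url_decode(c64)), b64url_decode(s64)
        except ValueError as exc:  # wrong segment count, bad base64 or bad JSON
            raise TokenError("malformed token") from exc
        # Pin the algorithm; never let the token choose it (alg=none, RS256->HS256 key confusion).
        if not isinstance(header, dict) or not isinstance(claims, dict) or header.get("alg") != "RS256":
            raise TokenError("unexpected alg")
        key = next((k for k in self.jwks.get("keys", []) if k.get("kid") == header.get("kid")), None)
        if key is None or key.get("kty") != "RSA":
            raise TokenError("unknown kid")
        n, e = (int.from_bytes(b64url_decode(key[p]), "big") for p in ("n", "e"))
        if not rs256_verify(n, e, f"{h64}.{c64}".encode(), sig):
            raise TokenError("bad signature")
        for claim, want in (("iss", ISSUER), ("aud", self.audience)):
            if claims.get(claim) != want:
                raise TokenError(f"wrong {claim}")
        if any(c not in claims for c in ("sub", "iat", "nbf", "exp", "jti")):
            raise TokenError("missing claim")
        if now + self.skew < claims["nbf"]:
            raise TokenError("token not yet valid")
        if now - self.skew >= claims["exp"]:
            raise TokenError("token expired")
        self.seen_jti = {j: x for j, x in self.seen_jti.items() if x + self.skew > now}
        if claims["jti"] in self.seen_jti:
            raise TokenError("replayed jti")
        self.seen_jti[claims["jti"]] = claims["exp"]
        return claims

def demo() -> dict:
    """Constructed walkthrough: a good call, then a replay, a forgery, an expired token and a wrong audience."""
    n, e, _ = DEMO_KEY
    jwks = {"keys": [jwk_from_public("mcp_key_01", n, e)]}  # what fetching the JWKS URL would return
    verifier, now = TollbitVerifier(jwks, audience="mcp.example.com"), 1_700_000_000  # assumed host
    token = issue_token(DEMO_KEY, "mcp_key_01", "tollbit_user_123", "mcp.example.com", "txn_0001", now)
    out = {"first_use": verifier.verify(token, now)["sub"]}
    h64, c64, s64 = token.split(".")
    body = dict(json.loads(b64url_decode(c64)), sub="someone_else")  # edit the payload, keep the signature
    tampered = f"{h64}.{b64url(json.dumps(body, separators=(',', ':')).encode())}.{s64}"
    cases = {"replay": (token, now, verifier), "tampered": (tampered, now, verifier),
             "expired": (token, now + 400, verifier), "wrong_aud": (token, now, TollbitVerifier(jwks, "other.example.com"))}
    for label, (tok, at, v) in cases.items():
        try:
            out[label] = v.verify(tok, at) and "accepted"
        except TokenError as exc:
            out[label] = str(exc)
    return out
```

In a real server the JWKS comes from the URL above: cache it, and on an unknown kid refetch once (rate-limited) before rejecting, which is how a key rotation is absorbed without an outage. The jti cache here is in-process; if you run several replicas behind one host, keep it in shared storage so a replay cannot be bounced to a replica that has not seen the transaction ID.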
Example of a TollBit token
You can plug this into jwt.io to see the decoded claims and verify the signature.
To verify the signature, you can use the public key available at https://oauth.tollbit.com/.well-known/jwks.json with the key id mcp_key_01.
At the time of posting this, it should be: