
# Token Management

Token management is a critical part of the system's security, handled primarily by the RAG API.

## **Token Generation**

The process involves two main steps:

### **Step 1: User Registration**

```mermaid
graph TD
    A[User] -->|Sends Email & Password| B(POST /register)
    B --> C[Hash Password with bcrypt]
    C --> D[Store User in Database]
```

### **Step 2: User Login & Token Generation**

```mermaid
graph TD
    A[User] -->|Sends Credentials| B(POST /token)
    B --> C[Verify Credentials in DB]
    C --> D[Determine User Roles]
    D --> E[Generate JWT Token]
    E --> F[Return Token to User]
```

## **Token Usage**

Once a client has a JWT, it includes it in the `Authorization` header of every request to the MCP Server. The server then validates the token before processing the request.

```mermaid
sequenceDiagram
    participant Client
    participant MCP Server
    participant RAG API
    participant Database

    Client->>MCP Server: Tool Call + JWT Token
    
    Note over MCP Server: 1. Extract Token<br/>2. Verify JWT Signature
    
    MCP Server->>Database: 3. Validate User in DB
    Database-->>MCP Server: User Record
    
    Note over MCP Server: (If RAG tool is called)
    MCP Server->>RAG API: 4. Forward Request + Token
    Note over RAG API: 5. Verify Token Again
    RAG API-->>MCP Server: Processed Result
    
    MCP Server-->>Client: Response
```

## **Key Security Measures**

* **Signature Verification**: Prevents token tampering.
* **Expiration Check**: Tokens have a limited lifetime (e.g., 30 minutes).
* **Database Validation**: Ensures the user associated with the token still exists and is active.
* **Issuer/Audience Validation**: Prevents a token from one system from being used on another.
* **Not-Before Check**: Prevents a token from being used before it becomes valid.
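As an added example (not code from the MCP Server or the RAG API), the following Python applies each check in the list above to an HS256 JWT in the order a validator would: signature first, then claims, then the user lookup. The signing key, the issuer/audience names and the in-memory user table are constructed assumptions; the product's actual algorithm and claim names are not documented on this page.

```python
import base64, hashlib, hmac, json

# Constructed example values (not the product's): HS256 key, issuer/audience names, stand-in user table.
SECRET = b"example-signing-key"
ISSUER, AUDIENCE = "rag-api", "mcp-server"
USERS = {"alice": {"active": True}, "bob": {"active": False}}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(sub: str, roles: list, now: int, ttl: int = 1800) -> str:
    """Mint an HS256 JWT carrying the claims the checks below rely on (30-minute lifetime)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"sub": sub, "roles": roles, "iss": ISSUER, "aud": AUDIENCE,
                                 "iat": now, "nbf": now, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"

def validate_token(token: str, now: int) -> dict:
    """Apply each check from the list above; raise ValueError naming the first one that fails."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, c64, s64 = parts
    if json.loads(_b64url_decode(h64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never trust the token's own choice
    expected = hmac.new(SECRET, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")  # signature verification
    claims = json.loads(_b64url_decode(c64))
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")  # expiration check
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")  # issuer/audience validation
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")  # not-before check
    if not USERS.get(claims.get("sub"), {}).get("active"):
        raise ValueError("user missing or inactive")  # database validation
    return claims

def check(token: str, now: int) -> str:
    """Return 'ok' or the reason the token was rejected."""
    try:
        validate_token(token, now)
        return "ok"
    except ValueError as e:
        return str(e)
```

Because the signature is checked before any claim is read, a tampered payload is rejected without its claims ever being trusted.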

<sub>*This page is: Copyright © 2025 MariaDB. All rights reserved.*</sub>
