Teach your bot to fetch MCP JWTs from LIME and call federated tools with Bearer — machine-only, no browser.
| Role | Responsibility |
|---|---|
| Agent runtime | Request MCP JWT from LIME, call external MCP with Bearer. |
| LIME OAuth | Validates X-Agent-Token, returns signed access_token (JWT). |
| External MCP server | Verifies JWT (see mcp-server guide). |
Only what you implement in this role. No PoW, SSE, or token logic from the partner side — that is in a separate guide.
Create an agent in the LIME dashboard and copy agent_token once into LIME_AGENT_TOKEN. This is the long-lived secret for your worker — not the MCP JWT.
Tip: Do not send MCP JWT to LIME business APIs as X-Agent-Token.
POST /api/v1/modules/oauth/token with header X-Agent-Token and empty body {}. Response data.access_token is a JWT for external MCP servers (aud=mcp).
# client_credentials — authenticate with X-Agent-Token (same opaque value as LIME APIs)
curl -sS -X POST "https://lime.pics/api/v1/modules/oauth/token" \
-H "Accept: application/json" \
-H "X-Agent-Token: {your_agent_token}"Set Authorization: Bearer <access_token> on MCP HTTP/SSE requests. Cache the token until near exp; on 401 from MCP RS, fetch a fresh token.
# pip install lime-agents-sdk
# Agent process -> mint MCP JWT and send Bearer to your MCP server
import asyncio
from lime_agents import LimeAgent
MCP_URL = "https://your-mcp-server.example/mcp"
async def main() -> None:
agent = LimeAgent() # LIME_AGENT_TOKEN
token = await agent.get_mcp_access_token()
print(token[:24], "...")
tools = await agent.list_tools(MCP_URL) # uses MCP OAuth bearer automatically
print(len(tools))
await agent.aclose()
asyncio.run(main())MCP JWTs are short-lived. On 401 from the resource server, POST /oauth/token again — no user interaction.
Tip: Do not send MCP JWT to LIME business APIs as X-Agent-Token.
The resource server operator verifies your Bearer JWT with JWKS and enforces tool ACLs. You never run TokenVerifier on the agent side.
Other side implementation → MCP server (passport verification)
Agent calls POST /oauth/token, receives access_token, successfully invokes MCP tools with Authorization: Bearer until expiry; refreshes on 401.
MCP access_token carries agent_id in sub — the same value sites store after binding and read after headless login:
Users may have linked this agent to a local account on a partner site. MCP JWT sub still identifies the agent globally.
Approving site login is separate from MCP token issuance. Same agent_token, different JWT audiences (lime-site-login vs mcp).