googleapis
diff --git a/‎docs/en/documentation/configuration/authentication/generic.md‎
Lines changed: 12 additions & 21 deletions b/‎docs/en/documentation/configuration/authentication/generic.md‎
Lines changed: 12 additions & 21 deletions
diff --git a/‎docs/en/documentation/configuration/authentication/google.md‎
Lines changed: 55 additions & 30 deletions b/‎docs/en/documentation/configuration/authentication/google.md‎
Lines changed: 55 additions & 30 deletions
diff --git a/‎internal/auth/auth.go‎
Lines changed: 18 additions & 0 deletions b/‎internal/auth/auth.go‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎internal/auth/generic/generic.go‎
Lines changed: 30 additions & 10 deletions b/‎internal/auth/generic/generic.go‎
Lines changed: 30 additions & 10 deletions
@@ -48,7 +48,7 @@ When a request is received in this mode, the service will:
 #### Example
 
 ```yaml
-kind: authServices
+kind: authService
 name: my-generic-auth
 type: generic
 audience: ${YOUR_OIDC_AUDIENCE}
@@ -112,7 +112,7 @@ When a request is received in this mode, the service will:
 #### Example
 
 ```yaml
-kind: authServices
+kind: authService
 name: my-generic-auth
 type: generic
 audience: ${YOUR_TOKEN_AUDIENCE}
@@ -123,28 +123,19 @@ scopesRequired:
   - write
 ```
 
-#### Google Opaque Access Token Validation Example
+#### Google Authentication Note
 
-To use Google's `tokeninfo` endpoint for validating opaque access tokens, configure the service to use the `GET` method and `access_token` parameter name:
-
-```yaml
-kind: authServices
-name: google-auth
-type: generic
-audience: "YOUR_GOOGLE_CLIENT_ID.apps.googleusercontent.com"
-authorizationServer: https://accounts.google.com
-introspectionEndpoint: https://www.googleapis.com/oauth2/v3/tokeninfo
-introspectionMethod: GET
-introspectionParamName: access_token
-mcpEnabled: true
-```
+> [!WARNING]
+> Do not configure Google's tokeninfo endpoint (`https://oauth2.googleapis.com/tokeninfo`) using `type: generic`. Because the generic OIDC service strictly enforces the presence and validity of the `active` claim (RFC 7662), and Google's tokeninfo endpoint does not return this claim, validation will fail.
+>
+> To authenticate with Google tokens, use the native [Google Sign-In](./google.md) auth service (`type: google`) instead, which natively handles Google's endpoints and token formats.
 
 #### Okta OIDC Configuration Example
 
 To secure your MCP server or tools using Okta as the identity provider:
 
 ```yaml
-kind: authServices
+kind: authService
 name: okta-auth
 type: generic
 audience: api://default # Or your custom Okta audience
@@ -197,7 +188,7 @@ ${ENV_NAME} instead of hardcoding your secrets into the configuration file.
 | audience               |  string  |     true     | The expected audience (`aud` claim) in the token. This ensures the token was minted specifically for your application. See [Getting Started](#getting-started) for details on OIDC audience matching. |
 | authorizationServer    |  string  |     true     | The base URL of your OIDC provider. The service will append `/.well-known/openid-configuration` to discover the JWKS URI. HTTP is allowed but logs a warning.                                         |
 | mcpEnabled             |   bool   |    false     | Indicates if MCP endpoint authentication should be applied. Defaults to false.                                                                                                                        |
-| scopesRequired         | []string |    false     | A list of required scopes that must be present in the token's `scope` claim to be considered valid.                                                                                                   |
-| introspectionEndpoint  |  string  |    false     | Optional override for the token introspection URL. Useful if the provider does not list it in OIDC discovery (e.g., Google).                                                                          |
-| introspectionMethod    |  string  |    false     | HTTP method to use for introspection. Defaults to "POST". Set to "GET" for providers like Google.                                                                                                     |
-| introspectionParamName |  string  |    false     | Parameter name for the token in the introspection request. Defaults to "token". Set to "access_token" for Google.                                                                                     |
+| scopesRequired         | []string |    false     | A list of required scopes that must be present in the token's `scope` claim to be considered valid. Disallowed if `mcpEnabled` is false.                                                             |
+| introspectionEndpoint  |  string  |    false     | Optional override for the token introspection URL. Useful if the provider does not list it in OIDC discovery (e.g., Google). Disallowed if `mcpEnabled` is false.                                   |
+| introspectionMethod    |  string  |    false     | HTTP method to use for introspection. Defaults to "POST". Set to "GET" for providers like Google. Disallowed if `mcpEnabled` is false.                                                               |
+| introspectionParamName |  string  |    false     | Parameter name for the token in the introspection request. Defaults to "token". Set to "access_token" for Google. Disallowed if `mcpEnabled` is false.                                               |
@@ -3,57 +3,82 @@ title: "Google Sign-In"
 type: docs
 weight: 1
 description: >
-  Use Google Sign-In for Oauth 2.0 flow and token lifecycle.
+  Use Google Sign-In for OAuth 2.0 flow and token lifecycle.
 ---
 
 ## Getting Started
 
-Google Sign-In manages the OAuth 2.0 flow and token lifecycle. To integrate the
-Google Sign-In workflow to your web app [follow this guide][gsi-setup].
+Google Sign-In manages the OAuth 2.0 flow and token lifecycle. To integrate the Google Sign-In workflow to your web app, [follow this guide][gsi-setup].
 
-After setting up the Google Sign-In workflow, you should have registered your
-application and retrieved a [Client ID][client-id]. Configure your auth service
-in with the `Client ID`.
+After setting up Google Sign-In, configure your auth service in the toolbox. The Google auth provider supports two distinct validation modes:
 
-[gsi-setup]: https://developers.google.com/identity/sign-in/web/sign-in
-[client-id]: https://developers.google.com/identity/sign-in/web/sign-in#create_authorization_credentials
+1. **Web App Claims (OIDC)**: Used to authenticate user requests in web applications.
+2. **MCP Authorization**: Used to secure the entire MCP server transport (SSE or Stdio).
 
-## Behavior
+[gsi-setup]: https://developers.google.com/identity/sign-in/web/sign-in
 
-### Authorized Invocations
+## Configuration Modes
 
-When using [Authorized Invocations][auth-invoke], a tool will be
-considered authorized if it has a valid Oauth 2.0 token that matches the Client
-ID.
+### 1. Web App OIDC Authentication
+If you are developing a web application using the Toolbox and need to retrieve user claims from Google ID tokens sent in custom request headers, configure the `clientId` field.
 
-[auth-invoke]: ../tools/_index.md#authorized-invocations
+- **Header**: Expects the token in the `<name>_token` header (e.g. `my-google-auth_token`).
+- **Token Type**: Google OIDC ID tokens (JWT).
 
-### Authenticated Parameters
+#### Example
+```yaml
+kind: authService
+name: my-google-auth
+type: google
+clientId: ${YOUR_GOOGLE_CLIENT_ID}
+```
 
-When using [Authenticated Parameters][auth-params], any [claim provided by the
-id-token][provided-claims] can be used for the parameter.
+---
 
-[auth-params]: ../tools/_index.md#authenticated-parameters
-[provided-claims]:
-    https://developers.google.com/identity/openid-connect/openid-connect#obtaininguserprofileinformation
+### 2. MCP Authorization
+To secure all endpoints on your MCP server using Google OAuth tokens, enable `mcpEnabled` and specify the `audience` field.
 
-## Example
+- **Header**: Expects the token in the standard `Authorization: Bearer <token>` header.
+- **Token Type**: Supports both Google **ID tokens (JWT)** and Google **opaque access tokens**.
 
+#### Example
 ```yaml
 kind: authService
 name: my-google-auth
 type: google
-clientId: ${YOUR_GOOGLE_CLIENT_ID}
+audience: ${YOUR_GOOGLE_CLIENT_ID}
+mcpEnabled: true
+scopesRequired:
+  - https://www.googleapis.com/auth/userinfo.email
 ```
 
-{{< notice tip >}}
-Use environment variable replacement with the format ${ENV_NAME}
-instead of hardcoding your secrets into the configuration file.
-{{< /notice >}}
+> [!IMPORTANT]
+> - For **ID tokens (JWT)**: Local cryptographic signature verification is performed, which requires `audience` to be configured. If `audience` is not set, the provider will fall back to using `clientId`. If neither is configured, validation will fail.
+> - For **Opaque tokens**: The provider automatically queries Google's secure tokeninfo endpoint (`https://oauth2.googleapis.com/tokeninfo`) and validates the resulting audience against the configured `audience` field (falling back to `clientId` if `audience` is not set).
+
+---
+
+## Behavior
+
+### Authorized Invocations
+When using [Authorized Invocations][auth-invoke], a tool will be considered authorized if it has a valid OAuth 2.0 token that matches the Client ID or Audience.
+
+[auth-invoke]: ../tools/_index.md#authorized-invocations
+
+### Authenticated Parameters
+When using [Authenticated Parameters][auth-params], any [claim provided by the id-token][provided-claims] can be used for the parameter.
+
+[auth-params]: ../tools/_index.md#authenticated-parameters
+[provided-claims]: https://developers.google.com/identity/openid-connect/openid-connect#obtaininguserprofileinformation
+
+---
 
 ## Reference
 
-| **field** | **type** | **required** | **description**                                                  |
-|-----------|:--------:|:------------:|------------------------------------------------------------------|
-| type      |  string  |     true     | Must be "google".                                                |
-| clientId  |  string  |     true     | Client ID of your application from registering your application. |
+| **field**      | **type** | **required** | **description**                                                                                                                              |
+|----------------|:--------:|:------------:|----------------------------------------------------------------------------------------------------------------------------------------------|
+| type           |  string  |     true     | Must be "google".                                                                                                                            |
+| clientId       |  string  |    false     | Client ID of your application. Required for validating ID tokens in non-MCP web apps (`GetClaimsFromHeader`), and acts as a fallback for `audience` in MCP auth mode if `audience` is not configured. |
+| audience       |  string  |    false     | Expected audience. Required for validating ID tokens in MCP Auth mode (unless `clientId` is configured as a fallback). If specified, also validates opaque token audiences. Disallowed if `mcpEnabled` is false. |
+| mcpEnabled     |   bool   |    false     | Enforces global MCP transport authentication using the `Authorization: Bearer` header. Defaults to false.                                    |
+| scopesRequired | []string |    false     | A list of required scopes that must be present in the token's claims/metadata to be considered valid. Disallowed if `mcpEnabled` is false. |
@@ -32,3 +32,21 @@ type AuthService interface {
 	GetClaimsFromHeader(context.Context, http.Header) (map[string]any, error)
 	ToConfig() AuthServiceConfig
 }
+
+// MCPAuthError represents an error during MCP authentication validation.
+type MCPAuthError struct {
+	Code           int
+	Message        string
+	ScopesRequired []string
+}
+
+func (e *MCPAuthError) Error() string { return e.Message }
+
+// MCPAuthService is the interface for authentication services that support MCP auth.
+type MCPAuthService interface {
+	AuthService
+	IsMCPEnabled() bool
+	GetScopesRequired() []string
+	GetAuthorizationServer() string
+	ValidateMCPAuth(context.Context, http.Header) (map[string]any, error)
+}
@@ -57,6 +57,20 @@ func (cfg Config) AuthServiceConfigType() string {
 
 // Initialize a generic auth service
 func (cfg Config) Initialize() (auth.AuthService, error) {
+	if !cfg.McpEnabled {
+		if cfg.IntrospectionEndpoint != "" {
+			return nil, fmt.Errorf("`introspectionEndpoint` is not allowed when `mcpEnabled` is false")
+		}
+		if cfg.IntrospectionMethod != "" {
+			return nil, fmt.Errorf("`introspectionMethod` is not allowed when `mcpEnabled` is false")
+		}
+		if cfg.IntrospectionParamName != "" {
+			return nil, fmt.Errorf("`introspectionParamName` is not allowed when `mcpEnabled` is false")
+		}
+		if len(cfg.ScopesRequired) > 0 {
+			return nil, fmt.Errorf("`scopesRequired` is not allowed when `mcpEnabled` is false")
+		}
+	}
 	httpClient := newSecureHTTPClient()
 
 	// Discover OIDC endpoints
@@ -157,7 +171,7 @@ func discoverOIDCConfig(client *http.Client, AuthorizationServer string) (jwksUR
 	return config.JwksUri, config.IntrospectionEndpoint, config.Issuer, nil
 }
 
-var _ auth.AuthService = AuthService{}
+var _ auth.MCPAuthService = AuthService{}
 
 // struct used to store auth service info
 type AuthService struct {
@@ -182,6 +196,18 @@ func (a AuthService) GetName() string {
 	return a.Name
 }
 
+func (a AuthService) IsMCPEnabled() bool {
+	return a.McpEnabled
+}
+
+func (a AuthService) GetScopesRequired() []string {
+	return a.ScopesRequired
+}
+
+func (a AuthService) GetAuthorizationServer() string {
+	return a.AuthorizationServer
+}
+
 // Verifies generic JWT access token inside the Authorization header
 func (a AuthService) GetClaimsFromHeader(ctx context.Context, h http.Header) (map[string]any, error) {
 	if a.McpEnabled {
@@ -230,13 +256,7 @@ func (a AuthService) GetClaimsFromHeader(ctx context.Context, h http.Header) (ma
 }
 
 // MCPAuthError represents an error during MCP authentication validation.
-type MCPAuthError struct {
-	Code           int
-	Message        string
-	ScopesRequired []string
-}
-
-func (e *MCPAuthError) Error() string { return e.Message }
+type MCPAuthError = auth.MCPAuthError
 
 // ValidateMCPAuth handles MCP auth token validation
 func (a AuthService) ValidateMCPAuth(ctx context.Context, h http.Header) (map[string]any, error) {
@@ -386,7 +406,7 @@ func (a AuthService) validateOpaqueToken(ctx context.Context, tokenStr string) (
 		return nil, fmt.Errorf("failed to parse introspection response: %w", err)
 	}
 
-	if introspectResp.Active != nil && !*introspectResp.Active {
+	if introspectResp.Active == nil || !*introspectResp.Active {
 		logger.InfoContext(ctx, "token is not active")
 		return nil, &MCPAuthError{Code: http.StatusUnauthorized, Message: "token is not active", ScopesRequired: a.ScopesRequired}
 	}
@@ -476,7 +496,7 @@ func (a AuthService) validateClaims(ctx context.Context, iss string, aud []strin
 
 	// Check scopes
 	if len(a.ScopesRequired) > 0 {
-		tokenScopes := strings.Split(scopeStr, " ")
+		tokenScopes := strings.Fields(scopeStr)
 		scopeMap := make(map[string]bool)
 		for _, s := range tokenScopes {
 			scopeMap[s] = true