Maximo MCP
Enterprise-Grade Security

Supercharge Maximo with AI

Connect your Maximo environment to Claude.ai, Claude Desktop, or any AI agent — secured by OAuth 2.1, JWE encryption, and a zero-knowledge token architecture.

How Authentication Works

Every request goes through a battle-tested security pipeline — from your browser to Maximo.

1. Authenticate

You log in via Clerk. Your subscription plan and features are embedded as signed session claims — no round-trips needed.

2. Authorize

OAuth 2.1 Authorization Code flow with mandatory PKCE (S256). A short-lived auth code (5-min TTL) is issued and encrypted.

3. Token Issued

The Portal mints a JWE token encrypted with an RSA public key. Only the MCP Server — holding the private key — can ever decrypt it.

4. Secure Access

The MCP Server validates the JWE, checks token revocation, enforces usage quotas, and proxies your request to Maximo.

Security at Every Layer

Defense-in-depth is not a buzzword here — it is the architecture.

OAuth 2.1 + PKCE

Authorization Code flow enforces PKCE with S256 — the OAuth 2.1 standard. Authorization codes are single-use, encrypted blobs with a 5-minute TTL.
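The code-issuance and redemption step described here (and in step 2 above) can be shown end to end. The following is an added illustration, not Maximo MCP's own code: it implements the S256 challenge from RFC 7636, an authorization code bound to that challenge, the 5-minute TTL, and single-use redemption. The in-memory `AuthCodeStore`, the hypothetical `demo_flow` helper and the injectable clock are assumptions made for the example; the page's encrypted code blobs are replaced by a server-side store.

```python
import base64
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

AUTH_CODE_TTL_SECONDS = 300.0  # the 5-minute TTL the page describes


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Client side: 32 random bytes -> 43-char verifier (RFC 7636 allows 43..128)."""
    return b64url(secrets.token_bytes(32))


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


@dataclass
class PendingCode:
    user_id: str
    code_challenge: str
    issued_at: float


@dataclass
class AuthCodeStore:
    """Authorization-server side. In-memory stand-in (assumption) for the
    page's encrypted code blobs; the clock is injectable so TTL is testable."""
    ttl: float = AUTH_CODE_TTL_SECONDS
    clock: Callable[[], float] = time.monotonic
    _codes: Dict[str, PendingCode] = field(default_factory=dict)

    def issue(self, user_id: str, code_challenge: str,
              code_challenge_method: str = "S256") -> str:
        # PKCE is mandatory and only S256 is accepted; "plain" is rejected outright.
        if code_challenge_method != "S256" or not code_challenge:
            raise ValueError("PKCE with S256 is required")
        code = b64url(secrets.token_bytes(32))
        self._codes[code] = PendingCode(user_id, code_challenge, self.clock())
        return code

    def redeem(self, code: str, code_verifier: str) -> Optional[str]:
        """Return the user_id if the code is valid, else None.
        The code is removed on the FIRST redemption attempt, so a wrong
        verifier burns it and a replay of a good code also fails."""
        pending = self._codes.pop(code, None)
        if pending is None:
            return None
        if self.clock() - pending.issued_at > self.ttl:
            return None
        presented = s256_challenge(code_verifier)
        if not secrets.compare_digest(presented, pending.code_challenge):
            return None
        return pending.user_id


def demo_flow() -> Optional[str]:
    """Hypothetical happy path: the client creates verifier and challenge, the
    server issues a code bound to the challenge, the client redeems it."""
    verifier = make_code_verifier()
    store = AuthCodeStore()
    code = store.issue("user-123", s256_challenge(verifier))
    return store.redeem(code, verifier)
```

Note the ordering in `redeem`: the code is popped from the store before any check, which is what makes it single-use even when the first attempt fails, and the challenge comparison uses a constant-time compare.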

JWE Token Encryption

Tokens are encrypted with RSA-OAEP-256 + A256GCM. The payload — including Maximo credentials — is opaque to every party except the MCP Server.

Zero-Knowledge Architecture

The Portal holds only the RSA public key and can never read or forge tokens. Even a compromised Portal cannot impersonate the MCP Server.

Token Revocation

Tokens are checked against a Redis revocation cache on every request. A circuit breaker ensures that long-lived tokens always fail closed if Redis is unavailable.
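To make the fail-closed behaviour concrete, here is an added example (not Maximo MCP's code) of a per-request revocation check wrapped in a circuit breaker. The `lookup` callable stands in for the Redis query and is an assumption; so is the degraded-mode rule for short-lived tokens, which the page does not specify: long-lived (non-expiring) tokens are always rejected while the cache is unreachable, while tokens with a short remaining lifetime are tolerated for at most `degraded_max_remaining` seconds.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Optional


class CacheUnavailable(Exception):
    """Raised by the lookup when the revocation cache cannot be reached."""


@dataclass
class TokenClaims:
    jti: str              # token id checked against the revocation cache
    exp: Optional[float]  # epoch seconds; None means a non-expiring automation token


@dataclass
class CircuitBreaker:
    """Trips after `failure_threshold` consecutive cache errors, stays open for
    `reset_after` seconds, then lets one probe through (half-open)."""
    failure_threshold: int = 3
    reset_after: float = 30.0
    clock: Callable[[], float] = time.monotonic
    failures: int = 0
    opened_at: Optional[float] = None

    def is_open(self) -> bool:
        if self.opened_at is None:
            return False
        if self.clock() - self.opened_at >= self.reset_after:
            self.opened_at = None  # half-open: the next call probes the cache
            return False
        return True

    def record_failure(self) -> None:
        self.failures += 1
        if self.failures >= self.failure_threshold:
            self.opened_at = self.clock()

    def record_success(self) -> None:
        self.failures = 0
        self.opened_at = None


@dataclass
class RevocationGuard:
    lookup: Callable[[str], bool]  # assumption: True if jti is revoked; raises CacheUnavailable
    breaker: CircuitBreaker = field(default_factory=CircuitBreaker)
    degraded_max_remaining: float = 900.0  # assumption: <=15 min of life tolerated in degraded mode

    def is_allowed(self, claims: TokenClaims, now: float) -> bool:
        if claims.exp is not None and claims.exp <= now:
            return False  # expired, regardless of cache state
        if not self.breaker.is_open():
            try:
                revoked = self.lookup(claims.jti)
            except CacheUnavailable:
                self.breaker.record_failure()
            else:
                self.breaker.record_success()
                return not revoked
        # Degraded path: the cache is down or the breaker is open.
        if claims.exp is None:
            return False  # long-lived token: fail closed, as the page describes
        return claims.exp - now <= self.degraded_max_remaining
```

The breaker matters for latency as much as for safety: once it is open, requests stop waiting on a dead cache and go straight to the degraded decision, and the half-open probe lets service recover without a restart.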

Rate Limiting

Failed authentication attempts are rate-limited per client with a configurable window and threshold, protecting against brute-force and credential stuffing.
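A per-client sliding-window limiter of the kind described here, as an added example rather than the project's implementation. The threshold and window are the configurable parameters the page mentions; the `authenticate` helper, the client key and the constant-time secret comparison are assumptions made for the illustration.

```python
import hmac
import time
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict


@dataclass
class FailedAuthLimiter:
    """Sliding-window count of failed attempts, keyed per client."""
    threshold: int = 5             # configurable threshold
    window_seconds: float = 300.0  # configurable window
    clock: Callable[[], float] = time.monotonic
    _failures: Dict[str, Deque[float]] = field(default_factory=dict)

    def _recent(self, client_id: str, now: float) -> Deque[float]:
        q = self._failures.setdefault(client_id, deque())
        while q and now - q[0] >= self.window_seconds:
            q.popleft()  # drop failures that aged out of the window
        return q

    def is_blocked(self, client_id: str) -> bool:
        return len(self._recent(client_id, self.clock())) >= self.threshold

    def record_failure(self, client_id: str) -> None:
        now = self.clock()
        self._recent(client_id, now).append(now)

    def retry_after(self, client_id: str) -> float:
        """Seconds until the oldest in-window failure expires (0 if not blocked)."""
        now = self.clock()
        q = self._recent(client_id, now)
        if len(q) < self.threshold:
            return 0.0
        return self.window_seconds - (now - q[0])


def authenticate(limiter: FailedAuthLimiter, client_id: str,
                 presented_secret: str, expected_secret: str) -> str:
    """Hypothetical login handler. Returns 'ok', 'denied' or 'rate_limited'.
    A blocked client is refused before the secret is compared, so further
    guesses yield no signal until the window has moved on."""
    if limiter.is_blocked(client_id):
        return "rate_limited"
    if hmac.compare_digest(presented_secret.encode(), expected_secret.encode()):
        return "ok"
    limiter.record_failure(client_id)
    return "denied"
```

Only failures are counted and a success does not clear the window, so an attacker who controls one valid credential cannot use it to reset the limiter for the same client key; `retry_after` is what a handler would surface in a `Retry-After` header.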

Encrypted Credentials

Maximo API keys are encrypted with AES-128-CBC before being stored in Clerk user metadata. Raw credentials are never persisted.

Full Audit Logging

Every auth attempt and token use is recorded for compliance and forensics.

Security Headers

HSTS, CSP, X-Frame-Options, and Permissions-Policy enforced on every response.

Multi-Tenant Isolation

Each user's environments and credentials are strictly isolated at the data layer.

Long-Lived Automation Tokens

Generate non-expiring tokens for CI/CD pipelines and automation platforms.