I would like to clarify the OAuth authentication requirements for the Google BigQuery remote MCP server.
Endpoint:
https://bigquery.googleapis.com/mcp
Context:
When connecting to this endpoint from MCP clients such as Claude, users may be asked to provide an OAuth Client ID and Client Secret.
Since the BigQuery MCP server is a Google-hosted remote MCP server, my understanding is that an end user should be able to authenticate with their Google account via OAuth, and then access BigQuery resources for which that user has the required IAM permissions.
In that model, it seems unnecessary for each end user to provide their own OAuth Client ID and Client Secret. Instead, I would expect the MCP client application, or a SaaS application integrating with this server, to use its own Google OAuth client managed by the application, while each end user only completes the normal Google OAuth consent flow.
Could someone clarify the following?
- When using the BigQuery remote MCP server, does the MCP client need to provide its own OAuth Client ID and Client Secret?
- If so, is this a requirement or limitation of the Google BigQuery MCP server itself, or is it an implementation/operational choice of specific clients such as Claude?
- Is it supported for a SaaS application to use a Google OAuth client managed by the SaaS provider, while end users only go through the normal Google OAuth consent flow?
- In that setup, can the authenticated end user access BigQuery resources in another Google Cloud Project where that user has the required IAM permissions?
- What are the recommended OAuth configuration, required scopes, and any important caveats when integrating the BigQuery remote MCP server into a SaaS application?
Any links to official documentation would also be appreciated.