Tessera

Identity for humans, workloads, and agents.

Tessera is an owner-operated OAuth 2.1, OIDC, and MCP authorization platform. Invite-only. Built for serious products.

What it is

Tessera issues tokens for native mobile apps, web frontends, REST, GraphQL, and MCP servers, background daemons, and agentic systems. It speaks Authorization Code with PKCE, Client Credentials, Refresh Token rotation, Token Exchange, Device Code, and JWT-Bearer. It does not speak Implicit and it does not speak ROPC, because the specs say not to. Every realm is row-level-isolated in Postgres. Every signing key rotates automatically. Every token is audience-bound to the resource that asked for it.

  • Specs

    OAuth 2.1, OIDC Core + Discovery + Front-Channel Logout, MCP authorization 2025-11-25, RFC 8693 Token Exchange, RFC 8628 Device Code, RFC 7523 JWT-Bearer, RFC 8707 resource indicators, RFC 9449 DPoP.

  • Surfaces

    iOS and Android, web, REST and GraphQL APIs, MCP servers, background daemons, agentic systems.

  • Posture

    Single issuer domain, path-routed realms, row-level isolation in Postgres, automated key rotation, audience-bound tokens, audit trail as a queryable output.

Agent auth

Agents are first-class principals.

An agent acting on a user’s behalf gets a scoped, audience-bound, audit-trailed token via RFC 8693 Token Exchange — the agent’s actions are distinguishable in the logs from the user’s direct actions, and sensitive operations require fresh step-up authorization from the human in the loop.

Third-party MCP clients like Claude.ai connect to MCP servers Tessera fronts using the standard MCP authorization 2025-11-25 flow, including client-initiated metadata discovery. No custom client configuration. No tokens forwarded to upstream APIs. Provenance you can audit.
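As an added illustration, not Tessera's own code, of the checks a resource server fronted by Tessera would apply to such a token: audience binding, the RFC 8693 `act` claim to attribute an agent's action separately from the user's own, and a freshness window that forces step-up on sensitive operations. The HS256 shared key, the resource identifier, the 300-second step-up window and all claim values are constructed assumptions for the demo; a real verifier would validate against the issuer's rotating public keys from discovery.

```python
import base64, hashlib, hmac, json

RESOURCE = "https://api.example.test/orders"   # constructed: this server's own identifier
STEP_UP_MAX_AGE = 300                           # constructed policy: re-auth older than 5 min

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_hs256(claims: dict, key: bytes) -> str:
    """Constructed helper to produce sample input; only the verifier side matters here."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_hs256(token: str, key: bytes) -> dict:
    """Reject unexpected alg, check the signature in constant time, return the claims."""
    head, body, sig = token.split(".")
    if json.loads(_unb64url(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expect = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expect, _unb64url(sig)):
        raise ValueError("bad signature")
    return json.loads(_unb64url(body))

def authorize(claims: dict, sensitive: bool, now: int) -> tuple[bool, str, str]:
    """Audience binding, expiry, RFC 8693 actor provenance, step-up freshness."""
    aud = claims.get("aud")
    if RESOURCE not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch", ""        # token was issued for another resource
    if claims.get("exp", 0) <= now:
        return False, "token expired", ""
    actor = claims.get("act", {}).get("sub")          # set only on exchanged (delegated) tokens
    who = f"{actor} acting for {claims['sub']}" if actor else claims["sub"]
    if sensitive and now - claims.get("auth_time", 0) > STEP_UP_MAX_AGE:
        return False, "step-up required", who        # human must re-authorize
    return True, "ok", who                            # 'who' is the audit-log principal

def handle(token: str, key: bytes, sensitive: bool, now: int) -> tuple[bool, str, str]:
    try:
        claims = verify_hs256(token, key)
    except ValueError as e:
        return False, str(e), ""
    return authorize(claims, sensitive, now)
```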

Who it serves

Owner-operated infrastructure.

Tessera is not for sale. It powers the owner’s products and a small, curated set of invited tenants — peer shops, friend platforms, projects the owner already trusts. There is no self-serve signup, no per-MAU pricing, and no roadmap built around someone else’s quarter. If you are reading this because you saw “Sign in via Tessera” on another product, that is exactly the use case. If you are running your own constellation of apps and want to talk, an invite mechanism is coming.

Principles

Four commitments.

Conformance over cleverness.

Where the OAuth 2.1, OIDC, and MCP specs are prescriptive, Tessera follows them exactly. Where they leave room, the choice is written down in an ADR.

No per-MAU pricing, ever.

Cost scales with traffic, not with user count. The platform’s economics never punish a tenant for growing.

No token forwarding to upstream APIs.

MCP servers acting as clients to other services use their own credentials. Tokens issued for one resource stay bound to that resource.

Audit trail as a first-class output.

Every grant, every exchange, every step-up is logged with provenance and is queryable. Not a debugging convenience — an output.

Tessera. Owner-operated identity for serious products.

© 2026 William Kurth.