MCP Server Connection Creation Fails Silently When Using Client Credentials Grant Type in AI Agent StudioIssue <!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } We are unable to add the MCP server when the grant type is selected as Client Credentials. The Add button is not working, but if the grant type is set to Authorization Code, it works fine. The issue is observed in AI Agent Studio when connecting to the MCP Server.Steps to Reproduce: Navigate to /now/agent-studio/manage-mcp-serversClick NewSelect OAuth 2.1Click NextSelect Client Credentials and fill in the required detailsClick Add Release<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Zurich Cause<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } The other grant types are not supported for the following reasons: Client Credentials, JWT Bearer, and ROPC are machine-to-machine authentication flows and do not provide the user identity context required by the MCP Server to: * Evaluate ACLs * Enforce record-level security * Authorize tool access As a result, although the OAuth token may be retrieved successfully, the MCP tools themselves cannot be loaded afterwards. Third-party OIDC ID Token is intended for federated identity assertion and does not generate the OAuth access token flow expected during the MCP client-server handshake. Resolution<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Configure the MCP Server OAuth connection using the Authorization Code grant type instead of the Client Credentials grant type when creating MCP Server connections through AI Agent Studio Additionally, the fix included: SR - Agentic AI - Now Assist AI Agents - v7.0 (ZP7) changes the behaviour from a silent failure to a meaningful, informative error message. This means: * The fix does not add support for the Client Credentials grant type.* Instead, it ensures users receive a proper error message explaining the unsupported configuration. The underlying correction in DEF0802062 addresses the "use_pkce" flag so the OAuth token request is constructed correctly. However, even after successful token acquisition, the MCP Server still rejects the connection because Client Credentials do not provide the required user identity context. This limitation is currently by design rather than a product defect. On a fully patched ZP7 instance, the expected behaviour is therefore: * Token acquisition succeeds. * MCP Server connection still fails due to unsupported grant type usage. * A meaningful error message is displayed instead of a silent failure.* The message guides the user toward using the Authorization Code grant type. Regardless of patch level, the overall outcome remains the same because Client Credentials is not currently supported for AI Agent Studio to MCP Server connections.