> ## Documentation Index
> Fetch the complete documentation index at: https://conductorone-docs-mcp-bridge-private-server.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Enable enterprise-managed authorization

> Turn enterprise-managed authorization on for your tenant and choose the signing algorithm C1 uses.

<Warning>
  **Early access.** This feature is in early access, which means it's undergoing ongoing testing and development while we gather feedback, validate functionality, and improve outputs. Contact the C1 Support team if you'd like to try it out or share feedback.
</Warning>

Enabling enterprise-managed authorization exposes the admin surfaces for registering MCP servers, enabling scopes, and reviewing the issuance audit. It does not grant any user access on its own — you still register each server, enable its scopes, and bundle them into access profiles before access becomes requestable.

## Before you begin

* Enterprise-managed authorization is in early access. [Contact the C1 Support team](mailto:support@c1.ai) to have it enabled for your tenant. The toggle below is live only once C1 has enabled the operator rollout for your tenant.
* You need an admin role to change tenant settings.

## Enable enterprise-managed authorization for your tenant

<Steps>
  <Step>
    Go to **Settings** in the left navigation and select **Cross-App Access** under **AI**.
  </Step>

  <Step>
    Click **Edit** in the top right of the **Cross-App Access** section.
  </Step>

  <Step>
    Turn on the **Enable cross-app access** toggle.

    As the page notes, the issuer is live only when this is on *and* C1 has enabled the operator rollout for your tenant.
  </Step>

  <Step>
    Set the **Default signing algorithm**.

    This is the algorithm C1 uses to sign tokens for any MCP server that doesn't override it at the resource server level. The options are **ES256 (default)**, **EdDSA**, and **RS256**. The MCP server you issue tokens for verifies C1's signature at its own authorization server, so choose an algorithm that server can verify. ES256 is the default and the safest choice for broad compatibility; RS256 is also widely supported. EdDSA is available, but verification support is uneven across servers, so confirm the target server supports it before relying on it.
  </Step>

  <Step>
    Click **Save**.
  </Step>
</Steps>

## Where to go from here

* Ready to connect an MCP server? See [Register an MCP server](/product/admin/enterprise-managed-authorization/resource-servers).
* Want the full picture first? See the [enterprise-managed authorization overview](/product/admin/enterprise-managed-authorization/overview).