stacklok · jhrozek · Dec 1, 2025 · Dec 1, 2025
diff --git a/pkg/vmcp/config/validator.go b/pkg/vmcp/config/validator.go
@@ -94,14 +94,15 @@ func (v *DefaultValidator) validateIncomingAuth(auth *IncomingAuthConfig) error
 return fmt.Errorf("incoming_auth.oidc.issuer is required")
 }
 
-if auth.OIDC.ClientID == "" {
-return fmt.Errorf("incoming_auth.oidc.client_id is required")
-}
-
 if auth.OIDC.Audience == "" {
 return fmt.Errorf("incoming_auth.oidc.audience is required")
 }
 
+// ClientID is optional - only required for specific flows:
+// - Token introspection with client credentials
+// - Some OAuth flows requiring client identification
+// Not required for standard JWT validation using JWKS
+
 // ClientSecretEnv is optional - some OIDC flows don't require client secrets:
 // - PKCE flows (public clients)
 // - Token validation without introspection

diff --git a/pkg/vmcp/config/validator_test.go b/pkg/vmcp/config/validator_test.go
@@ -140,6 +140,17 @@ func TestValidator_ValidateIncomingAuth(t *testing.T) {
 },
 wantErr: false,
 },
+{
+name: "valid OIDC auth without client_id (JWT validation only)",
+auth: &IncomingAuthConfig{
+Type: "oidc",
+OIDC: &OIDCConfig{
+Issuer: "https://example.com",
+Audience: "vmcp",
+},
+},
+wantErr: false,
+},
 {
 name: "invalid auth type",
 auth: &IncomingAuthConfig{