getmcpauth

Hosted OAuth 2.1 + Dynamic Client Registration (RFC 7591) for MCP servers

Documentation

mcpauth


Drop-in OAuth 2.1 + Dynamic Client Registration (RFC 7591) for MCP servers, backed by mcpauth.

Wraps the official @modelcontextprotocol/sdk's requireBearerAuth middleware so unauthenticated or invalid requests get rejected with a spec-correct 401 before they ever reach your MCP server's handlers.

Install

npm install getmcpauth

Usage

import express from "express";
import { mcpAuth } from "getmcpauth";

const app = express();

app.use(
  "/mcp",
  mcpAuth({ registrationSecret: process.env.MCPAUTH_SECRET })
);

// Unauthenticated or invalid requests never reach this handler.
app.post("/mcp", handleMcpRequest);

Get a registrationSecret by creating a project at getmcpauth.dev/dashboard — it's your MCP server's credential for both Dynamic Client Registration and token verification.

MCP clients (Claude, ChatGPT, custom agent frameworks) then discover your auth setup automatically via /.well-known/oauth-authorization-server — no manual client configuration needed.
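To make the two behaviours above concrete, here is an added example (not getmcpauth's own code) of what a spec-correct bearer gate in front of a Fetch-API style MCP endpoint has to do: serve RFC 9728 protected-resource metadata that names the authorization server clients should discover, and answer unauthenticated or invalid requests with a 401 whose WWW-Authenticate challenge points at that metadata. The function names (`gateMcpRequest`, `metadataUrlFor`, `parseBearer`), the example URLs and the in-memory token table are assumptions made for this illustration; a real deployment delegates token verification to the hosted service instead.

```javascript
// Added illustration, not getmcpauth's code. Constructed values: the MCP server's own URL
// and the authorization server it trusts (in the real flow, mcpauth).
const RESOURCE_URL = "https://mcp.example.test/mcp";
const AUTH_SERVER_URL = "https://auth.example.test";

// Stand-in for real token verification so the example runs offline. A hosted verifier would
// introspect the token or validate a JWT; here one constructed opaque token is accepted.
const VALID_TOKENS = new Map([
  ["tok_constructed_valid_1", { sub: "user-1", scope: "mcp:tools" }],
]);

function verifyToken(token) {
  return VALID_TOKENS.get(token) ?? null;
}

// RFC 9728: when the resource identifier has a path, the well-known suffix is inserted
// between host and path, e.g. https://host/.well-known/oauth-protected-resource/mcp.
function metadataUrlFor(resourceUrl) {
  const u = new URL(resourceUrl);
  const path = u.pathname === "/" ? "" : u.pathname.replace(/\/$/, "");
  return `${u.origin}/.well-known/oauth-protected-resource${path}`;
}

// The metadata document. Clients read `authorization_servers`, then fetch that server's
// /.well-known/oauth-authorization-server document and register dynamically (RFC 7591).
function protectedResourceMetadata() {
  return {
    resource: RESOURCE_URL,
    authorization_servers: [AUTH_SERVER_URL],
    bearer_methods_supported: ["header"],
    scopes_supported: ["mcp:tools"],
  };
}

// 401 with the challenge RFC 9728 expects. Per RFC 6750 section 3.1 the `error` attribute is
// only added when a token was actually presented and rejected, not when none was sent.
function unauthorized(tokenPresented) {
  let challenge = `Bearer resource_metadata="${metadataUrlFor(RESOURCE_URL)}"`;
  if (tokenPresented) challenge += `, error="invalid_token"`;
  return { status: 401, headers: { "WWW-Authenticate": challenge }, body: "" };
}

// Strict Authorization header parsing: scheme is case-insensitive (RFC 7235), the token must
// match RFC 6750's b64token grammar, anything else counts as "no token".
function parseBearer(header) {
  if (typeof header !== "string") return null;
  const m = /^Bearer\s+([A-Za-z0-9\-._~+/]+=*)$/i.exec(header.trim());
  return m ? m[1] : null;
}

// The gate itself. `req` is a plain { method, path, headers } object and the result a plain
// { status, headers, body } object; wrapping it in `new Response(body, { status, headers })`
// is all a Fetch-API framework needs. `handler` only runs once a token has verified.
function gateMcpRequest(req, handler) {
  const metadataPath = new URL(metadataUrlFor(RESOURCE_URL)).pathname;
  if (req.method === "GET" && req.path === metadataPath) {
    return {
      status: 200,
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify(protectedResourceMetadata()),
    };
  }
  const token = parseBearer(req.headers.authorization);
  if (token === null) return unauthorized(false);
  const claims = verifyToken(token);
  if (claims === null) return unauthorized(true);
  return handler(req, claims);
}
```

The metadata route is the only unauthenticated path; everything else is rejected before the application handler is invoked, which is the property the README claims for `requireBearerAuth`.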

Next.js (or any Fetch-API framework)

// app/api/mcp/route.ts
import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
import { createMcpAuthHandler } from "getmcpauth";

const handler = createMcpAuthHandler({
  registrationSecret: process.env.MCPAUTH_SECRET!,
  buildServer: () => {
    const server = new McpServer({ name: "my-server", version: "1.0.0" });
    server.registerTool(/* ... */);
    return server;
  },
});

export { handler as GET, handler as POST, handler as DELETE };

API

  • mcpAuth(options) — Express middleware. Successful token verifications are cached in-process (default 30s) so a chatty agent conversation doesn't trigger a network round trip on every tool call.
  • createMcpAuthHandler(options) — the Next.js/Fetch-API equivalent above, returning a (request: Request) => Promise<Response> handler. Same caching behavior as mcpAuth().
  • McpAuthTokenVerifier — implements the official SDK's OAuthTokenVerifier interface directly, for lower-level use.
  • mintToken(options) — for MCP servers embedded in a product that already has its own users: your backend, which already knows who its logged-in user is, mints a token server-to-server without routing that user through mcpauth's own login.
  • protectedResourceMetadata(options) / mcpAuthResourceMetadataHandler(options) — RFC 9728 resource-metadata helpers.
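The caching behaviour described for `mcpAuth()` and `createMcpAuthHandler()` has one consequence worth seeing in code: a token that the authorization server revokes stays accepted locally until its cache entry expires, so the TTL is the upper bound on revocation latency. The example below is an added illustration, not getmcpauth's implementation; `createCachedVerifier`, its options and the fake upstream are assumptions, and the upstream verifier is modelled as a synchronous callback (a real one is a network call) so the clock can be stepped deterministically.

```javascript
// Added illustration of a short-lived in-process verification cache (not getmcpauth's code).
// `verify(token)` returns claims or null. `now` is injectable so TTL expiry can be tested
// without waiting; the default mirrors the README's 30 second window.
function createCachedVerifier(verify, { ttlMs = 30_000, now = Date.now, maxEntries = 10_000 } = {}) {
  const cache = new Map(); // token -> { claims, expiresAt }; Map keeps insertion order
  let upstreamCalls = 0;

  function cachedVerify(token) {
    const hit = cache.get(token);
    if (hit && hit.expiresAt > now()) return hit.claims;
    cache.delete(token); // drop an expired entry before re-verifying

    upstreamCalls++;
    const claims = verify(token);
    // Only successful results are cached. A rejected token is re-checked on its next use,
    // so a just-issued token or a transient upstream error is never pinned as "invalid".
    if (claims !== null) {
      if (cache.size >= maxEntries) cache.delete(cache.keys().next().value); // evict oldest
      cache.set(token, { claims, expiresAt: now() + ttlMs });
    }
    return claims;
  }

  return { verify: cachedVerify, stats: () => ({ upstreamCalls, size: cache.size }) };
}

// Constructed stand-in for the round trip to the hosted verifier.
function makeFakeUpstream() {
  const valid = new Set(["tok_constructed_a"]);
  return (token) => (valid.has(token) ? { sub: "user-a" } : null);
}

// Scenario: the same token twice inside the TTL (one upstream call), once after expiry
// (a second call), then a bad token twice (two calls, nothing cached).
function runScenario() {
  let t = 1_000_000;
  const v = createCachedVerifier(makeFakeUpstream(), { ttlMs: 30_000, now: () => t });
  const first = v.verify("tok_constructed_a");  // upstream call 1
  t += 10_000;
  const second = v.verify("tok_constructed_a"); // served from cache
  t += 25_000;                                   // 35 s after the first call: entry expired
  const third = v.verify("tok_constructed_a");  // upstream call 2
  const bad1 = v.verify("tok_bogus");            // upstream call 3, result not cached
  const bad2 = v.verify("tok_bogus");            // upstream call 4
  return { first, second, third, bad1, bad2, stats: v.stats() };
}
```

Keying the cache by the raw token string is what makes a repeat tool call cheap; the trade-off is that revocation and scope changes at the authorization server are only observed after `ttlMs`, so the window should stay short for servers whose tools have side effects.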

Full docs: getmcpauth.dev/docs

License

MIT