Labsco
raxITai logo

MCP OAuth Sample

โ˜… 4

from raxITai

A sample MCP OAuth server implementation using Next.js, providing OAuth 2.1 authentication with Google and PostgreSQL.

๐Ÿ”ฅ๐Ÿ”ฅโœ“ VerifiedFreeAdvanced setup

MCP OAuth Sample on Vercel and Analytics

A production-ready MCP (Model Context Protocol) OAuth 2.1 server implementation built with Next.js 15, providing secure authentication and analytics for MCP clients.

Overview

This project was built using run-llama/mcp-nextjs as a reference implementation and significantly enhanced to be fully compliant with the MCP Authorization Specification or here.

Key Enhancements

โœ… OAuth 2.1 Compliance - Full implementation of MCP authorization specification
โœ… OAuth Refresh Tokens - Automatic token refresh for seamless user experience
โœ… DIY Analytics Dashboard - Real-time analytics with security monitoring
โœ… Enhanced Security - Comprehensive threat detection and monitoring

Screenshots

Dashboard

Dashboard

OAuth Usage Metrics

OAuth Usage

DIY Security Monitoring

Security Monitoring

MCP Clients Tools Usage

MCP Integration

Features

  • Complete OAuth 2.1 Server with PKCE and refresh token support
  • MCP Authorization Flow compliant with latest MCP specification
  • Analytics Dashboard with real-time security monitoring
  • Google Authentication integration via NextAuth.js
  • Dynamic Client Registration for seamless MCP client onboarding
  • Security Monitoring with threat detection and alerting
  • PostgreSQL Database with automated cleanup and TTL management

Documentation

๐Ÿ“š View Full Documentation - Interactive Material for MkDocs site

Local Documentation Development

# Serve documentation locally with hot reload
./docs-serve.sh

# Or on Windows
docs-serve.bat

# Manual setup
pip install -r requirements.txt
mkdocs serve

MCP Specification Compliance

We have attempted to implement all the mandatory requirements specified in the MCP Authorization Specification.

What Makes This Different

  • Discovery Endpoints - Proper RFC 8414 and RFC 9728 implementation
  • Resource Parameter Support - RFC 8707 Resource Indicators implementation
  • Token Audience Validation - Strict security boundary enforcement
  • Refresh Token Flow - OAuth 2.1 compliant token refresh
  • WWW-Authenticate Headers - Proper 401 response handling
  • Dynamic Client Registration - RFC 7591 support for MCP clients
  • Live Demo: mcp-oauth-sample.vercel.app (Analytics dashboard requires Gmail address allowlist)
  • Analytics Dashboard: /analytics (supports multiple Gmail addresses)
  • MCP Endpoints:
    • SSE: /mcp/sse
    • HTTP: /mcp/mcp
  • OAuth Discovery: /.well-known/oauth-authorization-server

MCP Client Integration

For Claude Desktop/Web

{
  "mcpServers": {
    "raxIT-oauth": {
      "url": "https://your-domain.com/mcp/sse",
      "transport": "sse"
    }
  }
}

For Cursor

{
  "mcpServers": {
    "raxIT-oauth": {
      "url": "https://your-domain.com/mcp/mcp", 
      "transport": "http-stream"
    }
  }
}

Support


Built with โค๏ธ by raxIT AI

Based on run-llama/mcp-nextjs with enhancements to learn MCP authz.