
MCP OAuth Sample
โ 4from raxITai
A sample MCP OAuth server implementation using Next.js, providing OAuth 2.1 authentication with Google and PostgreSQL.
MCP OAuth Sample on Vercel and Analytics
A production-ready MCP (Model Context Protocol) OAuth 2.1 server implementation built with Next.js 15, providing secure authentication and analytics for MCP clients.
Overview
This project was built using run-llama/mcp-nextjs as a reference implementation and significantly enhanced to be fully compliant with the MCP Authorization Specification or here.
Key Enhancements
โ
OAuth 2.1 Compliance - Full implementation of MCP authorization specification
โ
OAuth Refresh Tokens - Automatic token refresh for seamless user experience
โ
DIY Analytics Dashboard - Real-time analytics with security monitoring
โ
Enhanced Security - Comprehensive threat detection and monitoring
Screenshots
Dashboard

OAuth Usage Metrics

DIY Security Monitoring

MCP Clients Tools Usage

Features
- Complete OAuth 2.1 Server with PKCE and refresh token support
- MCP Authorization Flow compliant with latest MCP specification
- Analytics Dashboard with real-time security monitoring
- Google Authentication integration via NextAuth.js
- Dynamic Client Registration for seamless MCP client onboarding
- Security Monitoring with threat detection and alerting
- PostgreSQL Database with automated cleanup and TTL management
Documentation
๐ View Full Documentation - Interactive Material for MkDocs site
Local Documentation Development
# Serve documentation locally with hot reload
./docs-serve.sh
# Or on Windows
docs-serve.bat
# Manual setup
pip install -r requirements.txt
mkdocs serveMCP Specification Compliance
We have attempted to implement all the mandatory requirements specified in the MCP Authorization Specification.
What Makes This Different
- Discovery Endpoints - Proper RFC 8414 and RFC 9728 implementation
- Resource Parameter Support - RFC 8707 Resource Indicators implementation
- Token Audience Validation - Strict security boundary enforcement
- Refresh Token Flow - OAuth 2.1 compliant token refresh
- WWW-Authenticate Headers - Proper 401 response handling
- Dynamic Client Registration - RFC 7591 support for MCP clients
Quick Links
- Live Demo: mcp-oauth-sample.vercel.app (Analytics dashboard requires Gmail address allowlist)
- Analytics Dashboard:
/analytics(supports multiple Gmail addresses) - MCP Endpoints:
- SSE:
/mcp/sse - HTTP:
/mcp/mcp
- SSE:
- OAuth Discovery:
/.well-known/oauth-authorization-server
MCP Client Integration
For Claude Desktop/Web
{
"mcpServers": {
"raxIT-oauth": {
"url": "https://your-domain.com/mcp/sse",
"transport": "sse"
}
}
}For Cursor
{
"mcpServers": {
"raxIT-oauth": {
"url": "https://your-domain.com/mcp/mcp",
"transport": "http-stream"
}
}
}Support
- Issues: GitHub Issues
- Documentation: docs/
Built with โค๏ธ by raxIT AI
Based on run-llama/mcp-nextjs with enhancements to learn MCP authz.
# Install dependencies
pnpm install
# Setup environment variables (see docs/setup.md)
cp .env.example .env
# Setup database
pnpm prisma generate
pnpm prisma db push
# Start development server
pnpm devQuick Start
# Install dependencies
pnpm install
# Setup environment variables (see docs/setup.md)
cp .env.example .env
# Setup database
pnpm prisma generate
pnpm prisma db push
# Start development server
pnpm devNo common issues documented yet. If you hit a problem, the repository's GitHub Issues page is the best place to look.
Licensed under Apache-2.0โ you can use, modify, and redistribute it under that license's terms.
License
This project is licensed under the Apache License 2.0 - see the LICENSE file for details.