
getmcpauth
from yilmazali325
Hosted OAuth 2.1 + Dynamic Client Registration (RFC 7591) for MCP servers
mcpauth
Drop-in OAuth 2.1 + Dynamic Client Registration (RFC 7591) for MCP servers, backed by mcpauth.
Wraps the official @modelcontextprotocol/sdk's requireBearerAuth middleware so unauthenticated or invalid requests get rejected with a spec-correct 401 before they ever reach your MCP server's handlers.
API
mcpAuth(options)โ Express middleware. Successful token verifications are cached in-process (default 30s) so a chatty agent conversation doesn't trigger a network round trip on every tool call.createMcpAuthHandler(options)โ the Next.js/Fetch-API equivalent above, returning a(request: Request) => Promise<Response>handler. Same caching behavior asmcpAuth().McpAuthTokenVerifierโ implements the official SDK'sOAuthTokenVerifierinterface directly, for lower-level use.mintToken(options)โ for MCP servers embedded in a product that already has its own users: your backend, which already knows who its logged-in user is, mints a token server-to-server without routing that user through mcpauth's own login.protectedResourceMetadata(options)/mcpAuthResourceMetadataHandler(options)โ RFC 9728 resource-metadata helpers.
Full docs: getmcpauth.dev/docs
npm install getmcpauthInstall
npm install getmcpauthUsage
import express from "express";
import { mcpAuth } from "getmcpauth";
const app = express();
app.use(
"/mcp",
mcpAuth({ registrationSecret: process.env.MCPAUTH_SECRET })
);
// Unauthenticated or invalid requests never reach this handler.
app.post("/mcp", handleMcpRequest);Get a registrationSecret by creating a project at getmcpauth.dev/dashboard โ it's your MCP server's credential for both Dynamic Client Registration and token verification.
MCP clients (Claude, ChatGPT, custom agent frameworks) then discover your auth setup automatically via /.well-known/oauth-authorization-server โ no manual client configuration needed.
Next.js (or any Fetch-API framework)
// app/api/mcp/route.ts
import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
import { createMcpAuthHandler } from "getmcpauth";
const handler = createMcpAuthHandler({
registrationSecret: process.env.MCPAUTH_SECRET!,
buildServer: () => {
const server = new McpServer({ name: "my-server", version: "1.0.0" });
server.registerTool(/* ... */);
return server;
},
});
export { handler as GET, handler as POST, handler as DELETE };No common issues documented yet. If you hit a problem, the repository's GitHub Issues page is the best place to look.
Licensed under MITโ you can use, modify, and redistribute it under that license's terms.
License
MIT