docs

MCP Auth provides a ready-made authentication layer that you can plug into your MCP server to support OAuth 2.1 and OpenID Connect providers. It abstracts the provider interactions, token handling, and user session management so you can focus on your game logic and permissions. The toolset includes a provider-agnostic flow, so you can switch providers with minimal code changes, and it validates tokens against the chosen provider to ensure secure access control. Use the included configuration to connect to your provider, and expose an auth endpoint to your MCP server to obtain and verify user sessions.

Prerequisites:

• Node.js (14.x or later) and npm installed
• Access to an OAuth 2.1 or OpenID Connect provider (e.g., Google, Auth0, Okta) or a local provider for testing

Step 1: Install the MCP Auth package

npm install mcp-auth --save

Step 2: Configure environment variables Create a .env file or export variables in your environment:

OAUTH_PROVIDER=https://example-provider.com
CLIENT_ID=your-client-id
CLIENT_SECRET=your-client-secret
REDIRECT_URI=http://localhost:3000/callback
SESSION_SECRET=some-long-random-string

Step 3: Run the MCP Auth server

node server.js

Step 4: Integrate with your MCP server

• Import the MCP Auth module in your server initialization code
• Attach the auth middleware to routes that require authentication
• Use the verify-token helper to validate incoming tokens from clients

Example integration snippet (conceptual):

const mcpAuth = require('mcp-auth');
const app = require('express')();

// Initialize with your config
mcpAuth.init({ provider: process.env.OAUTH_PROVIDER, clientId: process.env.CLIENT_ID, clientSecret: process.env.CLIENT_SECRET, redirectUri: process.env.REDIRECT_URI });

// Protect a route
app.get('/secure', mcpAuth.ensureAuthenticated, (req, res) => {
  res.send('Secure content for ' + req.user.name);
});

Notes:

• Ensure redirect URIs are registered with your OAuth provider.
• Keep SESSION_SECRET secure and rotate credentials regularly.
• If you switch providers, update OAUTH_PROVIDER, CLIENT_ID, and CLIENT_SECRET accordingly; token validation remains provider-agnostic.
• For local testing, consider using a mock provider or a test tenant to avoid affecting production data.
• Review provider-specific scopes to ensure your app requests the required user information (e.g., profile, email).

Common issues:

• Mismatched redirect URI: double-check that the redirect URI in your provider settings matches your app.
• Invalid client credentials: verify CLIENT_ID and CLIENT_SECRET are correct and have appropriate permissions.
• Token signature errors: ensure the provider's JWKS endpoint is reachable and the algorithm is supported by your verifier.