ext-auth

The MCP Authorization Extensions provide additive, optional mechanisms to control access within the Model Context Protocol ecosystem. This extension set focuses on authorization flows and policy enforcement, including support for Client Credentials and Enterprise-Managed Authorization. When you run the ext-auth server, it will handle token issuance and validation, and it can be integrated with MCP clients and resource servers to enforce access decisions based on the extensions' rules. The server exposes endpoints and utilities that let you request access tokens, validate tokens presented by clients, and inspect or enforce entitlements defined by administrators. Expect to leverage these capabilities to implement OAuth 2.0-style client credentials flows and organization-wide authorization policies within your MCP deployments.

Typical workflows include: (1) a client obtains an access token using client credentials, (2) a resource checks the token with the ext-auth server to ensure the caller has the required scopes/entitlements, and (3) an administrator configures enterprise-level authorization policies that the ext-auth server enforces across MCP interactions. The tooling focuses on token management, policy evaluation, and visibility into authorization decisions to facilitate secure, scalable interoperation between MCP participants.

Prerequisites:

• Node.js (14.x or newer) and npm installed on your system
• Basic familiarity with running Node.js apps

1. Clone the repository or download the ext-auth distribution

2. Install dependencies

git clone https://github.com/modelcontextprotocol/modelcontextprotocol-ext-auth.git
cd modelcontextprotocol-ext-auth
npm install

3. Configure environment variables (examples below)

# Port the service will listen on
export PORT=5000
# Enable or disable authorization modes supported by this build
export AUTH_MODES=client_credentials,enterprise_managed
# Logging level
export LOG_LEVEL=info

4. Run the server

npm start

5. (Optional) Run with Docker

# Build the image (if a Dockerfile is provided in the repo)
docker build -t ext-auth:latest .
# Run the container
docker run -p 5000:5000 -e PORT=5000 -e AUTH_MODES=client_credentials,enterprise_managed ext-auth:latest

6. Validate startup

• Verify the service is listening on the configured port
• Check logs for initialization messages and any policy load confirmations

Tips and common considerations:

• The extension is Optional and Additive; it should integrate alongside your core MCP stack without altering core protocol behavior.
• If your deployment requires enterprise-wide policies, configure enterprise_managed policies in the ext-auth server and ensure your MCP clients can reference the policy endpoints.
• Validate error handling: ensure token validation failures return meaningful responses and do not leak sensitive information.
• Use environment variables to toggle features during deployment (e.g., enable/disable client_credentials mode, adjust log levels).
• Review MAINTAINERS.md and governance documents in this repository for guidance on extensions-specific configuration and maintenance practices.