mcp-oauth-server is an OAuth 2.1 Authorization Server implementation that complies with the MCP Authorization Spec. It provides an OAuthServer instance that you can plug into an MCP workflow via the mcpAuthRouter, enabling dynamic client registration, authorization flows, and access token issuance in the context of MCP clients and resources. The server can run with in-memory storage for development or with a custom OAuthServerModel for production-grade databases, and it is designed to integrate smoothly with the MCP TypeScript SDK to manage authorization flows and consent screens.

To use it, install the server and run it in your Node.js environment. The repository exposes the OAuthServer class and the mcpAuthRouter middleware, which you mount into your Express app. The example in the repository demonstrates an in-memory setup behind an MCP server and includes a consent screen workflow. You can start the demo and then run a separate client to perform the authorization flow, enabling you to test token issuance, consent handling, and resource access within the MCP ecosystem.

Prerequisites:

• Node.js (recommended LTS) and npm or pnpm installed
• Basic familiarity with npm package installation and running Node.js apps

Step-by-step installation:

1. Ensure Node.js is installed. Verify with: node -v npm -v

2. Install the MCP OAuth server package from npm: npm install mcp-oauth-server@latest --save-exact

   or using yarn/pnpm if you prefer

3. Create a small server file to run the OAuth server, for example: // server.js import { OAuthServer } from 'mcp-oauth-server'; const oauthServer = new OAuthServer({ authorizationUrl: new URL('http://localhost:3000/consent'), scopesSupported: ['mcp:tools'], }); // integrate with mcpAuthRouter in your Express app as shown in the README

4. Run the server locally: node server.js

   Or use ts-node / your build setup if using TypeScript

5. (Optional) Try the example mentioned in the repository by following the Quick Start in the README to start the demo server and a client to authenticate.

Notes and tips:

• This server is designed to integrate with the MCP SDK and the mcpAuthRouter to expose OAuth endpoints under a base URL you configure.
• You can run with in-memory storage for development or provide your own OAuthServerModel for production persistence.
• If your clients do not follow the resource indicator conventions (RFC 8707) or particular scope requests, the server remains compatible due to its configurable options such as strictResource and default scopes.
• When deploying, ensure your issuerUrl/baseUrl/resourceServerUrl are accessible to MCP clients and any consent UI you host.
• If you encounter issues with token lifetimes or client registration, review the config options documented in the API Reference section of the README to adjust lifetimes, scopes, and resource validation behavior.