MCP Server Framework - v1.0.0

    Interface AuthOptions

    Authentication configuration for the server.

    Passed via ServerOptions.auth or McpServerBuilder.withAuthOptions().

    import { ProxyOAuthServerProvider } from '@modelcontextprotocol/sdk/server/auth/providers/proxyProvider.js';

    // Example: full OAuth, proxying to an upstream authorization server (GitHub).
    // `endpoints`, `verifyAccessToken` and `getClient` are supplied by the
    // application; they are not defined in this snippet.
    const github = new ProxyOAuthServerProvider({ endpoints, verifyAccessToken, getClient });

    // issuerUrl is required for full OAuth providers and must be an HTTPS URL
    // with no query or fragment. requiredScopes applies to every /mcp request.
    const oauthAuth = {
        provider: github,
        issuerUrl: new URL('https://github.com'),
        requiredScopes: ['read:user'],
    };

    createServer({
        name: 'my-server',
        version: '1.0.0',
        transport: { mode: 'http' },
        auth: oauthAuth,
    });
    // Example: API key read from a custom header. headerName is only allowed
    // with TokenVerifier providers, so `myApiKeyVerifier` (not defined in this
    // snippet) is presumably a TokenVerifier.
    const apiKeyAuth = {
        provider: myApiKeyVerifier,
        headerName: 'X-API-Key',
    };

    createServer({
        name: 'my-server',
        version: '1.0.0',
        transport: { mode: 'http' },
        auth: apiKeyAuth,
    });
    // Example: token verifier using the default header. No headerName is set,
    // so the token is read from the standard `Authorization: Bearer <token>`
    // header. `myJwtVerifier` is not defined in this snippet.
    const jwtAuth = {
        provider: myJwtVerifier,
    };

    createServer({
        name: 'my-server',
        version: '1.0.0',
        transport: { mode: 'http' },
        auth: jwtAuth,
    });
    /**
     * Authentication configuration for the server.
     *
     * Passed via ServerOptions.auth or McpServerBuilder.withAuthOptions().
     * Only `provider` is required; every other member is optional.
     */
    interface AuthOptions {
        /**
         * Express handler for the OAuth callback route (GET /callback).
         * Only effective when a full OAuth provider is configured.
         */
        callbackHandler?: RequestHandler<
            ParamsDictionary,
            any,
            any,
            ParsedQs,
            Record<string, any>,
        >;
        /**
         * Custom header to read the token from instead of the standard
         * `Authorization: Bearer <token>` header. Only allowed with
         * TokenVerifier providers, not with full OAuth providers.
         */
        headerName?: string;
        /**
         * OAuth issuer URL (Authorization Server identifier, RFC 8414).
         * Required for full OAuth providers. Must use the HTTPS scheme and
         * have no query or fragment components.
         */
        issuerUrl?: URL;
        /**
         * Hook called after successful token verification. The returned data
         * is available in tool handlers via context.auth.extra.
         */
        onAuthenticated?: (
            authInfo: AuthInfo,
        ) => Promise<AuthenticatedExtra | undefined>;
        /** Authentication provider (full OAuth or token verifier). */
        provider: AuthProvider;
        /**
         * Scopes that every request to the /mcp endpoint must carry.
         * Per-capability scopes are set separately on tool, resource and
         * prompt definitions.
         */
        requiredScopes?: string[];
        /**
         * Protected Resource Metadata URL (RFC 9728), included in
         * WWW-Authenticate headers for 401 responses.
         */
        resourceMetadataUrl?: string;
        /**
         * When true, tools/list, resources/list and prompts/list omit entries
         * whose requiredScopes the caller's token does not satisfy.
         * Default: false. Enforcement at execution time (403) happens
         * regardless of this setting.
         */
        scopeFilterCapabilities?: boolean;
    }
    Index

    Properties

    callbackHandler?: RequestHandler<
        ParamsDictionary,
        any,
        any,
        ParsedQs,
        Record<string, any>,
    >

    Express handler for the OAuth callback route (GET /callback).

    Required for OAuth providers that use server-side callbacks (e.g., GitHub, Google) where the upstream provider redirects back to the MCP server rather than directly to the MCP client.

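    The handler receives the authorization code from the upstream provider and redirects the user to the MCP client's redirect_uri. Because the handler performs this final redirect itself, it should send the user only to a redirect_uri that is registered for that client, and it should check the state value returned by the upstream provider against the one issued for the request.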

    Only effective when a full OAuth provider is configured.

    headerName?: string

    Custom header name for token extraction.

    When set, the framework extracts the token from this header instead of the standard Authorization: Bearer <token> header. Only allowed with TokenVerifier providers (not with full OAuth providers).

    Example: `'X-API-Key'` extracts the value of the `X-API-Key` header.
    
    issuerUrl?: URL

    OAuth issuer URL (Authorization Server identifier).

    Required for full OAuth providers. Used as the issuer in OAuth Authorization Server Metadata (RFC 8414). Must use HTTPS scheme and have no query or fragment components.

    onAuthenticated?: (
        authInfo: AuthInfo,
    ) => Promise<AuthenticatedExtra | undefined>

    Hook called after successful token verification.

    Use this to map OAuth clientId/scopes to your own user model. The returned data is available in tool handlers via context.auth.extra.

    Type Declaration

    provider: AuthProvider

    Authentication provider (full OAuth or token verifier)

    requiredScopes?: string[]

    Global required scopes for the /mcp endpoint.

    All requests to /mcp must have tokens with these scopes. Per-capability scopes can be set via requiredScopes on tool, resource, and prompt definitions.

    resourceMetadataUrl?: string

    Protected Resource Metadata URL (RFC 9728).

    Included in WWW-Authenticate headers for 401 responses, allowing clients to discover the authorization server.

    scopeFilterCapabilities?: boolean

    When true, capability list handlers (tools/list, resources/list, prompts/list) filter out entries whose requiredScopes are not satisfied by the requesting user's token.

    Default: false (spec-compliant — all capabilities are listed regardless of scopes). Enforcement always happens at execution time (403), independent of this setting, so this option only changes what is listed and is not an access control.

    Enable this for UIs that should only show actionable items to users.