This is the documentation for the v2 beta — looking for the v1 documentation?

MCP TypeScript SDK (V2) / @modelcontextprotocol/express / auth/bearerAuth

auth/bearerAuth

Interfaces

BearerAuthMiddlewareOptions

Defined in: middleware/express/src/auth/bearerAuth.ts:9

Options for requireBearerAuth.

Properties

requiredScopes?

optional requiredScopes?: string[]

Defined in: middleware/express/src/auth/bearerAuth.ts:19

Optional scopes that the token must have. When any are missing, the middleware responds with 403 insufficient_scope.

resourceMetadataUrl?

optional resourceMetadataUrl?: string

Defined in: middleware/express/src/auth/bearerAuth.ts:28

Optional Protected Resource Metadata URL to advertise in the WWW-Authenticate header on 401/403 responses, per RFC 9728.

Typically built with getOAuthProtectedResourceMetadataUrl.

verifier

verifier: OAuthTokenVerifier

Defined in: middleware/express/src/auth/bearerAuth.ts:13

A verifier used to validate access tokens.

Functions

requireBearerAuth()

requireBearerAuth(__namedParameters): RequestHandler

Defined in: middleware/express/src/auth/bearerAuth.ts:60

Express middleware that requires a valid Bearer token in the Authorization header.

The token is validated via the supplied OAuthTokenVerifier and the resulting AuthInfo (from @modelcontextprotocol/server) is attached to req.auth. The MCP Streamable HTTP transport reads req.auth and surfaces it to handlers as ctx.http.authInfo.

On failure the middleware sends a JSON OAuth error body and a WWW-Authenticate: Bearer … challenge that includes the configured resource_metadata URL so clients can discover the Authorization Server.

Parameters

__namedParameters

BearerAuthMiddlewareOptions

Returns

RequestHandler
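
The decision flow described above (401 for a missing or invalid token, 403 `insufficient_scope` when a required scope is absent, and a `WWW-Authenticate: Bearer` challenge carrying `resource_metadata`), modelled as a dependency-free TypeScript sketch. This is an added example, not the SDK's source code: the `AuthInfoLike` shape, the synchronous `VerifyFn`, the `evaluateBearer`, `deny` and `safeVerify` helpers, the error descriptions and the sample tokens are all assumptions made for illustration.

```typescript
// Added model of the documented behaviour; NOT the SDK's source code.
// Assumed names (not on the page): AuthInfoLike, VerifyFn, evaluateBearer, demoVerify.
interface AuthInfoLike { token: string; clientId: string; scopes: string[] }
type VerifyFn = (token: string) => AuthInfoLike; // assumed: throws when the token is invalid
interface Options { verify: VerifyFn; requiredScopes?: string[]; resourceMetadataUrl?: string }
interface Decision {
  allowed: boolean;
  status?: 401 | 403;
  wwwAuthenticate?: string;
  body?: { error: string; error_description: string };
  auth?: AuthInfoLike;
}

// Build the denial: JSON OAuth error body plus the Bearer challenge (RFC 6750),
// with resource_metadata (RFC 9728) when a metadata URL is configured.
function deny(status: 401 | 403, error: string, description: string, opts: Options): Decision {
  const params = [`error="${error}"`, `error_description="${description}"`];
  if (opts.resourceMetadataUrl) params.push(`resource_metadata="${opts.resourceMetadataUrl}"`);
  const body = { error, error_description: description };
  return { allowed: false, status, wwwAuthenticate: `Bearer ${params.join(", ")}`, body };
}

function safeVerify(verify: VerifyFn, token: string): AuthInfoLike | undefined {
  try { return verify(token); } catch { return undefined; } // verifier detail is not echoed to the client
}

function evaluateBearer(authorization: string | undefined, opts: Options): Decision {
  // Only "Bearer <token68>" is accepted; any other scheme or shape is a 401.
  const token = /^Bearer ([A-Za-z0-9._~+\/-]+=*)$/i.exec(authorization ?? "")?.[1];
  if (!token) return deny(401, "invalid_token", "Missing or malformed bearer token", opts);
  const auth = safeVerify(opts.verify, token);
  if (!auth) return deny(401, "invalid_token", "Token verification failed", opts);
  // Every required scope must be present; a valid token lacking one is 403, not 401.
  const missing = (opts.requiredScopes ?? []).filter((s) => !auth.scopes.includes(s));
  if (missing.length > 0) return deny(403, "insufficient_scope", "Insufficient scope", opts);
  return { allowed: true, auth }; // the real middleware attaches the AuthInfo to req.auth
}

// Constructed sample tokens for the demo verifier (a Map avoids prototype-key lookups).
const demoTokens = new Map<string, AuthInfoLike>([
  ["reader-token", { token: "reader-token", clientId: "client-a", scopes: ["mcp:read"] }],
  ["writer-token", { token: "writer-token", clientId: "client-b", scopes: ["mcp:read", "mcp:write"] }],
]);
function demoVerify(token: string): AuthInfoLike {
  const info = demoTokens.get(token);
  if (!info) throw new Error("unknown token");
  return info;
}
```

The 401 and 403 paths share one challenge builder, so a client that receives either status can read `resource_metadata` from the header and locate the Authorization Server.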