MCP TypeScript SDK (V2) / @modelcontextprotocol/express / auth/bearerAuth
auth/bearerAuth
Interfaces
BearerAuthMiddlewareOptions
Defined in: middleware/express/src/auth/bearerAuth.ts:9
Options for requireBearerAuth.
Properties
requiredScopes?
optional requiredScopes?: string[]
Defined in: middleware/express/src/auth/bearerAuth.ts:19
Optional scopes that the token must have. When any are missing, the middleware responds with 403 insufficient_scope.
resourceMetadataUrl?
optional resourceMetadataUrl?: string
Defined in: middleware/express/src/auth/bearerAuth.ts:28
Optional Protected Resource Metadata URL to advertise in the WWW-Authenticate header on 401/403 responses, per RFC 9728.
Typically built with getOAuthProtectedResourceMetadataUrl.
verifier
verifier: OAuthTokenVerifier
Defined in: middleware/express/src/auth/bearerAuth.ts:13
A verifier used to validate access tokens.
Functions
requireBearerAuth()
requireBearerAuth(__namedParameters): RequestHandler
Defined in: middleware/express/src/auth/bearerAuth.ts:60
Express middleware that requires a valid Bearer token in the Authorization header.
The token is validated via the supplied OAuthTokenVerifier and the resulting AuthInfo (from @modelcontextprotocol/server) is attached to req.auth. The MCP Streamable HTTP transport reads req.auth and surfaces it to handlers as ctx.http.authInfo.
On failure the middleware sends a JSON OAuth error body and a WWW-Authenticate: Bearer … challenge that includes the configured resource_metadata URL so clients can discover the Authorization Server.
Parameters
__namedParameters
Returns
RequestHandler
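The 401 versus 403 behaviour described for requireBearerAuth, written out as an added, dependency-free model; this is not the SDK's code. The function names, the synchronous verifier, the `invalid_token` code on 401, the `scope` challenge attribute, and the sample tokens and URL are assumptions made for illustration.

```typescript
// Illustrative model, not the SDK's source; all names here are hypothetical.
interface TokenInfo { scopes: string[] }
type Verify = (token: string) => TokenInfo | null; // synchronous stand-in for a token verifier
interface Options { verify: Verify; requiredScopes?: string[]; resourceMetadataUrl?: string }
interface Decision {
  status: 200 | 401 | 403;
  wwwAuthenticate?: string;
  body?: { error: string; error_description: string };
  auth?: TokenInfo;
}

// Build an RFC 6750 challenge; resource_metadata is the RFC 9728 parameter.
function challenge(error: string, description: string, opts: Options, scope?: string[]): string {
  const q = (s: string): string => `"${s.replace(/[\\"]/g, "\\$&")}"`; // quoted-string escaping
  const params = [`error=${q(error)}`, `error_description=${q(description)}`];
  if (scope && scope.length > 0) params.push(`scope=${q(scope.join(" "))}`); // optional in RFC 6750
  if (opts.resourceMetadataUrl) params.push(`resource_metadata=${q(opts.resourceMetadataUrl)}`);
  return `Bearer ${params.join(", ")}`;
}

function deny(status: 401 | 403, error: string, description: string, opts: Options, scope?: string[]): Decision {
  const body = { error, error_description: description }; // JSON OAuth error body
  return { status, wwwAuthenticate: challenge(error, description, opts, scope), body };
}

function checkBearer(authorization: string | undefined, opts: Options): Decision {
  // The scheme name is case-insensitive; exactly one token68 value must follow it.
  const token = /^Bearer +([A-Za-z0-9\-._~+\/]+=*)$/i.exec(authorization ?? "")?.[1];
  if (!token) return deny(401, "invalid_token", "Missing or malformed Authorization header", opts);
  const info = opts.verify(token);
  if (!info) return deny(401, "invalid_token", "Token rejected by verifier", opts);
  const required = opts.requiredScopes ?? [];
  const missing = required.filter((s) => !info.scopes.includes(s));
  if (missing.length > 0) {
    return deny(403, "insufficient_scope", `Missing scopes: ${missing.join(" ")}`, opts, required);
  }
  return { status: 200, auth: info }; // the value a middleware would attach to req.auth
}

// Constructed sample tokens and options, for illustration only.
const sampleTokens: Record<string, TokenInfo> = {
  "tok-read": { scopes: ["mcp:read"] },
  "tok-full": { scopes: ["mcp:read", "mcp:write"] },
};
const sampleOpts: Options = {
  verify: (t) => sampleTokens[t] ?? null,
  requiredScopes: ["mcp:read", "mcp:write"],
  resourceMetadataUrl: "https://mcp.example.com/.well-known/oauth-protected-resource",
};
```

A token that verifies but lacks a required scope yields 403, while a missing, malformed or rejected token yields 401; both carry the `resource_metadata` parameter when the URL is configured.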