MCP TypeScript SDK (V2) / @modelcontextprotocol/express / auth/metadataRouter
auth/metadataRouter
Interfaces
AuthMetadataOptions
Defined in: middleware/express/src/auth/metadataRouter.ts:65
Options for mcpAuthMetadataRouter.
Properties
oauthMetadata
oauthMetadata: object
Defined in: middleware/express/src/auth/metadataRouter.ts:71
Authorization Server metadata (RFC 8414) for the AS this MCP server relies on. Served at /.well-known/oauth-authorization-server so legacy clients that probe the resource origin still discover the AS.
Index Signature
[key: string]: unknown
authorization_endpoint: string = SafeUrlSchema
optional authorization_response_iss_parameter_supported?: boolean
optional client_id_metadata_document_supported?: boolean
optional code_challenge_methods_supported?: string[]
optional grant_types_supported?: string[]
optional introspection_endpoint?: string
optional introspection_endpoint_auth_methods_supported?: string[]
optional introspection_endpoint_auth_signing_alg_values_supported?: string[]
issuer: string
optional registration_endpoint?: string
optional response_modes_supported?: string[]
response_types_supported: string[]
optional revocation_endpoint?: string
optional revocation_endpoint_auth_methods_supported?: string[]
optional revocation_endpoint_auth_signing_alg_values_supported?: string[]
optional scopes_supported?: string[]
optional service_documentation?: string
token_endpoint: string = SafeUrlSchema
optional token_endpoint_auth_methods_supported?: string[]
optional token_endpoint_auth_signing_alg_values_supported?: string[]
resourceName?
optional resourceName?: string
Defined in: middleware/express/src/auth/metadataRouter.ts:94
Optional human-readable name advertised as resource_name.
resourceServerUrl
resourceServerUrl: URL
Defined in: middleware/express/src/auth/metadataRouter.ts:78
The public URL of this MCP server, used as the resource value in the Protected Resource Metadata document. Any path component is reflected in the well-known route per RFC 9728.
scopesSupported?
optional scopesSupported?: string[]
Defined in: middleware/express/src/auth/metadataRouter.ts:89
Optional list of scopes this MCP server understands, advertised as scopes_supported.
serviceDocumentationUrl?
optional serviceDocumentationUrl?: URL
Defined in: middleware/express/src/auth/metadataRouter.ts:83
Optional documentation URL advertised as resource_documentation.
Functions
allowedMethods()
allowedMethods(allowed): RequestHandler
Defined in: middleware/express/src/auth/metadataRouter.ts:33
Express middleware that rejects HTTP methods not in the supplied allow-list with a 405 Method Not Allowed and an OAuth-style error body. Used by metadataHandler to restrict metadata endpoints to GET/OPTIONS.
Parameters
allowed
string[]
Returns
RequestHandler
getOAuthProtectedResourceMetadataUrl()
getOAuthProtectedResourceMetadataUrl(serverUrl): string
Defined in: middleware/express/src/auth/metadataRouter.ts:149
Builds the RFC 9728 Protected Resource Metadata URL for a given MCP server URL by inserting /.well-known/oauth-protected-resource ahead of the path.
Parameters
serverUrl
URL
Returns
string
Example
getOAuthProtectedResourceMetadataUrl(new URL('https://api.example.com/mcp'))
// → 'https://api.example.com/.well-known/oauth-protected-resource/mcp'
mcpAuthMetadataRouter()
mcpAuthMetadataRouter(options): Router
Defined in: middleware/express/src/auth/metadataRouter.ts:116
Builds an Express router that serves the two OAuth discovery documents an MCP server acting purely as a Resource Server needs to expose:
/.well-known/oauth-protected-resource[/<path>] — RFC 9728 Protected Resource Metadata, derived from the supplied options.
/.well-known/oauth-authorization-server — RFC 8414 Authorization Server Metadata, passed through verbatim from AuthMetadataOptions.oauthMetadata.
Mount this router at the application root:
app.use(mcpAuthMetadataRouter({ oauthMetadata, resourceServerUrl }));
Pair with requireBearerAuth on your /mcp route and pass getOAuthProtectedResourceMetadataUrl as its resourceMetadataUrl so unauthenticated clients can discover the AS from the 401 challenge.
Parameters
options
Returns
Router
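An added sketch, not the SDK's code, of the RFC 9728 pieces described above: deriving the well-known URL, mapping options onto the Protected Resource Metadata fields, and the client-side check that a fetched document's resource matches the URL it was requested for. All type and function names are hypothetical, and listing the AS issuer in authorization_servers is an assumption the page does not state.

```typescript
// Added illustration; every name here is hypothetical, not an SDK export.
const PRM_SUFFIX = '/.well-known/oauth-protected-resource';

interface PrmOptions {
  resourceServerUrl: URL;
  issuer: string; // assumption: the AS issuer is what authorization_servers lists
  scopesSupported?: string[];
  resourceName?: string;
  serviceDocumentationUrl?: URL;
}

interface PrmDocument {
  resource: string;
  authorization_servers: string[];
  scopes_supported?: string[];
  resource_name?: string;
  resource_documentation?: string;
}

// RFC 9728 section 3.1: the suffix goes between host and path; a bare "/" path is dropped.
function prmWellKnownUrl(resource: URL): string {
  const path = resource.pathname === '/' ? '' : resource.pathname;
  return resource.origin + PRM_SUFFIX + path;
}

// Map router-style options onto the document's snake_case fields.
function buildPrm(o: PrmOptions): PrmDocument {
  const doc: PrmDocument = { resource: o.resourceServerUrl.href, authorization_servers: [o.issuer] };
  if (o.scopesSupported) doc.scopes_supported = o.scopesSupported;
  if (o.resourceName) doc.resource_name = o.resourceName;
  if (o.serviceDocumentationUrl) doc.resource_documentation = o.serviceDocumentationUrl.href;
  return doc;
}

// Client-side check (RFC 9728 section 3.3): a fetched document is usable only if its
// `resource` is identical to the identifier the well-known URL was derived from.
function resourceMatches(doc: PrmDocument, requested: URL): boolean {
  return doc.resource === requested.href;
}

// Constructed sample values.
const sample: PrmOptions = {
  resourceServerUrl: new URL('https://api.example.com/mcp'),
  issuer: 'https://auth.example.com',
  scopesSupported: ['mcp:read'],
};
console.log(prmWellKnownUrl(sample.resourceServerUrl), buildPrm(sample));
```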
metadataHandler()
metadataHandler(metadata): RequestHandler
Defined in: middleware/express/src/auth/metadataRouter.ts:51
Builds a small Express router that serves the given OAuth metadata document at / as JSON, with permissive CORS and a GET/OPTIONS method allow-list.
Used by mcpAuthMetadataRouter for both the Authorization Server and Protected Resource metadata endpoints.
Parameters
metadata
{
  [key: string]: unknown;
  authorization_endpoint: string;
  authorization_response_iss_parameter_supported?: boolean;
  client_id_metadata_document_supported?: boolean;
  code_challenge_methods_supported?: string[];
  grant_types_supported?: string[];
  introspection_endpoint?: string;
  introspection_endpoint_auth_methods_supported?: string[];
  introspection_endpoint_auth_signing_alg_values_supported?: string[];
  issuer: string;
  registration_endpoint?: string;
  response_modes_supported?: string[];
  response_types_supported: string[];
  revocation_endpoint?: string;
  revocation_endpoint_auth_methods_supported?: string[];
  revocation_endpoint_auth_signing_alg_values_supported?: string[];
  scopes_supported?: string[];
  service_documentation?: string;
  token_endpoint: string;
  token_endpoint_auth_methods_supported?: string[];
  token_endpoint_auth_signing_alg_values_supported?: string[];
}
| {
  [key: string]: unknown;
  authorization_details_types_supported?: string[];
  authorization_servers?: string[];
  bearer_methods_supported?: string[];
  dpop_bound_access_tokens_required?: boolean;
  dpop_signing_alg_values_supported?: string[];
  jwks_uri?: string;
  resource: string;
  resource_documentation?: string;
  resource_name?: string;
  resource_policy_uri?: string;
  resource_signing_alg_values_supported?: string[];
  resource_tos_uri?: string;
  scopes_supported?: string[];
  tls_client_certificate_bound_access_tokens?: boolean;
}
Returns
RequestHandler