This is the documentation for the v2 beta — looking for the v1 documentation?

auth/metadataRouter

Interfaces

AuthMetadataOptions

Defined in: middleware/express/src/auth/metadataRouter.ts:65

Options for mcpAuthMetadataRouter.

Properties

oauthMetadata

oauthMetadata: object

Defined in: middleware/express/src/auth/metadataRouter.ts:71

Authorization Server metadata (RFC 8414) for the AS this MCP server relies on. Served at /.well-known/oauth-authorization-server so legacy clients that probe the resource origin still discover the AS.

Index Signature

[key: string]: unknown

authorization_endpoint

authorization_endpoint: string = SafeUrlSchema

authorization_response_iss_parameter_supported?

optional authorization_response_iss_parameter_supported?: boolean

client_id_metadata_document_supported?

optional client_id_metadata_document_supported?: boolean

code_challenge_methods_supported?

optional code_challenge_methods_supported?: string[]

grant_types_supported?

optional grant_types_supported?: string[]

introspection_endpoint?

optional introspection_endpoint?: string

introspection_endpoint_auth_methods_supported?

optional introspection_endpoint_auth_methods_supported?: string[]

introspection_endpoint_auth_signing_alg_values_supported?

optional introspection_endpoint_auth_signing_alg_values_supported?: string[]

issuer

issuer: string

registration_endpoint?

optional registration_endpoint?: string

response_modes_supported?

optional response_modes_supported?: string[]

response_types_supported

response_types_supported: string[]

revocation_endpoint?

optional revocation_endpoint?: string

revocation_endpoint_auth_methods_supported?

optional revocation_endpoint_auth_methods_supported?: string[]

revocation_endpoint_auth_signing_alg_values_supported?

optional revocation_endpoint_auth_signing_alg_values_supported?: string[]

scopes_supported?

optional scopes_supported?: string[]

service_documentation?

optional service_documentation?: string

token_endpoint

token_endpoint: string = SafeUrlSchema

token_endpoint_auth_methods_supported?

optional token_endpoint_auth_methods_supported?: string[]

token_endpoint_auth_signing_alg_values_supported?

optional token_endpoint_auth_signing_alg_values_supported?: string[]

resourceName?

optional resourceName?: string

Defined in: middleware/express/src/auth/metadataRouter.ts:94

Optional human-readable name advertised as resource_name.

resourceServerUrl

resourceServerUrl: URL

Defined in: middleware/express/src/auth/metadataRouter.ts:78

The public URL of this MCP server, used as the resource value in the Protected Resource Metadata document. Any path component is reflected in the well-known route per RFC 9728.

scopesSupported?

optional scopesSupported?: string[]

Defined in: middleware/express/src/auth/metadataRouter.ts:89

Optional list of scopes this MCP server understands, advertised as scopes_supported.

serviceDocumentationUrl?

optional serviceDocumentationUrl?: URL

Defined in: middleware/express/src/auth/metadataRouter.ts:83

Optional documentation URL advertised as resource_documentation.

Functions

allowedMethods()

allowedMethods(allowed): RequestHandler

Defined in: middleware/express/src/auth/metadataRouter.ts:33

Express middleware that rejects HTTP methods not in the supplied allow-list with a 405 Method Not Allowed and an OAuth-style error body. Used by metadataHandler to restrict metadata endpoints to GET/OPTIONS.

Parameters

allowed

string[]

Returns

RequestHandler


getOAuthProtectedResourceMetadataUrl()

getOAuthProtectedResourceMetadataUrl(serverUrl): string

Defined in: middleware/express/src/auth/metadataRouter.ts:149

Builds the RFC 9728 Protected Resource Metadata URL for a given MCP server URL by inserting /.well-known/oauth-protected-resource ahead of the path.

Parameters

serverUrl

URL

Returns

string

Example

```ts
getOAuthProtectedResourceMetadataUrl(new URL('https://api.example.com/mcp'))
// → 'https://api.example.com/.well-known/oauth-protected-resource/mcp'
```

mcpAuthMetadataRouter()

mcpAuthMetadataRouter(options): Router

Defined in: middleware/express/src/auth/metadataRouter.ts:116

Builds an Express router that serves the two OAuth discovery documents an MCP server acting purely as a Resource Server needs to expose:

  • /.well-known/oauth-protected-resource[/<path>] — RFC 9728 Protected Resource Metadata, derived from the supplied options.
  • /.well-known/oauth-authorization-server — RFC 8414 Authorization Server Metadata, passed through verbatim from AuthMetadataOptions.oauthMetadata.

Mount this router at the application root:

```ts
app.use(mcpAuthMetadataRouter({ oauthMetadata, resourceServerUrl }));
```

Pair with requireBearerAuth on your /mcp route and pass getOAuthProtectedResourceMetadataUrl as its resourceMetadataUrl so unauthenticated clients can discover the AS from the 401 challenge.

Parameters

options

AuthMetadataOptions

Returns

Router
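
The discovery flow above seen from the client's side, as an added example that is not SDK code: it derives the RFC 9728 well-known URL for a resource, builds a minimal Protected Resource Metadata document, and checks a fetched document before its authorization server is used (RFC 9728 section 3.3 requires the resource value to match the URL the client requested). All function names and sample values are hypothetical, and filling authorization_servers from the AS issuer is an assumption of this example.

```typescript
// Added example: every name here is hypothetical, none is an SDK export.
type Prm = { resource: string; authorization_servers?: string[]; [k: string]: unknown };

const WELL_KNOWN = '/.well-known/oauth-protected-resource';

// RFC 9728 section 3.1: the well-known segment goes between host and path;
// a bare "/" path contributes nothing.
function prmUrlFor(resource: URL): string {
    const path = resource.pathname === '/' ? '' : resource.pathname;
    return `${resource.origin}${WELL_KNOWN}${path}`;
}

// Document a resource server would publish. Using the AS issuer as the single
// authorization_servers entry is an assumption of this example.
function buildPrm(resourceServerUrl: URL, issuer: string, scopesSupported?: string[]): Prm {
    const doc: Prm = { resource: resourceServerUrl.href, authorization_servers: [issuer] };
    if (scopesSupported) doc.scopes_supported = scopesSupported;
    return doc;
}

// Client-side checks before trusting a fetched document: the resource value
// must equal the URL the client requested, and every listed AS must be an
// https issuer the client already trusts.
function checkPrm(requested: URL, doc: Prm, trustedIssuers: string[]): string[] {
    const problems: string[] = [];
    if (doc.resource !== requested.href) problems.push('resource mismatch');
    const servers = doc.authorization_servers ?? [];
    if (servers.length === 0) problems.push('no authorization server listed');
    for (const srv of servers) {
        if (!srv.startsWith('https://')) problems.push(`non-https issuer: ${srv}`);
        else if (!trustedIssuers.includes(srv)) problems.push(`untrusted issuer: ${srv}`);
    }
    return problems;
}

// Constructed sample values.
const mcp = new URL('https://api.example.com/mcp');
const trusted = ['https://auth.example.com'];
const good = buildPrm(mcp, 'https://auth.example.com', ['mcp:read']);
const mismatched: Prm = {
    resource: 'https://api.example.com/',
    authorization_servers: ['https://auth.other.example'],
};

console.log(prmUrlFor(mcp));
console.log(checkPrm(mcp, good, trusted));
console.log(checkPrm(mcp, mismatched, trusted));
```

A client that gets a non-empty list back from checkPrm should discard the document instead of following its authorization_servers entries.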


metadataHandler()

metadataHandler(metadata): RequestHandler

Defined in: middleware/express/src/auth/metadataRouter.ts:51

Builds a small Express router that serves the given OAuth metadata document at / as JSON, with permissive CORS and a GET/OPTIONS method allow-list.

Used by mcpAuthMetadataRouter for both the Authorization Server and Protected Resource metadata endpoints.

Parameters

metadata

{
  [key: string]: unknown;
  authorization_endpoint: string;
  authorization_response_iss_parameter_supported?: boolean;
  client_id_metadata_document_supported?: boolean;
  code_challenge_methods_supported?: string[];
  grant_types_supported?: string[];
  introspection_endpoint?: string;
  introspection_endpoint_auth_methods_supported?: string[];
  introspection_endpoint_auth_signing_alg_values_supported?: string[];
  issuer: string;
  registration_endpoint?: string;
  response_modes_supported?: string[];
  response_types_supported: string[];
  revocation_endpoint?: string;
  revocation_endpoint_auth_methods_supported?: string[];
  revocation_endpoint_auth_signing_alg_values_supported?: string[];
  scopes_supported?: string[];
  service_documentation?: string;
  token_endpoint: string;
  token_endpoint_auth_methods_supported?: string[];
  token_endpoint_auth_signing_alg_values_supported?: string[];
}
| {
  [key: string]: unknown;
  authorization_details_types_supported?: string[];
  authorization_servers?: string[];
  bearer_methods_supported?: string[];
  dpop_bound_access_tokens_required?: boolean;
  dpop_signing_alg_values_supported?: string[];
  jwks_uri?: string;
  resource: string;
  resource_documentation?: string;
  resource_name?: string;
  resource_policy_uri?: string;
  resource_signing_alg_values_supported?: string[];
  resource_tos_uri?: string;
  scopes_supported?: string[];
  tls_client_certificate_bound_access_tokens?: boolean;
}

Returns

RequestHandler