This is the documentation for the v2 beta — looking for the v1 documentation?
Skip to content

MCP TypeScript SDK (V2) / @modelcontextprotocol/express / auth/types

auth/types

Interfaces

OAuthTokenVerifier

Defined in: middleware/express/src/auth/types.ts:13

Minimal token-verifier interface for MCP servers acting as an OAuth 2.0 Resource Server. Implementations introspect or locally validate an access token and return the resulting AuthInfo, which is then attached to the Express request and surfaced to MCP request handlers via ctx.http.authInfo.

This is intentionally narrower than a full OAuth Authorization Server provider — it only covers the verification step a Resource Server needs.

Methods

verifyAccessToken()

verifyAccessToken(token): Promise<AuthInfo>

Defined in: middleware/express/src/auth/types.ts:26

Verifies an access token and returns information about it.

Implementations should throw an OAuthError (from @modelcontextprotocol/server) with OAuthErrorCode.InvalidToken when the token is unknown, revoked, or otherwise invalid; requireBearerAuth maps that to a 401 with a WWW-Authenticate challenge.

Note: requireBearerAuth rejects tokens whose AuthInfo.expiresAt is unset (matches v1 behavior). Ensure your verifier populates it (e.g. from RFC 7662 introspection exp or the JWT exp claim).

Parameters
token

string

Returns

Promise<AuthInfo>