This is the documentation for the v2 beta.

auth/handlers/authorize

Type Aliases

AuthorizationHandlerOptions

AuthorizationHandlerOptions = object

Defined in: packages/server-legacy/src/auth/handlers/authorize.ts:12

Properties

issuerUrl?

optional issuerUrl?: URL

Defined in: packages/server-legacy/src/auth/handlers/authorize.ts:21

The authorization server's issuer identifier. When set, the handler appends it as the iss query parameter (RFC 9207) to any redirect — success or error — that targets the client's validated redirect_uri, and also supplies it to the provider as AuthorizationParams.issuer. mcpAuthRouter always sets this from its issuerUrl.

provider

provider: OAuthServerProvider

Defined in: packages/server-legacy/src/auth/handlers/authorize.ts:13

rateLimit?

optional rateLimit?: Partial<RateLimitOptions> | false

Defined in: packages/server-legacy/src/auth/handlers/authorize.ts:26

Rate limiting configuration for the authorization endpoint. Set to false to disable rate limiting for this endpoint.

Functions

authorizationHandler()

authorizationHandler(__namedParameters): RequestHandler

Defined in: packages/server-legacy/src/auth/handlers/authorize.ts:81

Parameters

__namedParameters

AuthorizationHandlerOptions

Returns

RequestHandler


redirectUriMatches()

redirectUriMatches(requested, registered): boolean

Defined in: packages/server-legacy/src/auth/handlers/authorize.ts:41

Validates a requested redirect_uri against a registered one.

Per RFC 8252 §7.3 (OAuth 2.0 for Native Apps), authorization servers MUST allow any port for loopback redirect URIs (localhost, 127.0.0.1, [::1]) to accommodate native clients that obtain an ephemeral port from the OS. For non-loopback URIs, exact match is required.

Parameters

requested

string

registered

string

Returns

boolean

See

https://datatracker.ietf.org/doc/html/rfc8252#section-7.3
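
The matching rule described for redirectUriMatches(), written out as an added TypeScript example; it is not the SDK's source. The names loopbackAwareMatch, tryParse, LOOPBACK_HOSTS, SAMPLES and runSamples and the sample URIs are hypothetical, and keeping scheme, host, path and query strict while relaxing only the port is this example's assumption.

```typescript
// Added illustration, not the SDK's source. All names here are hypothetical.
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

function tryParse(uri: string): URL | null {
  try {
    return new URL(uri);
  } catch {
    return null; // malformed input never matches
  }
}

function loopbackAwareMatch(requested: string, registered: string): boolean {
  // Identical strings always match, loopback or not.
  if (requested === registered) return true;

  const req = tryParse(requested);
  const reg = tryParse(registered);
  if (req === null || reg === null) return false;

  // Non-loopback registrations get exact string match only (handled above).
  if (!LOOPBACK_HOSTS.has(reg.hostname)) return false;

  // Assumption: only the port is relaxed. Scheme, host, path and query must
  // still be equal, so "localhost" and "127.0.0.1" are not interchangeable.
  return (
    req.protocol === reg.protocol &&
    req.hostname === reg.hostname &&
    req.username === reg.username &&
    req.password === reg.password &&
    req.pathname === reg.pathname &&
    req.search === reg.search &&
    req.hash === reg.hash
  );
}

// Constructed sample inputs: [requested, registered].
const SAMPLES: Array<[string, string]> = [
  ["http://127.0.0.1:51004/callback", "http://127.0.0.1/callback"], // true: ephemeral port
  ["http://[::1]:4000/cb", "http://[::1]:3000/cb"], // true: IPv6 loopback
  ["https://app.example.com:8443/cb", "https://app.example.com/cb"], // false: non-loopback
  ["http://127.0.0.1:51004/other", "http://127.0.0.1/callback"], // false: path differs
  ["http://localhost.example.com:3000/cb", "http://localhost:3000/cb"], // false: host differs
  ["not a url", "http://localhost/cb"], // false: unparseable
];

function runSamples(): boolean[] {
  return SAMPLES.map(([requested, registered]) => loopbackAwareMatch(requested, registered));
}

console.log(runSamples());
```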