auth/handlers/authorize
Type Aliases
AuthorizationHandlerOptions
AuthorizationHandlerOptions = object
Defined in: packages/server-legacy/src/auth/handlers/authorize.ts:12
Properties
issuerUrl?
optional issuerUrl?: URL
Defined in: packages/server-legacy/src/auth/handlers/authorize.ts:21
The authorization server's issuer identifier. When set, the handler appends it as the iss query parameter (RFC 9207) to any redirect — success or error — that targets the client's validated redirect_uri, and also supplies it to the provider as AuthorizationParams.issuer. mcpAuthRouter always sets this from its issuerUrl.
provider
provider: OAuthServerProvider
Defined in: packages/server-legacy/src/auth/handlers/authorize.ts:13
rateLimit?
optional rateLimit?: Partial<RateLimitOptions> | false
Defined in: packages/server-legacy/src/auth/handlers/authorize.ts:26
Rate limiting configuration for the authorization endpoint. Set to false to disable rate limiting for this endpoint.
Functions
authorizationHandler()
authorizationHandler(__namedParameters): RequestHandler
Defined in: packages/server-legacy/src/auth/handlers/authorize.ts:81
Parameters
__namedParameters
Returns
RequestHandler
redirectUriMatches()
redirectUriMatches(requested, registered): boolean
Defined in: packages/server-legacy/src/auth/handlers/authorize.ts:41
Validates a requested redirect_uri against a registered one.
Per RFC 8252 §7.3 (OAuth 2.0 for Native Apps), authorization servers MUST allow any port for loopback redirect URIs (localhost, 127.0.0.1, [::1]) to accommodate native clients that obtain an ephemeral port from the OS. For non-loopback URIs, exact match is required.
Parameters
requested: string
registered: string
Returns
boolean
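The matching rule described for redirectUriMatches(), written out as an added TypeScript example; it is not the SDK's source. The names loopbackAwareMatch, parseOrNull and LOOPBACK_HOSTS, the sample URIs, and the choice to require identical scheme, hostname, userinfo, path, query and fragment on loopback URIs are assumptions made here.

```typescript
// Added example, not the SDK's source. All names here are hypothetical.
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

function parseOrNull(value: string): URL | null {
  try {
    return new URL(value);
  } catch {
    return null; // unparseable input never matches
  }
}

function loopbackAwareMatch(requested: string, registered: string): boolean {
  // Exact string equality always matches (the only path for non-loopback URIs).
  if (requested === registered) return true;

  const req = parseOrNull(requested);
  const reg = parseOrNull(registered);
  if (!req || !reg) return false;

  // The port relaxation applies only when BOTH sides are loopback hosts.
  // Compare the parsed hostname, never a string prefix: "localhost.evil.example"
  // and "127.0.0.1@evil.example" must not qualify.
  if (!LOOPBACK_HOSTS.has(reg.hostname) || !LOOPBACK_HOSTS.has(req.hostname)) {
    return false;
  }

  // Assumption: everything except the port must still be identical.
  return (
    req.protocol === reg.protocol &&
    req.hostname === reg.hostname &&
    req.username === reg.username &&
    req.password === reg.password &&
    req.pathname === reg.pathname &&
    req.search === reg.search &&
    req.hash === reg.hash
  );
}

// Constructed sample inputs: [requested, registered]
const SAMPLES: Array<[string, string]> = [
  ["http://127.0.0.1:51234/callback", "http://127.0.0.1/callback"],
  ["http://[::1]:8080/cb", "http://[::1]:3000/cb"],
  ["https://app.example.com:8443/cb", "https://app.example.com/cb"],
  ["http://localhost.evil.example:3000/cb", "http://localhost:3000/cb"],
  ["http://127.0.0.1@evil.example/callback", "http://127.0.0.1/callback"],
];
for (const [requested, registered] of SAMPLES) {
  console.log(loopbackAwareMatch(requested, registered), requested, "vs", registered);
}
```

Only the first two sample pairs match; the remaining three are rejected because the host is not loopback once parsed.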