auth/provider (MCP TypeScript SDK V2, @modelcontextprotocol/server-legacy)
Interfaces
OAuthServerProvider
Defined in: packages/server-legacy/src/auth/provider.ts:27
Implements an end-to-end OAuth server.
Properties
authorizationResponseIssParameterSupported?
optional authorizationResponseIssParameterSupported?: boolean
Defined in: packages/server-legacy/src/auth/provider.ts:91
Whether this provider's authorization responses carry the RFC 9207 iss parameter. Drives the authorization_response_iss_parameter_supported metadata field. Defaults to true — the bundled authorizationHandler appends iss to redirects it issues to the client's redirect_uri. Set to false when the callback is issued by an upstream authorization server this provider delegates to (e.g. ProxyOAuthServerProvider), so the published metadata does not over-claim support.
skipLocalPkceValidation?
optional skipLocalPkceValidation?: boolean
Defined in: packages/server-legacy/src/auth/provider.ts:100
Whether to skip local PKCE validation.
If true, the server will not perform PKCE validation locally and will pass the code_verifier to the upstream server.
NOTE: This should only be true if the upstream server is performing the actual PKCE validation.
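As an added example (not code from the SDK or this page), the block below shows what "local PKCE validation" means for an OAuthServerProvider: the code_challenge presented at authorize() time is stored and later returned by challengeForAuthorizationCode(); before exchangeAuthorizationCode() runs, the token handler checks the client's code_verifier against it, unless skipLocalPkceValidation is set, in which case the verifier is passed through for the upstream server to check. The in-memory code store, the makeProvider and checkPkceBeforeExchange helpers, and the PkceProviderLike shape are assumptions of this example; only Node's built-in crypto module is used.

```typescript
// Added example, not SDK code. Assumes Node.js (node:crypto); the store, the
// provider shape and the decision helper are constructed for illustration.
import { createHash, timingSafeEqual } from 'node:crypto';

// RFC 7636 S256 method: BASE64URL(SHA256(ASCII(code_verifier))), no padding.
export function s256Challenge(codeVerifier: string): string {
  return createHash('sha256').update(codeVerifier, 'ascii').digest('base64url');
}

// Constant-time comparison. timingSafeEqual throws on unequal lengths, so a
// length mismatch is treated as a plain mismatch first.
export function pkceVerifierMatches(codeVerifier: string, storedChallenge: string): boolean {
  const computed = Buffer.from(s256Challenge(codeVerifier));
  const expected = Buffer.from(storedChallenge);
  return computed.length === expected.length && timingSafeEqual(computed, expected);
}

// The two provider members this check depends on (a subset of OAuthServerProvider).
export interface PkceProviderLike {
  skipLocalPkceValidation?: boolean;
  challengeForAuthorizationCode(clientId: string, authorizationCode: string): Promise<string>;
}

// Constructed in-memory store: authorization code -> { clientId, codeChallenge }.
// issueCode() stands in for the part of authorize() that records the challenge.
export function makeProvider(
  skip: boolean
): PkceProviderLike & { issueCode(clientId: string, codeChallenge: string): string } {
  const codes = new Map<string, { clientId: string; codeChallenge: string }>();
  let counter = 0;
  return {
    skipLocalPkceValidation: skip,
    issueCode(clientId, codeChallenge) {
      const code = `code-${++counter}`;
      codes.set(code, { clientId, codeChallenge });
      return code;
    },
    async challengeForAuthorizationCode(clientId, authorizationCode) {
      const entry = codes.get(authorizationCode);
      // The code must exist and must have been issued to this client.
      if (!entry || entry.clientId !== clientId) {
        throw new Error('invalid_grant: unknown authorization code for client');
      }
      return entry.codeChallenge;
    }
  };
}

// The decision made before exchangeAuthorizationCode(): either validate the
// verifier here, or (skipLocalPkceValidation) hand it to the upstream server,
// which then must be the party performing the check.
export async function checkPkceBeforeExchange(
  provider: PkceProviderLike,
  clientId: string,
  authorizationCode: string,
  codeVerifier: string | undefined
): Promise<'validated-locally' | 'delegated-upstream'> {
  if (provider.skipLocalPkceValidation) {
    return 'delegated-upstream';
  }
  if (codeVerifier === undefined) {
    throw new Error('invalid_request: code_verifier is required');
  }
  const challenge = await provider.challengeForAuthorizationCode(clientId, authorizationCode);
  if (!pkceVerifierMatches(codeVerifier, challenge)) {
    throw new Error('invalid_grant: code_verifier does not match code_challenge');
  }
  return 'validated-locally';
}
```

The test vector used below is the one from RFC 7636 Appendix B; a provider that sets skipLocalPkceValidation returns 'delegated-upstream' without ever looking at the stored challenge, which is why the NOTE above applies.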
Accessors
clientsStore
Get Signature
get clientsStore(): OAuthRegisteredClientsStore
Defined in: packages/server-legacy/src/auth/provider.ts:31
A store used to read information about registered OAuth clients.
Returns
OAuthRegisteredClientsStore
Methods
authorize()
authorize(client, params, res): Promise<void>
Defined in: packages/server-legacy/src/auth/provider.ts:48
Begins the authorization flow, which can either be implemented by this server itself or via redirection to a separate authorization server.
This server must eventually issue a redirect with an authorization response or an error response to the given redirect URI. Per OAuth 2.1:
- In the successful case, the redirect MUST include the code and state (if present) query parameters.
- In the error case, the redirect MUST include the error query parameter, and MAY include an optional error_description query parameter.
RFC 9207: the bundled authorizationHandler appends iss only to res.redirect(...) calls you issue on the supplied res to params.redirectUri, so an implementation that redirects that way requires no change. If you emit the Location header another way (e.g. res.writeHead(302, { Location: ... })), or issue the final callback redirect from a different response (e.g. after a separate consent step), append params.issuer as iss yourself, or set OAuthServerProvider.authorizationResponseIssParameterSupported to false so the metadata does not over-claim.
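As an added example (not code from the SDK or this page), here is how an authorize() implementation that writes the Location header itself can build the callback redirect so that it satisfies the OAuth 2.1 rules above and still carries the RFC 9207 iss parameter, together with the metadata default described for authorizationResponseIssParameterSupported. The RedirectParams and MinimalResponse types, the buildAuthorizationRedirect, redirectManually and issParameterSupported helpers, and the sample URLs are assumptions of this example; only Node's built-in URL class is used.

```typescript
// Added example, not SDK code. Assumes Node's global URL; MinimalResponse is a
// stand-in for the Express Response that authorize() receives.

// The subset of AuthorizationParams this example needs.
export interface RedirectParams {
  redirectUri: string;
  state?: string;
  issuer?: string; // AuthorizationParams.issuer, i.e. the issuerUrl of mcpAuthRouter
}

// What authorize() decided: either an authorization code or an OAuth error.
export type AuthorizationOutcome =
  | { code: string }
  | { error: string; errorDescription?: string };

// Builds the callback URL. OAuth 2.1: success carries `code` (+ `state` if
// present); error carries `error` (+ optional `error_description`). RFC 9207 §2:
// `iss` is added to success and error responses alike. searchParams.set() is
// used rather than append() so a redirect_uri that already has a query string
// never ends up with duplicate parameters.
export function buildAuthorizationRedirect(params: RedirectParams, outcome: AuthorizationOutcome): string {
  const url = new URL(params.redirectUri);
  if ('code' in outcome) {
    url.searchParams.set('code', outcome.code);
  } else {
    url.searchParams.set('error', outcome.error);
    if (outcome.errorDescription !== undefined) {
      url.searchParams.set('error_description', outcome.errorDescription);
    }
  }
  if (params.state !== undefined) {
    url.searchParams.set('state', params.state);
  }
  if (params.issuer !== undefined) {
    url.searchParams.set('iss', params.issuer);
  }
  return url.toString();
}

// Only the two members this example calls on the response object.
export interface MinimalResponse {
  writeHead(status: number, headers: Record<string, string>): void;
  end(): void;
}

// An authorize() body that emits the Location header by hand. Because it never
// calls res.redirect(), the bundled authorizationHandler cannot append `iss`,
// so buildAuthorizationRedirect() does it here. Returns the Location for inspection.
export function redirectManually(res: MinimalResponse, params: RedirectParams, outcome: AuthorizationOutcome): string {
  const location = buildAuthorizationRedirect(params, outcome);
  res.writeHead(302, { Location: location });
  res.end();
  return location;
}

// Value published as authorization_response_iss_parameter_supported: the flag
// defaults to true when the provider leaves it unset.
export function issParameterSupported(provider: { authorizationResponseIssParameterSupported?: boolean }): boolean {
  return provider.authorizationResponseIssParameterSupported ?? true;
}
```

A provider that delegates the callback to an upstream authorization server would instead leave the redirect alone and set authorizationResponseIssParameterSupported to false, so issParameterSupported() returns false and the metadata stops claiming support it cannot guarantee.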
Parameters
client
application_type?: string = ...
OIDC Dynamic Client Registration application_type. MCP clients MUST set this to 'native' or 'web' when registering (SEP-837); the SDK defaults it from redirect_uris when omitted. Typed as string (not an enum) so that parsing an authorization server's registration response — which under RFC 7591 may echo extension values — never rejects the document on this field alone.
client_id: string = ...
client_id_issued_at?: number = ...
client_name?: string = ...
client_secret?: string = ...
client_secret_expires_at?: number = ...
client_uri?: string = ...
contacts?: string[] = ...
grant_types?: string[] = ...
jwks?: any = ...
jwks_uri?: string = ...
logo_uri?: string = OptionalSafeUrlSchema
policy_uri?: string = ...
redirect_uris: string[] = ...
response_types?: string[] = ...
scope?: string = ...
software_id?: string = ...
software_statement?: string = ...
software_version?: string = ...
token_endpoint_auth_method?: string = ...
tos_uri?: string = OptionalSafeUrlSchema
params: AuthorizationParams
res: Response
Returns
Promise<void>
challengeForAuthorizationCode()
challengeForAuthorizationCode(client, authorizationCode): Promise<string>
Defined in: packages/server-legacy/src/auth/provider.ts:53
Returns the codeChallenge that was used when the indicated authorization began.
Parameters
client
Same registered-client object as listed under authorize() above.
authorizationCode: string
Returns
Promise<string>
exchangeAuthorizationCode()
exchangeAuthorizationCode(client, authorizationCode, codeVerifier?, redirectUri?, resource?): Promise<{ access_token: string; expires_in?: number; id_token?: string; refresh_token?: string; scope?: string; token_type: string; }>
Defined in: packages/server-legacy/src/auth/provider.ts:58
Exchanges an authorization code for an access token.
Parameters
client
Same registered-client object as listed under authorize() above.
authorizationCode: string
codeVerifier?: string
redirectUri?: string
resource?: URL
Returns
Promise<{ access_token: string; expires_in?: number; id_token?: string; refresh_token?: string; scope?: string; token_type: string; }>
exchangeRefreshToken()
exchangeRefreshToken(client, refreshToken, scopes?, resource?): Promise<{ access_token: string; expires_in?: number; id_token?: string; refresh_token?: string; scope?: string; token_type: string; }>
Defined in: packages/server-legacy/src/auth/provider.ts:69
Exchanges a refresh token for an access token.
Parameters
client
Same registered-client object as listed under authorize() above.
refreshToken: string
scopes?: string[]
resource?: URL
Returns
Promise<{ access_token: string; expires_in?: number; id_token?: string; refresh_token?: string; scope?: string; token_type: string; }>
revokeToken()?
optional revokeToken(client, request): Promise<void>
Defined in: packages/server-legacy/src/auth/provider.ts:81
Revokes an access or refresh token. If unimplemented, token revocation is not supported (not recommended).
If the given token is invalid or already revoked, this method should do nothing.
Parameters
client
Same registered-client object as listed under authorize() above.
request
token: string = ...
token_type_hint?: string = ...
Returns
Promise<void>
verifyAccessToken()
verifyAccessToken(token): Promise<AuthInfo>
Defined in: packages/server-legacy/src/auth/provider.ts:74
Verifies an access token and returns information about it.
Parameters
token: string
Returns
Promise<AuthInfo>
OAuthTokenVerifier
Defined in: packages/server-legacy/src/auth/provider.ts:106
Slim implementation useful for token verification
Methods
verifyAccessToken()
verifyAccessToken(token): Promise<AuthInfo>
Defined in: packages/server-legacy/src/auth/provider.ts:110
Verifies an access token and returns information about it.
Parameters
token: string
Returns
Promise<AuthInfo>
Type Aliases
AuthorizationParams
AuthorizationParams = object
Defined in: packages/server-legacy/src/auth/provider.ts:7
Properties
codeChallenge
codeChallenge: string
Defined in: packages/server-legacy/src/auth/provider.ts:10
issuer?
optional issuer?: string
Defined in: packages/server-legacy/src/auth/provider.ts:21
The authorization server's own issuer identifier (the issuerUrl configured on mcpAuthRouter). Informational: the bundled authorizationHandler already appends this as the iss query parameter (RFC 9207 §2) to any res.redirect(...) your authorize() issues to redirectUri. You only need to append it yourself when the final callback redirect is issued from a different response (e.g. after a separate consent-page POST).
redirectUri
redirectUri: string
Defined in: packages/server-legacy/src/auth/provider.ts:11
resource?
optional resource?: URL
Defined in: packages/server-legacy/src/auth/provider.ts:12
scopes?
optional scopes?: string[]
Defined in: packages/server-legacy/src/auth/provider.ts:9
state?
optional state?: string
Defined in: packages/server-legacy/src/auth/provider.ts:8