MCP TypeScript SDK (V2) / @modelcontextprotocol/server-legacy / auth/provider

auth/provider

Interfaces

OAuthServerProvider

Defined in: packages/server-legacy/src/auth/provider.ts:27

Implements an end-to-end OAuth server.

Properties

authorizationResponseIssParameterSupported?

optional authorizationResponseIssParameterSupported?: boolean

Defined in: packages/server-legacy/src/auth/provider.ts:91

Whether this provider's authorization responses carry the RFC 9207 iss parameter. Drives the authorization_response_iss_parameter_supported metadata field. Defaults to true — the bundled authorizationHandler appends iss to redirects it issues to the client's redirect_uri. Set to false when the callback is issued by an upstream authorization server this provider delegates to (e.g. ProxyOAuthServerProvider), so the published metadata does not over-claim support.

skipLocalPkceValidation?

optional skipLocalPkceValidation?: boolean

Defined in: packages/server-legacy/src/auth/provider.ts:100

Whether to skip local PKCE validation.

If true, the server will not perform PKCE validation locally and will pass the code_verifier to the upstream server.

NOTE: This should only be true if the upstream server is performing the actual PKCE validation.

Accessors

clientsStore
Get Signature

get clientsStore(): OAuthRegisteredClientsStore

Defined in: packages/server-legacy/src/auth/provider.ts:31

A store used to read information about registered OAuth clients.

Returns

OAuthRegisteredClientsStore

Methods

authorize()

authorize(client, params, res): Promise<void>

Defined in: packages/server-legacy/src/auth/provider.ts:48

Begins the authorization flow, which can either be implemented by this server itself or via redirection to a separate authorization server.

This server must eventually issue a redirect with an authorization response or an error response to the given redirect URI. Per OAuth 2.1:

  • In the successful case, the redirect MUST include the code and state (if present) query parameters.
  • In the error case, the redirect MUST include the error query parameter, and MAY include an optional error_description query parameter.

RFC 9207: the bundled authorizationHandler appends iss only to res.redirect(...) calls you issue on the supplied res to params.redirectUri, so an implementation that redirects that way requires no change. If you emit the Location header another way (e.g. res.writeHead(302, { Location: ... })), or issue the final callback redirect from a different response (e.g. after a separate consent step), append params.issuer as iss yourself, or set OAuthServerProvider.authorizationResponseIssParameterSupported to false so the metadata does not over-claim.

Parameters
client
application_type?

string = ...

OIDC Dynamic Client Registration application_type. MCP clients MUST set this to 'native' or 'web' when registering (SEP-837); the SDK defaults it from redirect_uris when omitted. Typed as string (not an enum) so that parsing an authorization server's registration response — which under RFC 7591 may echo extension values — never rejects the document on this field alone.

client_id

string = ...

client_id_issued_at?

number = ...

client_name?

string = ...

client_secret?

string = ...

client_secret_expires_at?

number = ...

client_uri?

string = ...

contacts?

string[] = ...

grant_types?

string[] = ...

jwks?

any = ...

jwks_uri?

string = ...

logo_uri?

string = OptionalSafeUrlSchema

policy_uri?

string = ...

redirect_uris

string[] = ...

response_types?

string[] = ...

scope?

string = ...

software_id?

string = ...

software_statement?

string = ...

software_version?

string = ...

token_endpoint_auth_method?

string = ...

tos_uri?

string = OptionalSafeUrlSchema

params

AuthorizationParams

res

Response

Returns

Promise<void>
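As an added example (not code from the SDK or from this page), the helper below builds the redirect URL that authorize() must eventually issue to params.redirectUri. It covers the two cases listed above (code plus state on success, error plus optional error_description on failure) and adds iss itself, which is what the documentation asks for when the Location header is written directly or the callback redirect comes from a different response. The AuthorizeParams and AuthorizeOutcome types and the function name are this example's own; AuthorizationParams on this page uses the same field names for redirectUri, state and issuer.

```typescript
// Added example, not SDK code: builds the authorization response redirect
// described in the OAuth 2.1 rules above, plus the RFC 9207 iss parameter.
export interface AuthorizeParams {
  redirectUri: string;  // assumed already checked against the client's redirect_uris
  state?: string;       // echoed back untouched whenever the client supplied one
  issuer?: string;      // appended as iss; leave undefined when you call res.redirect()
                        // on the supplied res, because the bundled handler appends it then
}

export type AuthorizeOutcome =
  | { kind: 'success'; code: string }
  | { kind: 'error'; error: string; errorDescription?: string };

export function buildAuthorizationRedirect(params: AuthorizeParams, outcome: AuthorizeOutcome): string {
  const url = new URL(params.redirectUri);
  // RFC 6749 section 3.1.2: a redirection endpoint URI must not carry a fragment.
  if (url.hash !== '') throw new Error('redirect URI must not contain a fragment');

  // Query parameters already present on the registered redirect_uri are kept;
  // the response parameters are added alongside them.
  if (outcome.kind === 'success') {
    url.searchParams.set('code', outcome.code);
  } else {
    url.searchParams.set('error', outcome.error);
    if (outcome.errorDescription !== undefined) {
      url.searchParams.set('error_description', outcome.errorDescription);
    }
  }
  // state is returned in both the success and the error case when it was present.
  if (params.state !== undefined) url.searchParams.set('state', params.state);
  if (params.issuer !== undefined) url.searchParams.set('iss', params.issuer);
  return url.toString();
}

// Illustrative use for the writeHead case the documentation calls out
// (res stands for a Node http.ServerResponse-like object):
//   const location = buildAuthorizationRedirect(params, { kind: 'success', code });
//   res.writeHead(302, { Location: location });
//   res.end();
```

Because the function appends iss itself, pass issuer only on the code path where the bundled handler does not see the redirect; on the res.redirect(...) path leave it undefined so the parameter is not written twice.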

challengeForAuthorizationCode()

challengeForAuthorizationCode(client, authorizationCode): Promise<string>

Defined in: packages/server-legacy/src/auth/provider.ts:53

Returns the codeChallenge that was used when the indicated authorization began.

Parameters
client

The registered client record, with the same fields as the client parameter of authorize() above.

authorizationCode

string

Returns

Promise<string>

exchangeAuthorizationCode()

exchangeAuthorizationCode(client, authorizationCode, codeVerifier?, redirectUri?, resource?): Promise<{ access_token: string; expires_in?: number; id_token?: string; refresh_token?: string; scope?: string; token_type: string; }>

Defined in: packages/server-legacy/src/auth/provider.ts:58

Exchanges an authorization code for an access token.

Parameters
client

The registered client record, with the same fields as the client parameter of authorize() above.

authorizationCode

string

codeVerifier?

string

redirectUri?

string

resource?

URL

Returns

Promise<{ access_token: string; expires_in?: number; id_token?: string; refresh_token?: string; scope?: string; token_type: string; }>
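The added example below (not SDK code) shows the state a provider has to keep between authorize() and exchangeAuthorizationCode(), and how challengeForAuthorizationCode(), the local PKCE check and the skipLocalPkceValidation flag described earlier fit together. The CodeExchange class, its issueCode/challengeFor/redeem methods and the PendingCode record are this example's own names; the S256 challenge computation follows RFC 7636, and the test vector used for it is the one from that RFC's appendix.

```typescript
import { createHash, randomBytes, timingSafeEqual } from 'node:crypto';

// Added example, not SDK code. What authorize() must remember so that the
// token endpoint can later validate the exchange. Field names are this example's own.
export interface PendingCode {
  clientId: string;
  codeChallenge: string;  // AuthorizationParams.codeChallenge (S256), saved at authorize time
  redirectUri: string;    // AuthorizationParams.redirectUri, saved at authorize time
  resource?: string;      // AuthorizationParams.resource?.href, when one was requested
  scopes?: string[];
  expiresAt: number;      // epoch ms; codes are short-lived and single use
}

export interface IssuedTokens {
  access_token: string;
  token_type: string;
  expires_in?: number;
  scope?: string;
}

// RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier))) without padding.
export function s256Challenge(verifier: string): string {
  return createHash('sha256').update(verifier, 'ascii').digest('base64url');
}

export function verifyS256(verifier: string, challenge: string): boolean {
  const expected = Buffer.from(s256Challenge(verifier));
  const given = Buffer.from(challenge);
  return expected.length === given.length && timingSafeEqual(expected, given);
}

export class CodeExchange {
  private readonly pending = new Map<string, PendingCode>();
  private readonly skipLocalPkceValidation: boolean;
  private readonly now: () => number;

  // now() is injectable so expiry can be exercised deterministically.
  constructor(skipLocalPkceValidation = false, now: () => number = Date.now) {
    this.skipLocalPkceValidation = skipLocalPkceValidation;
    this.now = now;
  }

  // Called from authorize(): store the challenge and return a one-time code.
  issueCode(input: Omit<PendingCode, 'expiresAt'>, ttlMs = 60_000): string {
    const code = randomBytes(32).toString('base64url');
    this.pending.set(code, { ...input, expiresAt: this.now() + ttlMs });
    return code;
  }

  // Backs challengeForAuthorizationCode(): the challenge recorded when the flow began.
  challengeFor(clientId: string, code: string): string {
    const entry = this.pending.get(code);
    if (!entry || entry.clientId !== clientId) throw new Error('invalid_grant');
    return entry.codeChallenge;
  }

  // Backs exchangeAuthorizationCode(). Every failure is reported as the same
  // invalid_grant so the caller learns nothing about which check failed.
  redeem(clientId: string, code: string, codeVerifier?: string, redirectUri?: string, resource?: URL): IssuedTokens {
    const entry = this.pending.get(code);
    if (!entry) throw new Error('invalid_grant');
    // Delete before checking anything else: a code is consumed by its first use,
    // so a failed attempt cannot be followed by a retry with a corrected verifier.
    this.pending.delete(code);

    const sameClient = entry.clientId === clientId;
    const fresh = entry.expiresAt > this.now();
    const sameRedirect = redirectUri === undefined || redirectUri === entry.redirectUri;
    const sameResource = resource?.href === entry.resource;  // both absent also counts as a match
    if (!sameClient || !fresh || !sameRedirect || !sameResource) throw new Error('invalid_grant');

    // Local PKCE check, unless the upstream server performs it (skipLocalPkceValidation).
    if (!this.skipLocalPkceValidation) {
      if (codeVerifier === undefined || !verifyS256(codeVerifier, entry.codeChallenge)) {
        throw new Error('invalid_grant');
      }
    }

    const tokens: IssuedTokens = {
      access_token: randomBytes(32).toString('base64url'),
      token_type: 'bearer',
      expires_in: 3600
    };
    if (entry.scopes) tokens.scope = entry.scopes.join(' ');
    return tokens;
  }
}
```

With skipLocalPkceValidation set, redeem() does not look at the verifier at all; the provider is then expected to forward code_verifier to the upstream server, which is the only situation in which the flag should be true according to the note above.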

exchangeRefreshToken()

exchangeRefreshToken(client, refreshToken, scopes?, resource?): Promise<{ access_token: string; expires_in?: number; id_token?: string; refresh_token?: string; scope?: string; token_type: string; }>

Defined in: packages/server-legacy/src/auth/provider.ts:69

Exchanges a refresh token for an access token.

Parameters
client

The registered client record, with the same fields as the client parameter of authorize() above.

refreshToken

string

scopes?

string[]

resource?

URL

Returns

Promise<{ access_token: string; expires_in?: number; id_token?: string; refresh_token?: string; scope?: string; token_type: string; }>

revokeToken()?

optional revokeToken(client, request): Promise<void>

Defined in: packages/server-legacy/src/auth/provider.ts:81

Revokes an access or refresh token. If unimplemented, token revocation is not supported (not recommended).

If the given token is invalid or already revoked, this method should do nothing.

Parameters
client

The registered client record, with the same fields as the client parameter of authorize() above.

request
token

string = ...

token_type_hint?

string = ...

Returns

Promise<void>

verifyAccessToken()

verifyAccessToken(token): Promise<AuthInfo>

Defined in: packages/server-legacy/src/auth/provider.ts:74

Verifies an access token and returns information about it.

Parameters
token

string

Returns

Promise<AuthInfo>
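As an added example (not SDK code), the token store below backs the three remaining methods on this interface: exchangeRefreshToken() with scope narrowing and refresh-token rotation, verifyAccessToken(), and a revokeToken() that does nothing for unknown or already-revoked tokens, as the description above requires. The TokenStore class, the TokenRecord and RefreshResult shapes, and ExampleAuthInfo are this example's own; the SDK's AuthInfo type is not reproduced here.

```typescript
import { randomBytes } from 'node:crypto';

// Added example, not SDK code. One record per issued token; names are this example's own.
export interface TokenRecord {
  clientId: string;
  scopes: string[];
  expiresAt: number;              // epoch ms
  kind: 'access' | 'refresh';
}

// Stand-in for the SDK's AuthInfo (not the real type).
export interface ExampleAuthInfo {
  token: string;
  clientId: string;
  scopes: string[];
  expiresAt: number;
}

export interface RefreshResult {
  access_token: string;
  refresh_token: string;
  token_type: string;
  expires_in: number;
  scope: string;
}

export class TokenStore {
  private readonly tokens = new Map<string, TokenRecord>();
  private readonly now: () => number;

  // now() is injectable so expiry can be exercised deterministically.
  constructor(now: () => number = Date.now) {
    this.now = now;
  }

  // Register a token the caller minted elsewhere (e.g. in the code exchange).
  issue(token: string, record: TokenRecord): void {
    this.tokens.set(token, record);
  }

  private mint(record: TokenRecord): string {
    const token = randomBytes(32).toString('base64url');
    this.tokens.set(token, record);
    return token;
  }

  // Backs exchangeRefreshToken(): requested scopes may only narrow the original
  // grant, and the refresh token is rotated so the old value cannot be replayed.
  exchangeRefreshToken(clientId: string, refreshToken: string, scopes?: string[]): RefreshResult {
    const rec = this.tokens.get(refreshToken);
    if (!rec || rec.kind !== 'refresh' || rec.clientId !== clientId || rec.expiresAt <= this.now()) {
      throw new Error('invalid_grant');
    }
    const granted = scopes ?? rec.scopes;
    if (!granted.every(s => rec.scopes.includes(s))) throw new Error('invalid_scope');

    this.tokens.delete(refreshToken);
    const accessTtlMs = 3600_000;
    const access_token = this.mint({ clientId, scopes: granted, expiresAt: this.now() + accessTtlMs, kind: 'access' });
    // The new refresh token keeps the original grant's scopes and lifetime.
    const refresh_token = this.mint({ clientId, scopes: rec.scopes, expiresAt: rec.expiresAt, kind: 'refresh' });
    return { access_token, refresh_token, token_type: 'bearer', expires_in: accessTtlMs / 1000, scope: granted.join(' ') };
  }

  // Backs verifyAccessToken(): unknown, revoked, expired and refresh tokens are
  // all rejected the same way.
  verifyAccessToken(token: string): ExampleAuthInfo {
    const rec = this.tokens.get(token);
    if (!rec || rec.kind !== 'access' || rec.expiresAt <= this.now()) throw new Error('invalid_token');
    return { token, clientId: rec.clientId, scopes: rec.scopes, expiresAt: rec.expiresAt };
  }

  // Backs revokeToken(): idempotent. token_type_hint is only advisory, so the
  // lookup is by token value and a wrong hint still revokes. A token that belongs
  // to another client is treated like an unknown one (this example's choice), so
  // a client cannot use revocation to probe for other clients' tokens.
  revokeToken(clientId: string, request: { token: string; token_type_hint?: string }): void {
    const rec = this.tokens.get(request.token);
    if (!rec || rec.clientId !== clientId) return;   // invalid, already revoked, or not this client's
    this.tokens.delete(request.token);
  }
}
```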


OAuthTokenVerifier

Defined in: packages/server-legacy/src/auth/provider.ts:106

Slim interface that exposes only token verification.

Methods

verifyAccessToken()

verifyAccessToken(token): Promise<AuthInfo>

Defined in: packages/server-legacy/src/auth/provider.ts:110

Verifies an access token and returns information about it.

Parameters
token

string

Returns

Promise<AuthInfo>

Type Aliases

AuthorizationParams

AuthorizationParams = object

Defined in: packages/server-legacy/src/auth/provider.ts:7

Properties

codeChallenge

codeChallenge: string

Defined in: packages/server-legacy/src/auth/provider.ts:10

issuer?

optional issuer?: string

Defined in: packages/server-legacy/src/auth/provider.ts:21

The authorization server's own issuer identifier (the issuerUrl configured on mcpAuthRouter). Informational: the bundled authorizationHandler already appends this as the iss query parameter (RFC 9207 §2) to any res.redirect(...) your authorize() issues to redirectUri. You only need to append it yourself when the final callback redirect is issued from a different response (e.g. after a separate consent-page POST).

redirectUri

redirectUri: string

Defined in: packages/server-legacy/src/auth/provider.ts:11

resource?

optional resource?: URL

Defined in: packages/server-legacy/src/auth/provider.ts:12

scopes?

optional scopes?: string[]

Defined in: packages/server-legacy/src/auth/provider.ts:9

state?

optional state?: string

Defined in: packages/server-legacy/src/auth/provider.ts:8