This is the documentation for the v2 beta — looking for the v1 documentation?

auth/router

Type Aliases

AuthMetadataOptions

AuthMetadataOptions = object

Defined in: packages/server-legacy/src/auth/router.ts:185

Properties

oauthMetadata

oauthMetadata: OAuthMetadata

Defined in: packages/server-legacy/src/auth/router.ts:190

OAuth metadata, as it would be returned by the authorization server this MCP server relies on

resourceName?

optional resourceName?: string

Defined in: packages/server-legacy/src/auth/router.ts:210

An optional resource name to display in resource metadata

resourceServerUrl

resourceServerUrl: URL

Defined in: packages/server-legacy/src/auth/router.ts:195

The URL of the MCP server, for use in protected resource metadata

scopesSupported?

optional scopesSupported?: string[]

Defined in: packages/server-legacy/src/auth/router.ts:205

An optional list of scopes supported by this MCP server

serviceDocumentationUrl?

optional serviceDocumentationUrl?: URL

Defined in: packages/server-legacy/src/auth/router.ts:200

The URL of the documentation for the MCP server


AuthRouterOptions

AuthRouterOptions = object

Defined in: packages/server-legacy/src/auth/router.ts:24

Properties

authorizationOptions?

optional authorizationOptions?: Omit<AuthorizationHandlerOptions, "provider" | "issuerUrl">

Defined in: packages/server-legacy/src/auth/router.ts:64

baseUrl?

optional baseUrl?: URL

Defined in: packages/server-legacy/src/auth/router.ts:40

The base URL of the authorization server to use for the metadata endpoints.

If not provided, the issuer URL will be used as the base URL.

clientRegistrationOptions?

optional clientRegistrationOptions?: Omit<ClientRegistrationHandlerOptions, "clientsStore">

Defined in: packages/server-legacy/src/auth/router.ts:65

issuerUrl

issuerUrl: URL

Defined in: packages/server-legacy/src/auth/router.ts:33

The authorization server's issuer identifier, which is a URL that uses the "https" scheme and has no query or fragment components.

provider

provider: OAuthServerProvider

Defined in: packages/server-legacy/src/auth/router.ts:28

A provider implementing the actual authorization logic for this router.

resourceName?

optional resourceName?: string

Defined in: packages/server-legacy/src/auth/router.ts:55

The resource name to be displayed in protected resource metadata

resourceServerUrl?

optional resourceServerUrl?: URL

Defined in: packages/server-legacy/src/auth/router.ts:61

The URL of the protected resource (RS) whose metadata we advertise. If not provided, falls back to baseUrl and then to issuerUrl (AS=RS).

revocationOptions?

optional revocationOptions?: Omit<RevocationHandlerOptions, "provider">

Defined in: packages/server-legacy/src/auth/router.ts:66

scopesSupported?

optional scopesSupported?: string[]

Defined in: packages/server-legacy/src/auth/router.ts:50

An optional list of scopes supported by this authorization server

serviceDocumentationUrl?

optional serviceDocumentationUrl?: URL

Defined in: packages/server-legacy/src/auth/router.ts:45

An optional URL of a page containing human-readable information that developers might want or need to know when using the authorization server.

tokenOptions?

optional tokenOptions?: Omit<TokenHandlerOptions, "provider">

Defined in: packages/server-legacy/src/auth/router.ts:67

Functions

createOAuthMetadata()

createOAuthMetadata(options): object

Defined in: packages/server-legacy/src/auth/router.ts:83

Parameters

options

baseUrl?

URL

issuerUrl

URL

provider

OAuthServerProvider

scopesSupported?

string[]

serviceDocumentationUrl?

URL

Returns

object

authorization_endpoint

authorization_endpoint: string = SafeUrlSchema

authorization_response_iss_parameter_supported?

optional authorization_response_iss_parameter_supported?: boolean

client_id_metadata_document_supported?

optional client_id_metadata_document_supported?: boolean

code_challenge_methods_supported?

optional code_challenge_methods_supported?: string[]

grant_types_supported?

optional grant_types_supported?: string[]

introspection_endpoint?

optional introspection_endpoint?: string

introspection_endpoint_auth_methods_supported?

optional introspection_endpoint_auth_methods_supported?: string[]

introspection_endpoint_auth_signing_alg_values_supported?

optional introspection_endpoint_auth_signing_alg_values_supported?: string[]

issuer

issuer: string

registration_endpoint?

optional registration_endpoint?: string

response_modes_supported?

optional response_modes_supported?: string[]

response_types_supported

response_types_supported: string[]

revocation_endpoint?

optional revocation_endpoint?: string

revocation_endpoint_auth_methods_supported?

optional revocation_endpoint_auth_methods_supported?: string[]

revocation_endpoint_auth_signing_alg_values_supported?

optional revocation_endpoint_auth_signing_alg_values_supported?: string[]

scopes_supported?

optional scopes_supported?: string[]

service_documentation?

optional service_documentation?: string

token_endpoint

token_endpoint: string = SafeUrlSchema

token_endpoint_auth_methods_supported?

optional token_endpoint_auth_methods_supported?: string[]

token_endpoint_auth_signing_alg_values_supported?

optional token_endpoint_auth_signing_alg_values_supported?: string[]


getOAuthProtectedResourceMetadataUrl()

getOAuthProtectedResourceMetadataUrl(serverUrl): string

Defined in: packages/server-legacy/src/auth/router.ts:249

Helper function to construct the OAuth 2.0 Protected Resource Metadata URL from a given server URL. This replaces the path with the standard metadata endpoint.

Parameters

serverUrl

URL

The base URL of the protected resource server

Returns

string

The URL for the OAuth protected resource metadata endpoint

Example

```ts
getOAuthProtectedResourceMetadataUrl(new URL('https://api.example.com/mcp'))
// Returns: 'https://api.example.com/.well-known/oauth-protected-resource/mcp'
```
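
The issuerUrl constraint and the resourceServerUrl fallback documented under AuthRouterOptions, combined with the metadata URL construction described for this helper, as an added stand-alone example (not the SDK's own code). The names AuthUrls, checkIssuer, resolveResourceUrl, metadataUrlFor and planAuthUrls are hypothetical, and the example.com hosts are constructed placeholders.

```typescript
// Added example. AuthUrls, checkIssuer, resolveResourceUrl, metadataUrlFor and
// planAuthUrls are hypothetical names, not exports of the SDK.
interface AuthUrls {
  issuerUrl: URL;
  baseUrl?: URL;
  resourceServerUrl?: URL;
}

const WELL_KNOWN = '/.well-known/oauth-protected-resource';

// Issuer rule as documented for issuerUrl: "https" scheme, no query, no fragment.
// href is inspected because URL.search and URL.hash are '' for a bare '?' or '#'.
function checkIssuer(issuer: URL): string[] {
  const problems: string[] = [];
  if (issuer.protocol !== 'https:') problems.push('issuer must use the https scheme');
  if (issuer.href.includes('?')) problems.push('issuer must not have a query component');
  if (issuer.href.includes('#')) problems.push('issuer must not have a fragment component');
  return problems;
}

// Documented fallback: resourceServerUrl, then baseUrl, then issuerUrl (AS=RS).
function resolveResourceUrl(o: AuthUrls): URL {
  return o.resourceServerUrl ?? o.baseUrl ?? o.issuerUrl;
}

// Put the well-known segment between the origin and the resource path,
// so a client can derive the metadata location from the resource URL alone.
function metadataUrlFor(resource: URL): string {
  const path = resource.pathname === '/' ? '' : resource.pathname;
  return new URL(WELL_KNOWN + path, resource.origin).href;
}

function planAuthUrls(o: AuthUrls) {
  const resource = resolveResourceUrl(o);
  return { problems: checkIssuer(o.issuerUrl), resource: resource.href, metadataUrl: metadataUrlFor(resource) };
}

// Constructed sample configurations (example.com hosts are placeholders).
const samples: AuthUrls[] = [
  { issuerUrl: new URL('https://auth.example.com'), resourceServerUrl: new URL('https://api.example.com/mcp') },
  { issuerUrl: new URL('https://auth.example.com') },
  { issuerUrl: new URL('http://auth.example.com/?tenant=a#top'), baseUrl: new URL('https://gw.example.com/auth') },
];
for (const s of samples) console.log(JSON.stringify(planAuthUrls(s)));
```

Running a check like this at start-up catches an issuer that clients would reject and shows which origin the protected resource metadata will be advertised for when resourceServerUrl is omitted.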

mcpAuthMetadataRouter()

mcpAuthMetadataRouter(options): Router

Defined in: packages/server-legacy/src/auth/router.ts:213

Parameters

options

AuthMetadataOptions

Returns

Router


mcpAuthRouter()

mcpAuthRouter(options): RequestHandler

Defined in: packages/server-legacy/src/auth/router.ts:142

Installs standard MCP authorization server endpoints, including dynamic client registration and token revocation (if supported). Also advertises standard authorization server metadata, for easier discovery of supported configurations by clients.

Note: if your MCP server is only a resource server and not an authorization server, use mcpAuthMetadataRouter instead.

By default, rate limiting is applied to all endpoints to prevent abuse.

This router MUST be installed at the application root, like so:

```ts
const app = express();
app.use(mcpAuthRouter(...));
```

Parameters

options

AuthRouterOptions

Returns

RequestHandler