auth/router
Type Aliases
AuthMetadataOptions
AuthMetadataOptions = object
Defined in: packages/server-legacy/src/auth/router.ts:185
Properties
oauthMetadata
oauthMetadata: OAuthMetadata
Defined in: packages/server-legacy/src/auth/router.ts:190
OAuth Metadata as would be returned from the authorization server this MCP server relies on
resourceName?
optional resourceName?: string
Defined in: packages/server-legacy/src/auth/router.ts:210
An optional resource name to display in resource metadata
resourceServerUrl
resourceServerUrl: URL
Defined in: packages/server-legacy/src/auth/router.ts:195
The URL of the MCP server, for use in protected resource metadata
scopesSupported?
optional scopesSupported?: string[]
Defined in: packages/server-legacy/src/auth/router.ts:205
An optional list of scopes supported by this MCP server
serviceDocumentationUrl?
optional serviceDocumentationUrl?: URL
Defined in: packages/server-legacy/src/auth/router.ts:200
The URL of the documentation for the MCP server
AuthRouterOptions
AuthRouterOptions = object
Defined in: packages/server-legacy/src/auth/router.ts:24
Properties
authorizationOptions?
optional authorizationOptions?: Omit<AuthorizationHandlerOptions, "provider" | "issuerUrl">
Defined in: packages/server-legacy/src/auth/router.ts:64
baseUrl?
optional baseUrl?: URL
Defined in: packages/server-legacy/src/auth/router.ts:40
The base URL of the authorization server to use for the metadata endpoints.
If not provided, the issuer URL will be used as the base URL.
clientRegistrationOptions?
optional clientRegistrationOptions?: Omit<ClientRegistrationHandlerOptions, "clientsStore">
Defined in: packages/server-legacy/src/auth/router.ts:65
issuerUrl
issuerUrl: URL
Defined in: packages/server-legacy/src/auth/router.ts:33
The authorization server's issuer identifier, which is a URL that uses the "https" scheme and has no query or fragment components.
provider
provider: OAuthServerProvider
Defined in: packages/server-legacy/src/auth/router.ts:28
A provider implementing the actual authorization logic for this router.
resourceName?
optional resourceName?: string
Defined in: packages/server-legacy/src/auth/router.ts:55
The resource name to be displayed in protected resource metadata
resourceServerUrl?
optional resourceServerUrl?: URL
Defined in: packages/server-legacy/src/auth/router.ts:61
The URL of the protected resource (RS) whose metadata we advertise. If not provided, falls back to baseUrl and then to issuerUrl (AS=RS).
revocationOptions?
optional revocationOptions?: Omit<RevocationHandlerOptions, "provider">
Defined in: packages/server-legacy/src/auth/router.ts:66
scopesSupported?
optional scopesSupported?: string[]
Defined in: packages/server-legacy/src/auth/router.ts:50
An optional list of scopes supported by this authorization server
serviceDocumentationUrl?
optional serviceDocumentationUrl?: URL
Defined in: packages/server-legacy/src/auth/router.ts:45
An optional URL of a page containing human-readable information that developers might want or need to know when using the authorization server.
tokenOptions?
optional tokenOptions?: Omit<TokenHandlerOptions, "provider">
Defined in: packages/server-legacy/src/auth/router.ts:67
Functions
createOAuthMetadata()
createOAuthMetadata(options): object
Defined in: packages/server-legacy/src/auth/router.ts:83
Parameters
options
baseUrl?: URL
issuerUrl: URL
provider
scopesSupported?: string[]
serviceDocumentationUrl?: URL
Returns
object
authorization_endpoint
authorization_endpoint: string = SafeUrlSchema
authorization_response_iss_parameter_supported?
optional authorization_response_iss_parameter_supported?: boolean
client_id_metadata_document_supported?
optional client_id_metadata_document_supported?: boolean
code_challenge_methods_supported?
optional code_challenge_methods_supported?: string[]
grant_types_supported?
optional grant_types_supported?: string[]
introspection_endpoint?
optional introspection_endpoint?: string
introspection_endpoint_auth_methods_supported?
optional introspection_endpoint_auth_methods_supported?: string[]
introspection_endpoint_auth_signing_alg_values_supported?
optional introspection_endpoint_auth_signing_alg_values_supported?: string[]
issuer
issuer: string
registration_endpoint?
optional registration_endpoint?: string
response_modes_supported?
optional response_modes_supported?: string[]
response_types_supported
response_types_supported: string[]
revocation_endpoint?
optional revocation_endpoint?: string
revocation_endpoint_auth_methods_supported?
optional revocation_endpoint_auth_methods_supported?: string[]
revocation_endpoint_auth_signing_alg_values_supported?
optional revocation_endpoint_auth_signing_alg_values_supported?: string[]
scopes_supported?
optional scopes_supported?: string[]
service_documentation?
optional service_documentation?: string
token_endpoint
token_endpoint: string = SafeUrlSchema
token_endpoint_auth_methods_supported?
optional token_endpoint_auth_methods_supported?: string[]
token_endpoint_auth_signing_alg_values_supported?
optional token_endpoint_auth_signing_alg_values_supported?: string[]
getOAuthProtectedResourceMetadataUrl()
getOAuthProtectedResourceMetadataUrl(serverUrl): string
Defined in: packages/server-legacy/src/auth/router.ts:249
Helper function to construct the OAuth 2.0 Protected Resource Metadata URL from a given server URL. This replaces the path with the standard metadata endpoint.
Parameters
serverUrl
URL
The base URL of the protected resource server
Returns
string
The URL for the OAuth protected resource metadata endpoint
Example
getOAuthProtectedResourceMetadataUrl(new URL('https://api.example.com/mcp'))
// Returns: 'https://api.example.com/.well-known/oauth-protected-resource/mcp'
mcpAuthMetadataRouter()
mcpAuthMetadataRouter(options): Router
Defined in: packages/server-legacy/src/auth/router.ts:213
Parameters
options
Returns
Router
mcpAuthRouter()
mcpAuthRouter(options): RequestHandler
Defined in: packages/server-legacy/src/auth/router.ts:142
Installs standard MCP authorization server endpoints, including dynamic client registration and token revocation (if supported). Also advertises standard authorization server metadata, for easier discovery of supported configurations by clients.
Note: if your MCP server is only a resource server and not an authorization server, use mcpAuthMetadataRouter instead.
By default, rate limiting is applied to all endpoints to prevent abuse.
This router MUST be installed at the application root, like so:
const app = express();
app.use(mcpAuthRouter(...));
Parameters
options
Returns
RequestHandler
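A pre-flight check for the URL options documented on this page, as an added TypeScript sketch (not code from the SDK): it enforces the issuerUrl rule (https, no query or fragment), applies the resourceServerUrl fallback order, and derives the metadata URL in the shape shown in the getOAuthProtectedResourceMetadataUrl example. The names UrlOptions, assertValidIssuer, resolveResourceServerUrl, protectedResourceMetadataUrl and planAuthUrls are hypothetical, and the example.com hosts are constructed sample values.

```typescript
// Added example, not SDK code; every name below is hypothetical.
interface UrlOptions {
    issuerUrl: URL;
    baseUrl?: URL;
    resourceServerUrl?: URL;
}

// Enforce the documented issuer rule: "https" scheme, no query, no fragment.
function assertValidIssuer(issuer: URL): void {
    if (issuer.protocol !== 'https:') {
        throw new Error(`issuerUrl must use https: ${issuer.href}`);
    }
    // URL.search and URL.hash are '' for a bare trailing '?' or '#',
    // so inspect the serialized href to catch those as well.
    if (issuer.href.includes('?')) {
        throw new Error(`issuerUrl must not have a query: ${issuer.href}`);
    }
    if (issuer.href.includes('#')) {
        throw new Error(`issuerUrl must not have a fragment: ${issuer.href}`);
    }
}

// Documented fallback order: resourceServerUrl, then baseUrl, then issuerUrl (AS = RS).
function resolveResourceServerUrl(o: UrlOptions): URL {
    return o.resourceServerUrl ?? o.baseUrl ?? o.issuerUrl;
}

// Insert the well-known segment ahead of the resource path, matching the
// example on this page. A root path contributes nothing; this sketch drops any query.
function protectedResourceMetadataUrl(resource: URL): string {
    const path = resource.pathname === '/' ? '' : resource.pathname;
    return new URL(`/.well-known/oauth-protected-resource${path}`, resource.origin).href;
}

// Validate and resolve everything once, before the options reach the router.
function planAuthUrls(o: UrlOptions): { issuer: string; resource: string; metadataUrl: string } {
    assertValidIssuer(o.issuerUrl);
    const resource = resolveResourceServerUrl(o);
    return {
        issuer: o.issuerUrl.href,
        resource: resource.href,
        metadataUrl: protectedResourceMetadataUrl(resource),
    };
}

// Constructed sample input.
const samplePlan = planAuthUrls({
    issuerUrl: new URL('https://auth.example.com'),
    resourceServerUrl: new URL('https://api.example.com/mcp'),
});
```

Running the check at startup turns a misconfigured issuer or an unintended AS=RS fallback into an immediate error instead of a discovery failure seen only by clients.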