MCP TypeScript SDK (V2)
    Preparing search index...

    Class CrossAppAccessProvider

    OAuth provider for Cross-App Access (Enterprise Managed Authorization) using JWT Authorization Grant.

    This provider implements the Enterprise Managed Authorization flow (SEP-990) where:

    1. User authenticates with an enterprise IdP and the client obtains an ID Token
    2. Client exchanges the ID Token for a JWT Authorization Grant (ID-JAG) via RFC 8693 token exchange
    3. Client uses the JAG to obtain an access token from the MCP server via RFC 7523 JWT bearer grant

    The provider handles steps 2-3 automatically, with the JAG acquisition delegated to a callback function that you provide. This allows flexibility in how you obtain and cache ID Tokens from the IdP.

    https://github.com/modelcontextprotocol/ext-auth/blob/main/specification/draft/enterprise-managed-authorization.mdx

    const provider = new CrossAppAccessProvider({
        assertion: async (ctx) => {
            const result = await discoverAndRequestJwtAuthGrant({
                idpUrl: 'https://idp.example.com',
                audience: ctx.authorizationServerUrl,
                resource: ctx.resourceUrl,
                idToken: await getIdToken(), // Your function to get ID token
                clientId: 'my-idp-client',
                clientSecret: 'my-idp-secret',
                scope: ctx.scope,
                fetchFn: ctx.fetchFn
            });
            return result.jwtAuthGrant;
        },
        clientId: 'my-mcp-client',
        clientSecret: 'my-mcp-secret'
    });

    const transport = new StreamableHTTPClientTransport(serverUrl, {
        authProvider: provider
    });

    Implements

    Index

    Constructors

    constructor

    Accessors

    clientMetadata redirectUrl

    Methods

    authorizationServerUrl? clientInformation codeVerifier prepareTokenRequest redirectToAuthorization resourceUrl? saveAuthorizationServerUrl? saveClientInformation saveCodeVerifier saveResourceUrl? saveTokens tokens

    Constructors

    Accessors

    • get clientMetadata(): {
          client_name?: string;
          client_uri?: string;
          contacts?: string[];
          grant_types?: string[];
          jwks?: any;
          jwks_uri?: string;
          logo_uri?: string;
          policy_uri?: string;
          redirect_uris: string[];
          response_types?: string[];
          scope?: string;
          software_id?: string;
          software_statement?: string;
          software_version?: string;
          token_endpoint_auth_method?: string;
          tos_uri?: string;
      }

      Metadata about this OAuth client.

      Returns {
          client_name?: string;
          client_uri?: string;
          contacts?: string[];
          grant_types?: string[];
          jwks?: any;
          jwks_uri?: string;
          logo_uri?: string;
          policy_uri?: string;
          redirect_uris: string[];
          response_types?: string[];
          scope?: string;
          software_id?: string;
          software_statement?: string;
          software_version?: string;
          token_endpoint_auth_method?: string;
          tos_uri?: string;
      }

    • get redirectUrl(): undefined

      The URL to redirect the user agent to after authorization. Return undefined for non-interactive flows that don't require user interaction (e.g., client_credentials, jwt-bearer).

      Returns undefined

    Methods

    • Loads information about this OAuth client, as registered already with the server, or returns undefined if the client is not registered with the server.

      Returns {
          client_id: string;
          client_id_issued_at?: number;
          client_secret?: string;
          client_secret_expires_at?: number;
      }

    • Prepares grant-specific parameters for a token request.

      This optional method allows providers to customize the token request based on the grant type they support. When implemented, it returns the grant type and any grant-specific parameters needed for the token exchange.

      If not implemented, the default behavior depends on the flow:

      • For authorization code flow: uses code, code_verifier, and redirect_uri
      • For client_credentials: detected via grant_types in clientMetadata

      Parameters

      • Optionalscope: string

        Optional scope to request

      Returns Promise<URLSearchParams>

      Grant type and parameters, or undefined to use default behavior

      // For client_credentials grant:
      prepareTokenRequest(scope) {
        return {
          grantType: 'client_credentials',
          params: scope ? { scope } : {}
        };
      }

      // For authorization_code grant (default behavior):
      async prepareTokenRequest() {
        return {
          grantType: 'authorization_code',
          params: {
            code: this.authorizationCode,
            code_verifier: await this.codeVerifier(),
            redirect_uri: String(this.redirectUrl)
          }
        };
      }

    • If implemented, this permits the OAuth client to dynamically register with the server. Client information saved this way should later be read via clientInformation().

      This method is not required to be implemented if client information is statically known (e.g., pre-registered).

      Parameters

      • info: {
            client_id: string;
            client_id_issued_at?: number;
            client_secret?: string;
            client_secret_expires_at?: number;
        }

      Returns void

    • Stores new OAuth tokens for the current session, after a successful authorization.

      Parameters

      • tokens: {
            access_token: string;
            expires_in?: number;
            id_token?: string;
            refresh_token?: string;
            scope?: string;
            token_type: string;
        }

      Returns void

    • Loads any existing OAuth tokens for the current session, or returns undefined if there are no saved tokens.

      Returns
          | {
              access_token: string;
              expires_in?: number;
              id_token?: string;
              refresh_token?: string;
              scope?: string;
              token_type: string;
          }
          | undefined

    Settings

    Member Visibility

    On This Page

    Constructors
    Accessors
    Methods