MCP TypeScript SDK (V2)
    Preparing search index...

    Class PrivateKeyJwtProvider

    OAuth provider for client_credentials grant with private_key_jwt authentication.

    This provider is designed for machine-to-machine authentication where the client authenticates using a signed JWT assertion (RFC 7523 Section 2.2).

    const provider = new PrivateKeyJwtProvider({
        clientId: 'my-client',
        privateKey: pemEncodedPrivateKey,
        algorithm: 'RS256'
    });

    const transport = new StreamableHTTPClientTransport(serverUrl, {
        authProvider: provider
    });

    Implements

    Index

    Constructors

    constructor

    Properties

    addClientAuthentication

    Accessors

    clientMetadata redirectUrl

    Methods

    clientInformation codeVerifier prepareTokenRequest redirectToAuthorization saveClientInformation saveCodeVerifier saveTokens tokens

    Constructors

    Properties

    addClientAuthentication: AddClientAuthentication

    Adds custom client authentication to OAuth token requests.

    This optional method allows implementations to customize how client credentials are included in token exchange and refresh requests. When provided, this method is called instead of the default authentication logic, giving full control over the authentication mechanism.

    Common use cases include:

    • Supporting authentication methods beyond the standard OAuth 2.0 methods
    • Adding custom headers for proprietary authentication schemes
    • Implementing client assertion-based authentication (e.g., JWT bearer tokens)

    The request headers (can be modified to add authentication)

    The request body parameters (can be modified to add credentials)

    The token endpoint URL being called

    Optional OAuth metadata for the server, which may include supported authentication methods

    Accessors

    • get clientMetadata(): {
          client_name?: string;
          client_uri?: string;
          contacts?: string[];
          grant_types?: string[];
          jwks?: any;
          jwks_uri?: string;
          logo_uri?: string;
          policy_uri?: string;
          redirect_uris: string[];
          response_types?: string[];
          scope?: string;
          software_id?: string;
          software_statement?: string;
          software_version?: string;
          token_endpoint_auth_method?: string;
          tos_uri?: string;
      }

      Metadata about this OAuth client.

      Returns {
          client_name?: string;
          client_uri?: string;
          contacts?: string[];
          grant_types?: string[];
          jwks?: any;
          jwks_uri?: string;
          logo_uri?: string;
          policy_uri?: string;
          redirect_uris: string[];
          response_types?: string[];
          scope?: string;
          software_id?: string;
          software_statement?: string;
          software_version?: string;
          token_endpoint_auth_method?: string;
          tos_uri?: string;
      }

    • get redirectUrl(): undefined

      The URL to redirect the user agent to after authorization. Return undefined for non-interactive flows that don't require user interaction (e.g., client_credentials, jwt-bearer).

      Returns undefined

    Methods

    • Loads information about this OAuth client, as registered already with the server, or returns undefined if the client is not registered with the server.

      Returns {
          client_id: string;
          client_id_issued_at?: number;
          client_secret?: string;
          client_secret_expires_at?: number;
      }

    • Prepares grant-specific parameters for a token request.

      This optional method allows providers to customize the token request based on the grant type they support. When implemented, it returns the grant type and any grant-specific parameters needed for the token exchange.

      If not implemented, the default behavior depends on the flow:

      • For authorization code flow: uses code, code_verifier, and redirect_uri
      • For client_credentials: detected via grant_types in clientMetadata

      Parameters

      • Optionalscope: string

        Optional scope to request

      Returns URLSearchParams

      Grant type and parameters, or undefined to use default behavior

      // For client_credentials grant:
      prepareTokenRequest(scope) {
        return {
          grantType: 'client_credentials',
          params: scope ? { scope } : {}
        };
      }

      // For authorization_code grant (default behavior):
      async prepareTokenRequest() {
        return {
          grantType: 'authorization_code',
          params: {
            code: this.authorizationCode,
            code_verifier: await this.codeVerifier(),
            redirect_uri: String(this.redirectUrl)
          }
        };
      }

    • If implemented, this permits the OAuth client to dynamically register with the server. Client information saved this way should later be read via clientInformation().

      This method is not required to be implemented if client information is statically known (e.g., pre-registered).

      Parameters

      • info: {
            client_id: string;
            client_id_issued_at?: number;
            client_secret?: string;
            client_secret_expires_at?: number;
        }

      Returns void

    • Stores new OAuth tokens for the current session, after a successful authorization.

      Parameters

      • tokens: {
            access_token: string;
            expires_in?: number;
            id_token?: string;
            refresh_token?: string;
            scope?: string;
            token_type: string;
        }

      Returns void

    • Loads any existing OAuth tokens for the current session, or returns undefined if there are no saved tokens.

      Returns
          | {
              access_token: string;
              expires_in?: number;
              id_token?: string;
              refresh_token?: string;
              scope?: string;
              token_type: string;
          }
          | undefined

    Settings

    Member Visibility

    On This Page

    Constructors
    Properties
    Accessors
    Methods