Command Palette

Search for a command to run...

UnylyUnyly
Browse all

Mcpauth

FreeNot checked

Drop-in OAuth 2.1 + Dynamic Client Registration for MCP servers, providing authentication middleware and token verification.

GitHubEmbed

About

Drop-in OAuth 2.1 + Dynamic Client Registration for MCP servers, providing authentication middleware and token verification.

README

npm version npm downloads license

Drop-in OAuth 2.1 + Dynamic Client Registration (RFC 7591) for MCP servers, backed by mcpauth.

Wraps the official @modelcontextprotocol/sdk's requireBearerAuth middleware so unauthenticated or invalid requests get rejected with a spec-correct 401 before they ever reach your MCP server's handlers.

Install

npm install getmcpauth

Usage

import express from "express";
import { mcpAuth } from "getmcpauth";

const app = express();

app.use(
  "/mcp",
  mcpAuth({ registrationSecret: process.env.MCPAUTH_SECRET })
);

// Unauthenticated or invalid requests never reach this handler.
app.post("/mcp", handleMcpRequest);

Get a registrationSecret by creating a project at getmcpauth.dev/dashboard — it's your MCP server's credential for both Dynamic Client Registration and token verification.

MCP clients (Claude, ChatGPT, custom agent frameworks) then discover your auth setup automatically via /.well-known/oauth-authorization-server — no manual client configuration needed.

Next.js (or any Fetch-API framework)

// app/api/mcp/route.ts
import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
import { createMcpAuthHandler } from "getmcpauth";

const handler = createMcpAuthHandler({
  registrationSecret: process.env.MCPAUTH_SECRET!,
  buildServer: () => {
    const server = new McpServer({ name: "my-server", version: "1.0.0" });
    server.registerTool(/* ... */);
    return server;
  },
});

export { handler as GET, handler as POST, handler as DELETE };

API

  • mcpAuth(options) — Express middleware. Successful token verifications are cached in-process (default 30s) so a chatty agent conversation doesn't trigger a network round trip on every tool call.
  • createMcpAuthHandler(options) — the Next.js/Fetch-API equivalent above, returning a (request: Request) => Promise<Response> handler. Same caching behavior as mcpAuth().
  • McpAuthTokenVerifier — implements the official SDK's OAuthTokenVerifier interface directly, for lower-level use.
  • mintToken(options) — for MCP servers embedded in a product that already has its own users: your backend, which already knows who its logged-in user is, mints a token server-to-server without routing that user through mcpauth's own login.
  • protectedResourceMetadata(options) / mcpAuthResourceMetadataHandler(options) — RFC 9728 resource-metadata helpers.

Full docs: getmcpauth.dev/docs

License

MIT

from github.com/yilmazali325/getmcpauth

Installing Mcpauth

This server has no published package — it is built from source. Open the repository and follow its README.

▸ github.com/yilmazali325/getmcpauth

FAQ

Is Mcpauth MCP free?

Yes, Mcpauth MCP is free — one-click install via Unyly at no cost.

Does Mcpauth need an API key?

No, Mcpauth runs without API keys or environment variables.

Is Mcpauth hosted or self-hosted?

A hosted option is available: Unyly runs the server in the cloud, no local setup required.

How do I install Mcpauth in Claude Desktop, Claude Code or Cursor?

Open Mcpauth on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.

Related MCPs

Compare Mcpauth with

Not sure what to pick?

Find your stack in 60 seconds

Author?

Embed badge for your README

Browse similar

All development MCPs