Mcpauth
FreeNot checkedDrop-in OAuth 2.1 + Dynamic Client Registration for MCP servers, providing authentication middleware and token verification.
About
Drop-in OAuth 2.1 + Dynamic Client Registration for MCP servers, providing authentication middleware and token verification.
README
npm version npm downloads license
Drop-in OAuth 2.1 + Dynamic Client Registration (RFC 7591) for MCP servers, backed by mcpauth.
Wraps the official @modelcontextprotocol/sdk's requireBearerAuth middleware so unauthenticated or invalid requests get rejected with a spec-correct 401 before they ever reach your MCP server's handlers.
Install
npm install getmcpauth
Usage
import express from "express";
import { mcpAuth } from "getmcpauth";
const app = express();
app.use(
"/mcp",
mcpAuth({ registrationSecret: process.env.MCPAUTH_SECRET })
);
// Unauthenticated or invalid requests never reach this handler.
app.post("/mcp", handleMcpRequest);
Get a registrationSecret by creating a project at getmcpauth.dev/dashboard — it's your MCP server's credential for both Dynamic Client Registration and token verification.
MCP clients (Claude, ChatGPT, custom agent frameworks) then discover your auth setup automatically via /.well-known/oauth-authorization-server — no manual client configuration needed.
Next.js (or any Fetch-API framework)
// app/api/mcp/route.ts
import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
import { createMcpAuthHandler } from "getmcpauth";
const handler = createMcpAuthHandler({
registrationSecret: process.env.MCPAUTH_SECRET!,
buildServer: () => {
const server = new McpServer({ name: "my-server", version: "1.0.0" });
server.registerTool(/* ... */);
return server;
},
});
export { handler as GET, handler as POST, handler as DELETE };
API
mcpAuth(options)— Express middleware. Successful token verifications are cached in-process (default 30s) so a chatty agent conversation doesn't trigger a network round trip on every tool call.createMcpAuthHandler(options)— the Next.js/Fetch-API equivalent above, returning a(request: Request) => Promise<Response>handler. Same caching behavior asmcpAuth().McpAuthTokenVerifier— implements the official SDK'sOAuthTokenVerifierinterface directly, for lower-level use.mintToken(options)— for MCP servers embedded in a product that already has its own users: your backend, which already knows who its logged-in user is, mints a token server-to-server without routing that user through mcpauth's own login.protectedResourceMetadata(options)/mcpAuthResourceMetadataHandler(options)— RFC 9728 resource-metadata helpers.
Full docs: getmcpauth.dev/docs
License
MIT
Installing Mcpauth
This server has no published package — it is built from source. Open the repository and follow its README.
▸ github.com/yilmazali325/getmcpauthFAQ
Is Mcpauth MCP free?
Yes, Mcpauth MCP is free — one-click install via Unyly at no cost.
Does Mcpauth need an API key?
No, Mcpauth runs without API keys or environment variables.
Is Mcpauth hosted or self-hosted?
A hosted option is available: Unyly runs the server in the cloud, no local setup required.
How do I install Mcpauth in Claude Desktop, Claude Code or Cursor?
Open Mcpauth on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.
Related MCPs
GitHub
PRs, issues, code search, CI status
by GitHubFilesystem
Secure file operations with configurable access controls.
Memory
Knowledge graph-based persistent memory system.
Template MCP Server
A CLI tool to create a new Model Context Protocol server project with TypeScript support, dual transport options, and an extensible structure
by mcpdotdirectCompare Mcpauth with
Not sure what to pick?
Find your stack in 60 seconds
Author?
Embed badge for your README
Browse similar
All development MCPs
