Skip to main content

Overview

MCP servers can require authentication to protect resources and control access. mcp-use handles authentication automatically based on your configuration.

Choose Your Method

Bearer Token

Simplest optionUse a static API key or token. Best for services that issue long-lived credentials.
"auth": "sk-your-api-key"

OAuth 2.1

MCP standardFull OAuth flow with automatic discovery, PKCE, and token refresh. Required by many MCP servers.
"auth": { "scope": "read write" }

Custom Auth

Full controlUse any httpx.Auth object for Basic, Digest, or custom authentication schemes.
"auth": BasicAuth("user", "pass")

Quick Start Examples

For servers with OAuth support, just provide the URL:
from mcp_use import MCPClient

config = {
    "mcpServers": {
        "linear": {
            "url": "https://mcp.linear.app/sse"
            # OAuth discovery + DCR happens automatically
        }
    }
}

client = MCPClient(config=config)
mcp-use will:
  1. Discover the authorization server
  2. Register a client (or use CIMD/pre-registered credentials)
  3. Open your browser for authorization
  4. Store and refresh tokens automatically

Token Storage

Authentication tokens are stored securely on disk: 
~/.mcp_use/tokens/
├── {server}.json                    # Access tokens
└── registrations/
    └── {server}_registration.json   # OAuth client credentials
Add ~/.mcp_use/ to your .gitignore to avoid committing credentials.

Debugging

Enable verbose logging to troubleshoot authentication: 
from mcp_use import set_debug

set_debug(2)  # Shows full OAuth flow, discovery, and token exchange

Security Best Practices

  • Environment variables - Never hardcode credentials in source code
  • Token rotation - Rotate long-lived tokens regularly
  • Minimal scopes - Request only the permissions you need
  • HTTPS only - All OAuth endpoints use HTTPS (except localhost callbacks)