
Server Authentication

Add enterprise-grade OAuth 2.0/2.1 authentication to your MCP server with built-in support for popular identity providers. Secure your tools with bearer token authentication, implement role-based access control (RBAC), and access authenticated user information in your tool callbacks.

Quick Start

Basic OAuth Server

import { MCPServer, oauthAuth0Provider } from 'mcp-use/server'

const server = new MCPServer({
  name: 'my-secure-server',
  version: '1.0.0',
  oauth: oauthAuth0Provider({
    domain: 'your-tenant.auth0.com',
    audience: 'https://your-api.example.com',
  })
})

// Tools now have access to authenticated user context
server.tool({
  name: 'get-user-profile',
  description: 'Get the authenticated user profile',
  cb: async (params, context) => {
    // Access authenticated user info
    const user = context.auth
    return {
      userId: user.userId,
      email: user.email,
      name: user.name,
      roles: user.roles
    }
  }
})

await server.listen(3000)

OAuth Providers

mcp-use includes built-in support for major identity providers. Each provider is documented in detail:
  • Auth0 - Full OAuth 2.1 with PKCE and JWKS verification
  • WorkOS - Enterprise SSO with direct mode OAuth
  • Supabase - Authentication for Supabase projects
  • Keycloak - Enterprise SSO with realm roles
  • Custom Provider - Use any OAuth provider

OAuth Modes

Choose between proxy mode and direct mode based on your requirements:
  • Proxy Mode (Default) - Server proxies OAuth requests
  • Direct Mode - Clients authenticate directly with provider

OAuth Endpoints

When OAuth is configured, your server automatically exposes these endpoints:

Authorization Endpoint

GET /authorize

Initiates the OAuth authorization flow.

Query Parameters:
  • response_type=code - Response type
  • client_id - OAuth client ID
  • redirect_uri - Callback URL
  • scope - Requested scopes
  • state - CSRF protection token
  • code_challenge - PKCE challenge
  • code_challenge_method=S256 - PKCE method

Token Endpoint

POST /token

Exchanges the authorization code for an access token.

Body Parameters:
  • grant_type=authorization_code - Grant type
  • code - Authorization code
  • redirect_uri - Callback URL
  • client_id - OAuth client ID
  • code_verifier - PKCE verifier

Response:

{
  "access_token": "eyJhbGci...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "openid profile email"
}

Discovery Endpoints

GET /.well-known/oauth-authorization-server
GET /.well-known/openid-configuration
Returns OAuth/OIDC discovery metadata for automatic client configuration.

Bearer Token Authentication

All /mcp/* endpoints require a valid bearer token when OAuth is configured:
Authorization: Bearer eyJhbGci...
