A TypeScript library providing OAuth2 authentication utilities for Model Context Protocol (MCP) clients. This library simplifies the process of adding OAuth authentication to MCP client implementations.
Config is the same across clients — only the file and path differ.
{
  "mcpServers": {
    "mcp-client-auth": {
      "args": [
        "-y",
        "mcp-client-auth"
      ],
      "command": "npx"
    }
  }
}
No known CVEs.
Checked mcp-client-auth against OSV.dev.
MCP OAuth is extra tricky because the dynamic client registration and metadata discovery steps are not supported by typical OAuth implementations. This library reduces the whole flow to 2 function calls.
If you like this project, please consider starring it and giving me a follow on X/Twitter. This project is sponsored by Aomni.
Key capabilities:
npm install mcp-client-auth
Init the client
import { McpClient } from 'mcp-client-auth';
const client = new McpClient({
  url: 'https://mcp.example.com',
  oauthRedirectUri: 'localhost:3000/mcp/oauth/callback',
  // store: -- add your own database store here --
});
Only 2 methods are needed to connect to an MCP server (and handle OAuth if needed).
The isAuthRequired() method returns an AuthStatus object that indicates the authentication state. This status can be one of three types:
{ isRequired: true, isAuthenticated: false, authorizationRequest: AuthorizationRequest } - Authentication is required and not yet completed. The authorizationRequest contains the URL and state needed to start the OAuth flow.
{ isRequired: false, isAuthenticated: true } - No authentication is needed for this server.
{ isRequired: true, isAuthenticated: true } - Authentication is required and has already been completed successfully.
This status object helps you determine whether to redirect the user to the OAuth authorization page or proceed with using the client directly.
// Check if authentication is required
const authStatus = await client.isAuthRequired();
if (authStatus.isRequired && !authStatus.isAuthenticated) {
  console.log('Please visit:', authStatus.authorizationRequest.url);
  // ... REDIRECT USER ...
}
Note that you should save the AuthorizationRequest object for the next step.
The handleAuthByCode method is used to complete the OAuth flow by exchanging the authorization code for access tokens. It takes two parameters:
code: The authorization code received from the OAuth server after user authorization
authRequest: The original authorization request object containing the state and code verifier needed for PKCE
This method should be called in your server callback route, as defined by the oauthRedirectUri.
// `code` is the authorization code delivered to the callback route
async function callback(code: string) {
  // After the user authorizes, exchange the code for a token
  // Realistically - this would be in a different callback route
  const token = await client.handleAuthByCode(
    code,
    authStatus.authorizationRequest,
  );
}
If a store is provided (ideally connected to a database), the returned token is saved automatically via the store, so the next call to isAuthRequired returns isAuthenticated of true and no redirect is needed.
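One way to handle the step of saving the AuthorizationRequest between the redirect and the callback, as an added example that is not part of mcp-client-auth: an in-memory, single-use holder keyed by the OAuth state and bound to the user's session. It assumes the state appears as a query parameter of authorizationRequest.url; PendingAuthStore, sessionId and the sample's codeVerifier field are hypothetical names, and this holder is separate from the library's token store option.

```typescript
// Added example, not part of mcp-client-auth. Assumption: the OAuth `state`
// value is carried in the query string of authorizationRequest.url.
type PendingRequest = { url: string };
type Entry<T> = { request: T; sessionId: string; expiresAt: number };

class PendingAuthStore<T extends PendingRequest> {
  private pending = new Map<string, Entry<T>>();
  private ttlMs: number;
  private now: () => number;
  constructor(ttlMs = 10 * 60 * 1000, now: () => number = Date.now) {
    this.ttlMs = ttlMs; // abandoned flows expire after this long
    this.now = now;     // injectable clock so expiry can be tested
  }

  // Call before redirecting the user; returns the state used as lookup key.
  save(sessionId: string, request: T): string {
    const state = new URL(request.url).searchParams.get('state');
    if (!state) throw new Error('authorization URL has no state parameter');
    const expiresAt = this.now() + this.ttlMs;
    this.pending.set(state, { request, sessionId, expiresAt });
    return state;
  }

  // Call in the callback route with the `state` query parameter that came
  // back. Returns undefined for unknown, expired, replayed or cross-session
  // callbacks; the caller must then reject the request.
  take(sessionId: string, state: string | null | undefined): T | undefined {
    if (!state) return undefined;
    const entry = this.pending.get(state);
    if (!entry) return undefined;
    if (entry.expiresAt <= this.now()) {
      this.pending.delete(state);
      return undefined;
    }
    if (entry.sessionId !== sessionId) return undefined;
    this.pending.delete(state); // single use
    return entry.request;
  }
}

// Constructed sample; a real request comes from client.isAuthRequired().
const sample = {
  url: 'https://auth.example.com/authorize?client_id=abc&state=s3cr3t-state',
  codeVerifier: 'constructed-verifier', // hypothetical field name
};
// In the callback route (sketch):
//   const authRequest = store.take(sessionId, query.state);
//   if (!authRequest) return reject(400);
//   const token = await client.handleAuthByCode(query.code, authRequest);
```

The Map lives in one process only; a deployment with several instances would keep the same entries in a shared database or cache.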
// Use the client - auth is handled automatically
const tools = await client.listTools();
const result = await client.callTool('search', { query: 'example' });