mcpaccess-auth0-express

Secure your Model Context Protocol (MCP) server in minutes — Auth0-powered Express middleware with JWT validation and role-based access control for tools, resources, and prompts.

Overview

mcpaccess-auth0-express provides a straightforward way to integrate Auth0 authentication into an Express-based MCP server. It is designed for developers who need to protect MCP endpoints (tools, resources, and prompts) without adding unnecessary complexity.

This package handles:

• JWT verification using Auth0’s public keys.

• Role-based access control (RBAC) for fine-grained permissions.

• Express middleware integration with minimal configuration.

• MCP-specific endpoint protection for tools, resources, and prompts.

When to Use

Use this package if:

You’re building an MCP server in Node.js with Express.

You want to authenticate and authorize users via Auth0.

You need to restrict access to specific MCP actions based on roles or claims.

You prefer a plug-and-play middleware over custom auth code.

Features

Plug-in Express middleware for MCP endpoint protection.

Supports Auth0 RS256 token validation.

Role and scope checks for different MCP actions.

Works alongside other Express middleware.

Minimal boilerplate — focus on your MCP server logic, not on token handling.

Install mcp-auth0-express

Install the MCP Access package for auth0 and express

npm i @hivetrail/mcpaccess-auth0-express

Configure mcp-auth0-express

mcp-auth0-express words as an express middleware that validates JWT tokens and applies access restrictions and filtering based on user permissions.

To create the middleware, we use the createMcpAccessMiddleware function, passing an object with the required configuration. The object includes the following properties:

• serverId: (Required) A string that defines the current server id. The server id is used to identify the correct permissions in a multi-MCP server environment (Read more in the Custom permission builder section)
• mcpPath: (Required) A string representing the root path for Model Context Protocol requests, which is often “/mcp”. The MCP path is used to distinguish between MCP requests and other network requests.
• jwtOptions: (Required) An object containing the JWT validation configuration. It supports all properties from the AuthOptions object type in express-oauth2-jwt-bearer, and requires at least two properties:
  • issuerBaseURL
  • audience
• useOutboundFilter: (Optional) A boolean value for activating and disabling the outbound filtering mechanism where tools,resources and prompts are filtered out of list requests if the user does not have the appropriate permissions. The default is True.
• loggerOptions: (Optional) An object containing optional logging calls. See the Logger object for logging section for more information.
• auth0ManagementOptions: (Optional) An object containing optional Auth0 client configuration that will be used to validate the user, client, and permissions in real-time directly with the Auth0 API instead of relying on the JWT token for the user information. See the Auth0 management object for client, user and permission verification section for more information.
• permissionSeparator: (Optional) A custom separator string used to create the permission name string, the default is a colon “:”. See the Custom permission builder section for more information.
• permissionBuilderFn: (Optional) A custom function for creating permission names. The default function will use the following permission syntax: serverId:item1:item2… (for example: myMcpServer:tools:list or myMcpServer:resources:read:schemaType://res1). See the Custom permission builder section for more information.

An example of

... View full README on GitHub