customProvider builds a complete OAuthConfig from an identity provider’s OAuth discovery document: it reads the provider’s metadata at boot and verifies access tokens against its JWKS. Reach for it when no branded provider fits, for any IdP that publishes discovery metadata and signs JWT access tokens.
Example
server.ts
customProvider fetches https://auth.myshop.com’s discovery document at boot, then the oauth option mounts the well-known metadata and JWKS bearer verification on /mcp. audience is the value the IdP binds into the token’s aud claim, here this server’s public URL.
Signature
Parameters
opts
| Field | Description |
|---|---|
| issuer | The only required option: the IdP base URL whose discovery document is fetched at boot. It must serve a jwks_uri, or the call throws. |
| audience | Checked against each token’s aud claim. Omit it only for an IdP that binds no audience (Clerk): the aud check is then skipped. |
| baseUrl | This server’s public URL. Set it and the resource URLs are baked once at boot; omit it and they resolve per request from the x-forwarded-host / x-forwarded-proto / host headers. |
| serverUrl | Advertises this server as the authorization server: the served AS metadata issuer and the PRM authorization_servers use this URL instead of the IdP’s, while verification still trusts the IdP’s real iss. Needed when this server must sit in the auth path, as auth0Provider does, or behind the Alpic DCR proxy. |
| scopes | Scopes advertised in the served metadata; defaults to the IdP’s. |
| requiredScopes | Server-wide scope floor enforced before any handler, layered under each tool’s securitySchemes; a token missing one gets a 403. |
| metadataOverrides | Adjusts advertised metadata only. |
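
To make the audience and requiredScopes rows concrete, here is an added sketch (not the library's code; checkClaims, the sample audience URLs and the scope name are hypothetical) of the claim checks that run once the signature has been verified against the JWKS. It assumes a space-delimited scope claim, an exp check, and a 401 for non-scope failures, none of which this page specifies.

```typescript
// Added sketch, not the library's code. All names here are hypothetical.
// Assumes the JWT signature was already verified against the IdP's JWKS.
type Claims = { iss?: string; aud?: string | string[]; exp?: number; scope?: string };
type VerifyOpts = { issuer: string; audience?: string; requiredScopes?: string[] };
type Decision = { status: 200 | 401 | 403; reason: string };

function checkClaims(claims: Claims, opts: VerifyOpts, nowSec: number): Decision {
  // Trust is anchored on the IdP's real issuer, whatever URL the metadata advertises.
  if (claims.iss !== opts.issuer) return { status: 401, reason: "iss mismatch" };
  // Expiry check is standard JWT validation (assumed; the page does not list it).
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) {
    return { status: 401, reason: "expired" };
  }
  // audience omitted => the aud check is skipped, as the table states.
  if (opts.audience !== undefined) {
    const aud = typeof claims.aud === "string" ? [claims.aud] : claims.aud ?? [];
    if (aud.indexOf(opts.audience) === -1) return { status: 401, reason: "aud mismatch" };
  }
  // Scope floor: every required scope must be present (space-delimited claim assumed).
  const granted = (claims.scope ?? "").split(" ").filter((s) => s.length > 0);
  const missing = (opts.requiredScopes ?? []).filter((s) => granted.indexOf(s) === -1);
  if (missing.length > 0) return { status: 403, reason: "missing scope: " + missing.join(" ") };
  return { status: 200, reason: "ok" };
}

// Constructed sample values; only the issuer URL appears on the page.
const NOW = 1700000000;
const strict: VerifyOpts = {
  issuer: "https://auth.myshop.com",
  audience: "https://mcp.myshop.example",
  requiredScopes: ["orders:read"],
};
const noAudience: VerifyOpts = { issuer: strict.issuer, requiredScopes: ["orders:read"] };
const good: Claims = {
  iss: "https://auth.myshop.com",
  aud: ["https://mcp.myshop.example"],
  exp: NOW + 300,
  scope: "openid orders:read",
};
// Same IdP and scopes, but minted for a different resource server.
const otherResource: Claims = { ...good, aud: "https://billing.myshop.example" };
function demo(): number[] {
  return [
    checkClaims(good, strict, NOW).status,                         // accepted
    checkClaims(otherResource, strict, NOW).status,                // wrong aud
    checkClaims(otherResource, noAudience, NOW).status,            // aud check skipped
    checkClaims({ ...good, scope: "openid" }, strict, NOW).status, // below scope floor
  ];
}
```

The third case shows what omitting audience costs: a token the same IdP issued for a different resource passes, which is why the option is reserved for IdPs that bind no audience.
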
Returns
A Promise (discovery is a boot-time network call) for the OAuthConfig you pass to the oauth constructor option.
| Field | Description |
|---|---|
| baseUrl | Echoes the baseUrl option. |
| oauthMetadata | AS metadata served at /.well-known/oauth-authorization-server. |
| verify | JWKS token-verification config. |
| scopesSupported | Scopes advertised in protected-resource metadata. |
| requiredScopes | Server-wide required-scope floor. |
customProvider can’t discover: supply verify.issuer and verify.jwksUri yourself and the oauth option mounts the same endpoints.