When a client reaches your server without a token, it is turned away with a 401 and needs to know where the user signs in. mcpAuthMetadataRouter advertises that by publishing OAuth protected-resource metadata, so clients can discover your authorization server on their own instead of being configured with it by hand.

Example

The server publishes where to authorize, so a client hitting a 401 can find the authorization server on its own.
server.ts
import { McpServer, mcpAuthMetadataRouter } from "skybridge/server";

const server = new McpServer({ name: "shop", version: "1.0" }).use(
  mcpAuthMetadataRouter({
    // RFC 8414 metadata of the authorization server that issues tokens for this MCP server
    oauthMetadata: {
      issuer: "https://auth.example.com",
      authorization_endpoint: "https://auth.example.com/authorize",
      token_endpoint: "https://auth.example.com/token",
      response_types_supported: ["code"],
    },
    // the URL clients use to reach this server; published as the protected resource
    resourceServerUrl: new URL("https://api.example.com/mcp"),
    // scopes a client may ask for when requesting a token for this server
    scopesSupported: ["shop.read"],
  }),
);
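The discovery chain the page describes, as an added example that is not skybridge's own code: the server-side function models the RFC 9728 protected-resource document the router publishes (the page names the path but not the JSON; the field names here are RFC 9728's, an assumption), and the client-side function walks from a 401 to the authorization server's RFC 8414 metadata, checking each hop. The helper names, the `fetchJson` callback and the fixture documents are constructed for this example; they mirror the configuration in the example above so it runs offline.

```typescript
// Added example, not part of skybridge. Network access is replaced by a caller-supplied
// lookup (fetchJson) over constructed in-memory documents.

type OAuthMetadata = {
  issuer: string;
  authorization_endpoint: string;
  token_endpoint: string;
  response_types_supported: string[];
};

type AuthMetadataOptions = {
  oauthMetadata: OAuthMetadata;
  resourceServerUrl: URL;
  scopesSupported?: string[];
  serviceDocumentationUrl?: URL;
  resourceName?: string;
};

// Assumed shape of the published document (RFC 9728 field names).
type ProtectedResourceMetadata = {
  resource: string;
  authorization_servers: string[];
  scopes_supported?: string[];
  resource_name?: string;
  resource_documentation?: string;
  bearer_methods_supported: string[];
};

type DiscoveryResult = {
  issuer: string;
  authorizationEndpoint: string;
  tokenEndpoint: string;
  // Send this as the RFC 8707 `resource` parameter so the issued token is bound to this server.
  resource: string;
};

// Server side: the document a client expects at /.well-known/oauth-protected-resource.
function buildProtectedResourceMetadata(opts: AuthMetadataOptions): ProtectedResourceMetadata {
  const doc: ProtectedResourceMetadata = {
    resource: opts.resourceServerUrl.href,
    authorization_servers: [opts.oauthMetadata.issuer],
    bearer_methods_supported: ["header"],
  };
  if (opts.scopesSupported) doc.scopes_supported = opts.scopesSupported;
  if (opts.resourceName) doc.resource_name = opts.resourceName;
  if (opts.serviceDocumentationUrl) doc.resource_documentation = opts.serviceDocumentationUrl.href;
  return doc;
}

// Client side: pull the resource_metadata URL out of a 401's WWW-Authenticate header.
function parseResourceMetadataUrl(wwwAuthenticate: string): string | null {
  const m = /^Bearer\b.*\bresource_metadata="([^"]+)"/i.exec(wwwAuthenticate);
  return m ? m[1] : null;
}

function requireHttps(url: string, what: string): URL {
  const u = new URL(url);
  if (u.protocol !== "https:") throw new Error(`${what} must be https: ${url}`);
  return u;
}

// Client side: follow the chain 401 -> protected-resource metadata -> authorization server metadata.
function discoverAuthorizationServer(
  mcpServerUrl: string,
  wwwAuthenticate: string,
  fetchJson: (url: string) => unknown,
): DiscoveryResult {
  const prmUrl = parseResourceMetadataUrl(wwwAuthenticate);
  if (!prmUrl) throw new Error("401 did not point at protected-resource metadata");
  requireHttps(prmUrl, "resource_metadata");
  const prm = fetchJson(prmUrl) as ProtectedResourceMetadata;
  // The document must describe the server we are actually talking to; otherwise whoever
  // controls the 401 could steer us to a resource document (and an authorization server) of their choosing.
  if (prm.resource !== new URL(mcpServerUrl).href) {
    throw new Error(`resource mismatch: ${prm.resource} vs ${mcpServerUrl}`);
  }
  if (!prm.authorization_servers?.length) throw new Error("no authorization_servers listed");
  const issuer = requireHttps(prm.authorization_servers[0], "authorization server");
  // RFC 8414 well-known location for an issuer without a path component.
  const asMeta = fetchJson(`${issuer.origin}/.well-known/oauth-authorization-server`) as OAuthMetadata;
  if (asMeta.issuer !== prm.authorization_servers[0]) throw new Error(`issuer mismatch: ${asMeta.issuer}`);
  if (!asMeta.response_types_supported.includes("code")) throw new Error("no authorization code flow");
  return {
    issuer: asMeta.issuer,
    authorizationEndpoint: asMeta.authorization_endpoint,
    tokenEndpoint: asMeta.token_endpoint,
    resource: prm.resource,
  };
}

// Constructed fixtures mirroring the page's configuration.
const exampleOptions: AuthMetadataOptions = {
  oauthMetadata: {
    issuer: "https://auth.example.com",
    authorization_endpoint: "https://auth.example.com/authorize",
    token_endpoint: "https://auth.example.com/token",
    response_types_supported: ["code"],
  },
  resourceServerUrl: new URL("https://api.example.com/mcp"),
  scopesSupported: ["shop.read"],
};
const exampleDocs: Record<string, unknown> = {
  "https://api.example.com/.well-known/oauth-protected-resource": buildProtectedResourceMetadata(exampleOptions),
  "https://auth.example.com/.well-known/oauth-authorization-server": exampleOptions.oauthMetadata,
};
const exampleLookup = (url: string): unknown => {
  if (!(url in exampleDocs)) throw new Error(`no fixture for ${url}`);
  return exampleDocs[url];
};

function runExample(): DiscoveryResult {
  const header = 'Bearer resource_metadata="https://api.example.com/.well-known/oauth-protected-resource"';
  return discoverAuthorizationServer("https://api.example.com/mcp", header, exampleLookup);
}
```

The two checks worth keeping in a real client are the `resource` comparison and the `issuer` comparison: together they stop a spoofed 401 or a spoofed metadata document from redirecting the sign-in to an authorization server you never configured. The returned `resource` is what the client then sends as the `resource` parameter when it asks for a token, so the token's audience is this MCP server and not reusable elsewhere.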

Signature

mcpAuthMetadataRouter(options: AuthMetadataOptions): Router;

Parameters

options

type AuthMetadataOptions = {
  oauthMetadata: OAuthMetadata;
  resourceServerUrl: URL;
  scopesSupported?: string[];
  serviceDocumentationUrl?: URL;
  resourceName?: string;
};
Field  Purpose

oauthMetadata
  Your authorization server's RFC 8414 metadata. At minimum the issuer, authorization_endpoint, token_endpoint, and response_types_supported.

resourceServerUrl
  This MCP server's URL. Published in the protected-resource metadata so clients map this server to its authorization server.

scopesSupported
  The scopes this server recognizes.

serviceDocumentationUrl
  Link to human-readable docs for this server.

resourceName
  Display name for this resource in the metadata.
Check your OAuth provider’s docs for the metadata values it expects.

Returns

An Express Router to pass to server.use. It serves your OAuth 2.0 Protected Resource Metadata (RFC 9728) at /.well-known/oauth-protected-resource, the document a client fetches after a 401 to learn which authorization server issues tokens for this resource. Serve it only over HTTPS: a client that trusts a tampered metadata document can be sent to an attacker's authorization server.

requireBearerAuth: Require a token on every request

optionalBearerAuth: Accept a token when present, allow anonymous otherwise

Authenticate Users: Add sign-in to your app end to end