optionalBearerAuth validates a token if one is sent but lets anonymous requests through. Each tool then enforces its own securitySchemes against extra.authInfo.
Example
The server accepts a token when one is sent, so public tools run for anyone while gated tools check extra.authInfo themselves.
server.ts
Signature
Parameters
options
| Field | Purpose |
|---|---|
| verifier | The provider-specific token check you write. See Verifier. |
| requiredScopes | A scope floor, enforced only when a token is sent: the token must carry all of these, or the request gets a 403. |
| resourceMetadataUrl | Absolute URL appended to the WWW-Authenticate header on a 401, pointing at your OAuth 2.0 Protected Resource Metadata so clients can discover the authorization server. |
Returns
An ExpressRequestHandler to pass to server.use, typically on /mcp.
- No Authorization header: the request proceeds with no authInfo.
- A valid token: the request proceeds, and handlers read it from extra.authInfo.
- A token that is present but invalid or expired: the same 401 / 403 as requireBearerAuth. Sending a bad token is still a client error.
Related
- requireBearerAuth: require a token on every request, with the verifier contract.
- registerTool: gate individual tools with securitySchemes.
- Authenticate Users: add sign-in to your app end to end.