requireBearerAuth locks your server behind sign-in. Unauthenticated requests are turned away before any tool runs, and your tools receive the signed-in user.
Example
Every tool requires a signed-in user with the shop.read scope: the middleware validates the token before any handler runs.
server.ts
Signature
Parameters
options
| Field | Purpose |
|---|---|
| verifier | The provider-specific token check you implement. See Verifier. |
| requiredScopes | A server-wide scope floor every accepted token must carry, or the request gets a 403. Layers under per-tool securitySchemes. |
| resourceMetadataUrl | Absolute URL appended to the WWW-Authenticate header on a 401, pointing at your OAuth 2.0 Protected Resource Metadata so clients can discover the authorization server. |
Returns
An ExpressRequestHandler to pass to server.use, typically on /mcp.
- A valid token: the request proceeds, and handlers read it from extra.authInfo.
- A missing, invalid, or expired token: a 401 with a WWW-Authenticate header.
- A token missing a required scope: a 403.
A valid token only proves who the caller is. Authorizing what they can do, and scoping data to them, stays the handler's job: read extra.authInfo and never trust a client-supplied identifier.