requireBearerAuth locks your server behind sign-in. Unauthenticated requests are turned away before any tool runs, and your tools receive the signed-in user.

Example

Every tool requires a signed-in user with the shop.read scope: the middleware validates the token before any handler runs.
server.ts
import { McpServer, requireBearerAuth } from "skybridge/server";
import { verifyAccessToken } from "./verify-access-token.js"; // the verifier you implement

const server = new McpServer({ name: "shop", version: "1.0" }).use(
  "/mcp",
  requireBearerAuth({
    verifier: { verifyAccessToken },
    requiredScopes: ["shop.read"],
  }),
);

Signature

requireBearerAuth(options: BearerAuthMiddlewareOptions): RequestHandler;

Parameters

options

type BearerAuthMiddlewareOptions = {
  verifier: OAuthTokenVerifier;
  requiredScopes?: string[];
  resourceMetadataUrl?: string;
};
| Field | Purpose |
| --- | --- |
| verifier | The provider-specific token check you implement. See Verifier. |
| requiredScopes | A server-wide scope floor every accepted token must carry, or the request gets a 403. Layers under per-tool securitySchemes. |
| resourceMetadataUrl | Absolute URL appended to the WWW-Authenticate header on a 401, pointing at your OAuth 2.0 Protected Resource Metadata so clients can discover the authorization server. |

Returns

An Express RequestHandler to pass to server.use, typically on /mcp.
  • A valid token: the request proceeds, and handlers read it from extra.authInfo.
  • A missing, invalid, or expired token: a 401 with a WWW-Authenticate header. A token missing a required scope: a 403.
A valid token only proves who the caller is. Authorizing what they can do, and scoping data to them, stays the handler’s job: read extra.authInfo and never trust a client-supplied identifier.
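The outcomes listed above, as an added stand-alone model (not skybridge's own code): a verifier standing in for the one you implement, backed by a constructed token table, and a decide function that reproduces the 401 challenge (with resource_metadata when configured), the 403 for a missing scope, and the authInfo a handler would read on success. The OAuthTokenVerifier and AuthInfo shapes are assumed to follow the MCP TypeScript SDK; the tokens, client ids and URL are constructed.

```typescript
// Assumed shapes (MCP TypeScript SDK): expiresAt is seconds since the epoch.
type AuthInfo = { token: string; clientId: string; scopes: string[]; expiresAt?: number };
type OAuthTokenVerifier = { verifyAccessToken(token: string): Promise<AuthInfo> };

type Decision =
  | { status: 200; authInfo: AuthInfo }
  | { status: 401 | 403; wwwAuthenticate: string };

// Constructed token table standing in for a real provider's introspection or JWT check.
const TOKENS: Record<string, AuthInfo> = {
  "tok-alice": { token: "tok-alice", clientId: "alice", scopes: ["shop.read", "shop.write"], expiresAt: 4102444800 },
  "tok-bob":   { token: "tok-bob",   clientId: "bob",   scopes: ["profile"],                expiresAt: 4102444800 },
  "tok-old":   { token: "tok-old",   clientId: "carol", scopes: ["shop.read"],              expiresAt: 1 },
};

// Stand-in for the verifyAccessToken you implement: unknown tokens are rejected by throwing.
const verifier: OAuthTokenVerifier = {
  async verifyAccessToken(token) {
    const info = TOKENS[token];
    if (!info) throw new Error("unknown token");
    return info;
  },
};

// Models requireBearerAuth's decision for one request, given its Authorization header.
async function decide(
  authorization: string | undefined,
  opts: { verifier: OAuthTokenVerifier; requiredScopes?: string[]; resourceMetadataUrl?: string },
  now: number = Date.now() / 1000,
): Promise<Decision> {
  const meta = opts.resourceMetadataUrl ? `, resource_metadata="${opts.resourceMetadataUrl}"` : "";
  const challenge = (err: string, desc: string) => `Bearer error="${err}", error_description="${desc}"${meta}`;
  const m = /^Bearer\s+(\S+)$/i.exec(authorization ?? "");
  if (!m) return { status: 401, wwwAuthenticate: challenge("invalid_token", "Missing Authorization header") };
  let authInfo: AuthInfo;
  try { authInfo = await opts.verifier.verifyAccessToken(m[1] ?? ""); }
  catch { return { status: 401, wwwAuthenticate: challenge("invalid_token", "Invalid token") }; }
  if (authInfo.expiresAt !== undefined && authInfo.expiresAt < now)
    return { status: 401, wwwAuthenticate: challenge("invalid_token", "Token has expired") };
  // Server-wide scope floor: every required scope must be present, or the caller is known but denied.
  const missing = (opts.requiredScopes ?? []).filter((s) => !authInfo.scopes.includes(s));
  if (missing.length > 0)
    return { status: 403, wwwAuthenticate: challenge("insufficient_scope", `Missing scopes: ${missing.join(" ")}`) };
  return { status: 200, authInfo }; // handlers read this as extra.authInfo
}
```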

optionalBearerAuth: Accept a token when present, allow anonymous otherwise.

mcpAuthMetadataRouter: Advertise your authorization server for discovery.

Authenticate Users: Add sign-in to your app end to end.