These providers enforce sign-in on every request. To mix public and authenticated tools in one server, wire the middleware by hand instead.
Auth0
Auth0 issues opaque tokens by default, so you register an API to get verifiable JWTs.- In the Auth0 dashboard, create a Regular Web Application and note its Domain.
- Create an API (Applications → APIs) with an Identifier (e.g.
https://your-mcp-server.com); this identifier is your audience and need not be a real URL. - Under Settings → Tenant Settings → API Authorization Settings, set Default Audience to that identifier and enable Dynamic Client Registration.
- Enable Application Connections, promote your login connection to domain level, and set the API’s user access policy to Allow, so DCR-created clients can sign users in.
audience, and this server’s public URL as serverUrl to auth0Provider:
server.ts
auth-auth0 example.
Clerk
Clerk access tokens carry noaud claim, so there is no audience to configure.
- Sign up at clerk.com and create an application.
- Create an OAuth application with Dynamic client registration enabled and Generate access tokens as JWTs turned on.
- Copy your Frontend API URL (API keys), e.g.
acme.clerk.accounts.dev.
clerkProvider, no audience:
server.ts
auth-clerk example.
Descope
A Descope MCP Server binds the token’saud to the project, so the provider derives the audience from the Discovery URL you pass.
- Sign up at descope.com and create a project.
- In the console’s MCP Servers section, create an MCP Server and enable Dynamic Client Registration on it.
- Copy the MCP Server’s Discovery URL from its Connection Information.
descopeProvider; the audience defaults to the Project ID derived from it:
server.ts
auth-descope example.
Stytch
Stytch Connected Apps ships its consent screen only as a React component, so the login, consent, and callback pages are served as static HTML from your server, and the Connected App points at them.- Sign up at stytch.com and create a Consumer project.
- Under Connected Apps, create a Connected App with Dynamic Client Registration enabled.
- Note your Project ID, project domain (e.g.
acme.customers.stytch.dev), and Public Token. - Set the Connected App’s Authorization URL to your server’s consent page and add its callback to the Redirect URLs allowlist. The
auth-stytchexample ships those HTML pages.
stytchProvider:
server.ts
WorkOS
WorkOS AuthKit needs DCR enabled and your server registered as a Resource Indicator so issued tokens carry the rightaud.
- Sign up at workos.com and enable AuthKit.
- Enable Dynamic Client Registration under Connect → Configuration.
- Register your server URL as a Resource Indicator, so AuthKit sets each token’s
audto it. - Copy your AuthKit domain (e.g.
acme.authkit.app).
workosProvider:
server.ts
auth-workos example.
Any Other Provider
For an identity provider without a branded wrapper,customProvider wires any IdP that meets three requirements:
- Dynamic Client Registration (DCR) enabled, so hosts can register themselves without a hand-issued client ID.
- JWT access tokens (not opaque ones), so the server can verify a token by its signature.
- An audience the provider binds into the token’s
audclaim.
server.ts
audience for a provider that binds none, and set serverUrl when Skybridge must advertise itself as the authorization server, as Auth0 and the Alpic DCR proxy require.
Google and GitHub don’t support DCR, so customProvider can’t wire them directly. To offer Google or GitHub sign-in, configure a branded provider (Auth0, Clerk, Stytch, or WorkOS) with them as an upstream social connection.
After sign-in, reading the user and scoping data to them is the same across every provider: handlers read extra.authInfo, and a tool declaring securitySchemes with scopes gates access to them.
Authenticate Users
Publish metadata, verify tokens, read the user
Register Tools
Declare which tools require sign-in
Tunnel
Test the OAuth flow in a real host