Short answer: for production, use an established, MCP-compatible authorization server for the HTTP OAuth flow. Then enforce agent-specific Grantex grants again at each sensitive tool or service boundary.
MCP authorization and Grantex solve different layers
MCP HTTP authorization establishes whether an MCP client may access a protected MCP resource on behalf of a resource owner. Grantex can add a narrower decision at tool execution time: which agent may perform which action, for which principal and resource, under which constraints. A production architecture should keep those responsibilities explicit:- Established authorization server: use a maintained authorization server that supports the current MCP profile, user authentication and consent, durable authorization-code state, secure client onboarding, token issuance, and revocation.
- MCP protected resource: expose RFC 9728 protected-resource metadata, advertise the permitted authorization server, and validate every access token’s issuer, audience, expiry, and required MCP scopes.
- Grantex tool enforcement: after transport authorization succeeds, use a primary Grantex SDK or direct, validated grant verification at each sensitive tool boundary. Bind the decision to the agent, principal, action, resource, constraints, and current revocation state.
- Audit and deny safely: record both the transport authorization context and the tool-level Grantex decision. Deny the call if either layer fails.
@grantex/mcp-auth@2.0.2 to serve as the production OAuth control plane.
What @grantex/mcp-auth 2.0.2 implements
For local inspection,createMcpAuthServer() returns a Fastify instance with
these six routes:
| Endpoint | Implemented behavior |
|---|---|
/.well-known/oauth-authorization-server | Authorization-server metadata discovery |
/register | Dynamic client registration backed by ClientStore |
/authorize | PKCE S256 plus client and redirect-URI validation, followed by a Grantex authorization request |
/token | PKCE validation plus Grantex exchange and refresh calls |
/introspect | JWT signature and claim validation against JWKS |
/revoke | Decode the JWT jti and request Grantex revocation |
Reproducible evaluation install
Use exact package versions and commit bothpackage.json and the generated
lockfile:
latest in an evaluation record.
Start the evaluation endpoint surface
Six material limits in 2.0.2
- Process-local state: client registrations use process memory unless you
provide a
ClientStore, and authorization codes always use the non-configurableInMemoryCodeStore. Restarts and multi-replica authorize/token flows are unsafe. - No consent page:
consentUiadds discovery metadata only. The package does not register/consentor render a user-approval interface. - Incomplete code handoff: the package does not persist the authorization code returned by the Grantex SDK for the token handler. A real backend exchange can therefore fail.
- Inactive issuance hook: the
onTokenIssuedtype is declared but the hook is not invoked in2.0.2. - No current revocation lookup: introspection and middleware perform local JWT validation but do not query current revocation state. Use an online state check or synchronized revocation data when immediate revocation matters.
- No server-wide redirect allowlist:
allowedRedirectUrisis declared but is not enforced as a server-wide allowlist in this release. Authorization checks the redirect URI registered for the individual client instead.
Evaluation-only middleware boundary
Production checklist
- Follow the current MCP HTTP authorization specification rather than treating an older endpoint list as the protocol.
- Use an established authorization server and maintained MCP SDK, with exact versions pinned in your own lockfile.
- Publish and validate RFC 9728 protected-resource metadata for the actual MCP resource identifier.
- Validate issuer, audience, expiry, scopes, and revocation before accepting the transport token.
- Enforce the narrower Grantex grant at every sensitive tool or downstream service boundary.
- Test denial paths, consent, authorization-code replay, redirect URIs, multi-replica state, token expiry, and revocation end to end.