Skip to main content
Full feature guide: MCP Auth Server

Overview

@grantex/mcp-auth registers OAuth 2.1-style metadata, PKCE authorization-code, client-registration, token, introspection, and revocation routes for MCP servers, plus JWT-verification middleware. Current published release: @grantex/mcp-auth@2.0.2.

Install

The exact versions above provide a reproducible install. The packages are versioned independently; check Release Status before upgrading.
Treat 2.0.2 as a single-process evaluation release. Authorization codes are always process-local, consentUi does not create a consent page, and the Grantex-backed token exchange does not persist the SDK’s returned authorization code. End-to-end issuance can therefore fail against the real backend. Middleware and introspection validate signatures/claims but do not perform live revocation checks. See the full feature guide before deployment.

Quick Start

createMcpAuthServer() is asynchronous and returns a Fastify instance with the OAuth metadata, registration, authorization, token, introspection, and revocation routes already registered. Start that returned server with listen(); it is not an Express router.

Endpoint surface in 2.0.2

  • OAuth 2.1 + PKCE — authorization code flow with S256 challenge
  • Client registration — dynamic or pre-registered MCP clients
  • Token introspection — validate JWT signatures and claims; no live revocation lookup
  • Revocation endpoint — submit a token jti to Grantex; local verifiers still need synchronized revocation state
  • Grantex calls — authorization, exchange, refresh, and revoke handlers call the supplied SDK client, subject to the limitations above
Last modified on July 12, 2026