Full feature guide: MCP Auth Server
Overview
@grantex/mcp-auth registers OAuth 2.1-style metadata, PKCE authorization-code, client-registration, token, introspection, and revocation routes for MCP servers, plus JWT-verification middleware.
Current published release: @grantex/mcp-auth@2.0.2.
Install
Quick Start
createMcpAuthServer() is asynchronous and returns a Fastify instance with the
OAuth metadata, registration, authorization, token, introspection, and revocation
routes already registered. Start that returned server with listen(); it is not
an Express router.
Endpoint surface in 2.0.2
- OAuth 2.1 + PKCE — authorization code flow with S256 challenge
- Client registration — dynamic or pre-registered MCP clients
- Token introspection — validate JWT signatures and claims; no live revocation lookup
- Revocation endpoint — submit a token
jtito Grantex; local verifiers still need synchronized revocation state - Grantex calls — authorization, exchange, refresh, and revoke handlers call the supplied SDK client, subject to the limitations above