This guide explains how OAuth authentication works in MCP servers created with the --oauth option.
This server uses standard OIDC (OpenID Connect) for authentication. The process may need adaptation based on your OAuth provider.
The MCP server needs two environment variables:
| Variable | Required | Description |
|---|---|---|
OAUTH_ISSUER_URL |
Yes | Your OIDC provider's base URL |
OAUTH_AUDIENCE |
No | Expected aud claim in tokens |
- Server fetches OIDC discovery document from
{OAUTH_ISSUER_URL}/.well-known/openid-configuration - Extracts
authorization_endpoint,token_endpoint, andjwks_uri - Creates a JWKS verifier using the provider's public signing keys
- Exposes OAuth metadata at
/.well-known/oauth-protected-resourcefor MCP clients
If the discovery document or JWKS endpoint is unreachable, the server will fail to start with a descriptive error.
When a client sends a request with Authorization: Bearer <token>:
- Server verifies the token is a JWT (three base64-encoded parts separated by dots)
- Validates the signature using the provider's public keys (JWKS)
- Checks the
iss(issuer) claim matchesOAUTH_ISSUER_URL - Checks the
aud(audience) claim ifOAUTH_AUDIENCEis configured - Verifies the token has not expired (
expclaim)
Your OIDC provider must:
- Support OIDC discovery (
/.well-known/openid-configuration) - Expose a JWKS endpoint with public signing keys
- Issue JWT access tokens (not opaque tokens)
- Sign tokens with keys available in the JWKS
Different providers may require additional configuration:
- Creating an "API" or "Resource Server" - Some providers (like Auth0) only issue JWT access tokens when an audience/API is configured
- Configuring an
audienceparameter - Clients may need to include this when requesting tokens - Pre-registering OAuth clients - If your provider doesn't support Dynamic Client Registration (DCR), clients must be manually registered
Consult your provider's documentation to configure these settings.
-
Start your MCP server:
npm run dev
-
Check the OAuth metadata endpoint:
curl http://localhost:3000/.well-known/oauth-protected-resource
-
Make an authenticated request with a valid token:
curl -X POST http://localhost:3000/mcp \ -H "Content-Type: application/json" \ -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \ -d '{"jsonrpc":"2.0","method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"test","version":"1.0"}},"id":1}'
Your provider is returning opaque tokens instead of JWTs. Opaque tokens are short random strings that cannot be validated locally.
Solution: Configure your provider to issue JWT access tokens. This often requires:
- Creating an API/Resource Server in your provider's dashboard
- Including the
audienceparameter when requesting tokens
The server cannot reach your OAuth provider's discovery endpoint.
Check:
OAUTH_ISSUER_URLis correct- The URL
{OAUTH_ISSUER_URL}/.well-known/openid-configurationis accessible - Your OAuth provider is running
- Network/firewall settings allow the connection
The server cannot reach your provider's public key endpoint.
Check:
- The JWKS URI from the discovery document is accessible
- Network/firewall settings allow the connection
The iss claim in the token doesn't match OAUTH_ISSUER_URL.
Check:
- Some providers include a trailing slash, others don't
- Try adjusting
OAUTH_ISSUER_URLto match exactly what the provider puts in tokens
The aud claim in the token doesn't match OAUTH_AUDIENCE.
Check:
- The audience value configured in your provider
- If you don't need audience validation, remove
OAUTH_AUDIENCEfrom your environment
The token's exp claim is in the past.
Solution: Request a new token from your OAuth provider.