Interface: McpAuthOptions
Defined in: index.ts:213
Authentication options for the MCP router.
Supply either cognitoUserPool (uses CognitoJwtVerifier from
@ttoss/auth-core) or a custom verifyToken function — not both.
Properties
authorizationServerUrl?
optionalauthorizationServerUrl?:string
Defined in: index.ts:245
URL of the OAuth Authorization Server that issues tokens for this resource.
Enables /.well-known/oauth-protected-resource for MCP client auto-discovery
(RFC 9728) when combined with resourceServerUrl.
cognitoUserPool?
optionalcognitoUserPool?:CognitoUserPoolConfig
Defined in: index.ts:218
Amazon Cognito user pool config. When provided, the router creates a
CognitoJwtVerifier and validates every incoming Bearer token against it.
requiredScopes?
optionalrequiredScopes?:string[]
Defined in: index.ts:233
Router-level scope guard. All listed scopes must be present on the token for any MCP request to be allowed. Returns 403 if any scope is missing.
Cognito encodes scopes as a space-separated string in payload.scope.
Example
['mcp:access']
resourceServerUrl?
optionalresourceServerUrl?:string
Defined in: index.ts:239
URL of this MCP server, used in the OAuth Protected Resource Metadata
response (/.well-known/oauth-protected-resource). Both this field and
authorizationServerUrl must be provided to enable the endpoint.
verifyToken?
optionalverifyToken?: (token) =>Promise<unknown>
Defined in: index.ts:224
Custom token verifier for non-Cognito providers (Auth0, Keycloak, …). Receives the raw Bearer token string. Should resolve with the verified payload or reject/throw on failure.
Parameters
| Parameter | Type |
|---|---|
token | string |
Returns
Promise<unknown>