Interface: McpAuthOptions
Defined in: index.ts:33
Authentication options for the MCP endpoint. Verification runs through
@ttoss/http-server-auth's oauth strategy; supply either a Cognito user
pool or a custom verifyToken.
Properties
authorizationServerUrl?
optionalauthorizationServerUrl?:string
Defined in: index.ts:64
URL of the OAuth Authorization Server that issues tokens for this resource.
cognitoUserPool?
optionalcognitoUserPool?:CognitoUserPoolConfig
Defined in: index.ts:35
Amazon Cognito user pool config; a CognitoJwtVerifier is built from it.
publicMethods?
optionalpublicMethods?:string[]
Defined in: index.ts:51
JSON-RPC methods (read from body.method) that bypass verification.
Default
['initialize', 'tools/list']
requiredScopes?
optionalrequiredScopes?:string[]
Defined in: index.ts:46
Scopes that must all be present on the token, else 403.
verifyToken may return either scope: string (space-separated) or
scopes: string[]; both are normalised internally.
resourceMetadataUrl?
optionalresourceMetadataUrl?:string
Defined in: index.ts:56
When set, a 401 carries WWW-Authenticate: Bearer resource_metadata="…"
(RFC 9728) so MCP clients can discover the authorization server.
resourceServerUrl?
optionalresourceServerUrl?:string
Defined in: index.ts:62
URL of this MCP server, surfaced in the OAuth Protected Resource Metadata
response. Both this and authorizationServerUrl must be set to serve
/.well-known/oauth-protected-resource.
verifyToken?
optionalverifyToken?: (token) =>Promise<unknown>
Defined in: index.ts:40
Custom token verifier for non-Cognito providers (Auth0, Keycloak, your own JWTs, opaque tokens). Resolve with the verified payload, or throw to reject.
Parameters
| Parameter | Type |
|---|---|
token | string |
Returns
Promise<unknown>