Interface: McpAuthOptions

Defined in: index.ts:33

Authentication options for the MCP endpoint. Verification runs through @ttoss/http-server-auth's oauth strategy; supply either a Cognito user pool or a custom verifyToken.

Properties

authorizationServerUrl?

optional authorizationServerUrl?: string

Defined in: index.ts:64

URL of the OAuth Authorization Server that issues tokens for this resource.


cognitoUserPool?

optional cognitoUserPool?: CognitoUserPoolConfig

Defined in: index.ts:35

Amazon Cognito user pool config; a CognitoJwtVerifier is built from it.


publicMethods?

optional publicMethods?: string[]

Defined in: index.ts:51

JSON-RPC methods (read from body.method) that bypass verification.

Default

['initialize', 'tools/list']

requiredScopes?

optional requiredScopes?: string[]

Defined in: index.ts:46

Scopes that must all be present on the token, else 403. verifyToken may return either scope: string (space-separated) or scopes: string[]; both are normalised internally.


resourceMetadataUrl?

optional resourceMetadataUrl?: string

Defined in: index.ts:56

When set, a 401 carries WWW-Authenticate: Bearer resource_metadata="…" (RFC 9728) so MCP clients can discover the authorization server.


resourceServerUrl?

optional resourceServerUrl?: string

Defined in: index.ts:62

URL of this MCP server, surfaced in the OAuth Protected Resource Metadata response. Both this and authorizationServerUrl must be set to serve /.well-known/oauth-protected-resource.


verifyToken?

optional verifyToken?: (token) => Promise<unknown>

Defined in: index.ts:40

Custom token verifier for non-Cognito providers (Auth0, Keycloak, your own JWTs, opaque tokens). Resolve with the verified payload, or throw to reject.

Parameters

Parameter    Type
token        string

Returns

Promise<unknown>
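
As an added example (not code from the package or its authors), here is a custom verifyToken for HS256-signed JWTs that pins the algorithm, checks signature, expiry and audience, and returns a space-separated scope string for the requiredScopes check. The secret, audience, URLs, scope names and the helpers signDemoToken and verifyHs256 are constructed assumptions; the options object uses only property names documented above.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto';

// Constructed demo values (assumptions, not from the page).
const DEMO_SECRET = 'constructed-demo-secret';
const DEMO_AUDIENCE = 'https://mcp.example.com';

const b64url = (s: string): string => Buffer.from(s, 'utf8').toString('base64url');
const hmac = (data: string): Buffer => createHmac('sha256', DEMO_SECRET).update(data).digest();

// Hypothetical helper: mint a constructed token so the verifier can be exercised offline.
function signDemoToken(payload: Record<string, unknown>, alg = 'HS256'): string {
  const signingInput = `${b64url(JSON.stringify({ alg, typ: 'JWT' }))}.${b64url(JSON.stringify(payload))}`;
  return `${signingInput}.${hmac(signingInput).toString('base64url')}`;
}

// Synchronous core: returns the verified payload, or throws (throwing is how verifyToken rejects).
function verifyHs256(token: string, nowSec: number): Record<string, unknown> {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [head = '', body = '', sig = ''] = parts;
  const header = JSON.parse(Buffer.from(head, 'base64url').toString('utf8'));
  // Pin the algorithm instead of trusting the token's own alg header.
  if (header.alg !== 'HS256') throw new Error('unexpected alg');
  const expected = hmac(`${head}.${body}`);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }
  const payload = JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
  if (typeof payload.exp !== 'number' || payload.exp <= nowSec) throw new Error('expired');
  // Reject tokens minted for a different resource server.
  if (payload.aud !== DEMO_AUDIENCE) throw new Error('wrong audience');
  return payload; // carries scope: "a b", the space-separated form the page says is accepted
}

// Options object built only from the property names documented on this page.
const authOptions = {
  verifyToken: async (token: string): Promise<unknown> =>
    verifyHs256(token, Math.floor(Date.now() / 1000)),
  requiredScopes: ['mcp:tools'],
  // Assumption: a supplied list replaces the default, so tools/list now needs a token.
  publicMethods: ['initialize'],
  resourceMetadataUrl: 'https://mcp.example.com/.well-known/oauth-protected-resource',
};
```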