|
| 1 | +--- |
| 2 | +title: MCP Authentication |
| 3 | +hide_title: true |
| 4 | +sidebar_position: 8 |
| 5 | +pagination_next: null |
| 6 | +pagination_prev: null |
| 7 | +description: >- |
| 8 | + Authenticate MCP server actions using the SuperTokens MCP plugin. |
| 9 | +category: authentication |
| 10 | +recipe: oauth2 |
| 11 | +page_type: tutorial |
| 12 | +--- |
| 13 | + |
| 14 | +# Authenticate MCP Servers |
| 15 | + |
| 16 | +## Overview |
| 17 | + |
| 18 | +This guide explains how to authenticate Model Context Protocol (MCP) Servers using **SuperTokens**. |
| 19 | +The instructions make use of the `plugins` functionality. |
| 20 | +It is a new way to abstract common functionalities into a reusable package. |
| 21 | + |
| 22 | +## Before you start |
| 23 | + |
| 24 | +<PaidFeatureCallout /> |
| 25 | + |
| 26 | +The [MCP authentication flow](https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization) complies with the OAuth2 specifications. |
| 27 | +This means that you will have to use the `OAuth2` recipe in your configuration which is a paid feature. |
| 28 | + |
| 29 | +The functionality is only available alongside the `node` SDK at the moment. |
| 30 | +Keep in mind that the feature is currently in beta and might be subject to breaking changes. |
| 31 | + |
| 32 | +## Steps |
| 33 | + |
| 34 | +### 1. Install the plugin |
| 35 | + |
| 36 | +Add the `supertokens-mcp-plugin` package to your project. |
| 37 | + |
| 38 | +<Tabs> |
| 39 | + <Tab value="npm" label="npm"> |
| 40 | + ```bash |
| 41 | + npm i -s supertokens-mcp-plugin |
| 42 | + ``` |
| 43 | + </Tab> |
| 44 | + <Tab value="yarn" label="yarn"> |
| 45 | + ```bash |
| 46 | + yarn add supertokens-mcp-plugin |
| 47 | + ``` |
| 48 | + </Tab> |
| 49 | + <Tab value="pnpm" label="pnpm"> |
| 50 | + ```bash |
| 51 | + pnpm add supertokens-auth-react supertokens-web-js |
| 52 | + ``` |
| 53 | + </Tab> |
| 54 | +</Tabs> |
| 55 | + |
| 56 | + |
| 57 | +### 2. Add the MCP server |
| 58 | + |
| 59 | +Use the `SuperTokensMcpServer` class when in your implementation. |
| 60 | +The class extends the base MCP server exposed by the `@modelcontextprotocol/sdk`, and adds custom authentication logic on top of it. |
| 61 | + |
| 62 | +You can authorize the client requests in two different ways. |
| 63 | +By using the standard [claim validators](/docs/additional-verification/session-verification/claim-validation). |
| 64 | +Or you can write your own custom validation logic in the `validateTokenPayload` function. |
| 65 | + |
| 66 | +The authentication state can be accessed inside a tool call through the second function argument, `extra.authInfo`. |
| 67 | + |
| 68 | +```ts |
| 69 | +import UserRoles, { UserRoleClaim } from "supertokens-node/recipe/userroles"; |
| 70 | +import OAuth2Provider from "supertokens-node/recipe/oauth2provider"; |
| 71 | +import type { TypeInput } from "supertokens-node/types"; |
| 72 | +import { z } from "zod"; |
| 73 | +import SuperTokensMcpPlugin, { |
| 74 | + SuperTokensMcpServer, |
| 75 | +} from "supertokens-mcp-plugin"; |
| 76 | +import SuperTokens from "supertokens-node"; |
| 77 | + |
| 78 | +const server = new SuperTokensMcpServer({ |
| 79 | + name: "example-mcp", |
| 80 | + version: "1.0.0", |
| 81 | + path: "/mcp", |
| 82 | + validateTokenPayload: async (_accessTokenPayload, _userContext) => { |
| 83 | + // You can check the acccess token payload for any specific values |
| 84 | + return { |
| 85 | + status: "OK", |
| 86 | + }; |
| 87 | + }, |
| 88 | + // By default, you can use calim validators to determine who can access the MCP server |
| 89 | + claimValidators: [UserRoleClaim.validators.includes("admin")], |
| 90 | +}); |
| 91 | + |
| 92 | + |
| 93 | +server.registerTool( |
| 94 | + "session-info", |
| 95 | + { |
| 96 | + inputSchema: {}, |
| 97 | + description: "Get session information", |
| 98 | + }, |
| 99 | + async (_args, extra) => { |
| 100 | + return { |
| 101 | + content: [ |
| 102 | + { |
| 103 | + type: "text", |
| 104 | + text: JSON.stringify(extra.authInfo), |
| 105 | + }, |
| 106 | + ], |
| 107 | + }; |
| 108 | + } |
| 109 | +); |
| 110 | + |
| 111 | +``` |
| 112 | + |
| 113 | +### 3. Update the SDK initialization code |
| 114 | + |
| 115 | +Now that you have created your server include it in the SuperTokens SDK configuration. |
| 116 | +This way, the SDK middleware will expose your new endpoint and authenticate each request. |
| 117 | + |
| 118 | +```ts |
| 119 | +import supertokens from "supertokens-node"; |
| 120 | +import SuperTokensMcpPlugin, { |
| 121 | + SuperTokensMcpServer, |
| 122 | +} from "supertokens-mcp-plugin"; |
| 123 | + |
| 124 | +// The server that you have previously created |
| 125 | +const server = new SuperTokensMcpServer({}); |
| 126 | + |
| 127 | +supertokens.init({ |
| 128 | + supertokens: { |
| 129 | + connectionURI: "<SUPERTOKENS_CONNECTION_URI>", |
| 130 | + apiKey: "<SUPERTOKENS_API_KEY>", |
| 131 | + }, |
| 132 | + appInfo: { |
| 133 | + appName: "<APP_NAME>", |
| 134 | + apiDomain: "<API_DOMAIN>", |
| 135 | + websiteDomain: "<WEBSITE_DOMAIN>", |
| 136 | + apiBasePath: "<API_BASE_PATH>", |
| 137 | + websiteBasePath: "<WEBSITE_BASE_PATH>", |
| 138 | + }, |
| 139 | + recipeList: [ |
| 140 | + // Include your existing recipes here |
| 141 | + // The OAuth2Provider recipe is required for the MCP authorization process |
| 142 | + OAuth2Provider.init(), |
| 143 | + ], |
| 144 | + experimental: { |
| 145 | + plugins: [ |
| 146 | + SuperTokensMcpPlugin.init({ |
| 147 | + mcpServers: [server], |
| 148 | + }), |
| 149 | + ], |
| 150 | + }, |
| 151 | +}); |
| 152 | +``` |
| 153 | + |
| 154 | + |
0 commit comments