@modelcontextprotocol/sdk

    Interface OAuthClientProvider

    Implements an end-to-end OAuth client to be used with one MCP server.

    This client relies upon a concept of an authorized "session," the exact meaning of which is application-defined. Tokens, authorization codes, and code verifiers should not cross different sessions.

    /**
     * End-to-end OAuth client to be used with one MCP server.
     *
     * The provider works in terms of an application-defined "session". Tokens,
     * authorization codes and PKCE code verifiers should not cross different
     * sessions, so every load/save method below is expected to read and write
     * state belonging to the current session only.
     *
     * NOTE(review): several members carry credentials (`client_secret`,
     * `access_token`, `refresh_token`, the PKCE verifier). The interface does
     * not say where they are persisted; implementers should pick storage that
     * is scoped per session and keep these values out of logs and error text.
     */
    interface OAuthClientProvider {
        /**
         * Metadata about this OAuth client.
         *
         * `redirect_uris` is the only required field; all others are optional.
         */
        get clientMetadata(): {
            client_name?: string;
            client_uri?: string;
            contacts?: string[];
            grant_types?: string[];
            // Typed `any`: the compiler performs no shape checking on this value.
            jwks?: any;
            jwks_uri?: string;
            logo_uri?: string;
            policy_uri?: string;
            redirect_uris: string[];
            response_types?: string[];
            scope?: string;
            software_id?: string;
            software_statement?: string;
            software_version?: string;
            token_endpoint_auth_method?: string;
            tos_uri?: string;
        };
        /** The URL to redirect the user agent to after authorization. */
        get redirectUrl(): string | URL;
        /**
         * Loads information about this OAuth client as already registered with
         * the server, or returns `undefined` if the client is not registered.
         *
         * The result may be returned directly or through a Promise. It can
         * include a `client_secret`, which should be handled as a credential.
         */
        clientInformation(): | {
            client_id: string;
            client_id_issued_at?: number;
            client_secret?: string;
            client_secret_expires_at?: number;
        }
        | Promise<
            | {
                client_id: string;
                client_id_issued_at?: number;
                client_secret?: string;
                client_secret_expires_at?: number;
            }
            | undefined,
        >
        | undefined;
        /**
         * Loads the PKCE code verifier for the current session, necessary to
         * validate the authorization result.
         *
         * NOTE(review): should return the value previously passed to
         * saveCodeVerifier() for this same session, never one from another
         * session.
         */
        codeVerifier(): string | Promise<string>;
        /**
         * Invoked to redirect the user agent to the given URL to begin the
         * authorization flow.
         *
         * @param authorizationUrl - URL the user agent is sent to.
         */
        redirectToAuthorization(authorizationUrl: URL): void | Promise<void>;
        /**
         * Optional. If implemented, permits the OAuth client to dynamically
         * register with the server. Client information saved this way should
         * later be read via clientInformation().
         *
         * Not required when client information is statically known (e.g.
         * pre-registered).
         *
         * @param clientInformation - Registration result to persist; may
         * contain a `client_secret`.
         */
        saveClientInformation?(
            clientInformation: {
                client_id: string;
                client_id_issued_at?: number;
                client_name?: string;
                client_secret?: string;
                client_secret_expires_at?: number;
                client_uri?: string;
                contacts?: string[];
                grant_types?: string[];
                jwks?: any;
                jwks_uri?: string;
                logo_uri?: string;
                policy_uri?: string;
                redirect_uris: string[];
                response_types?: string[];
                scope?: string;
                software_id?: string;
                software_statement?: string;
                software_version?: string;
                token_endpoint_auth_method?: string;
                tos_uri?: string;
            },
        ): void
        | Promise<void>;
        /**
         * Saves a PKCE code verifier for the current session, before
         * redirecting to the authorization flow.
         *
         * @param codeVerifier - Verifier to persist for this session.
         */
        saveCodeVerifier(codeVerifier: string): void | Promise<void>;
        /**
         * Stores new OAuth tokens for the current session, after a successful
         * authorization.
         *
         * @param tokens - Token response to persist; `access_token` and
         * `token_type` are always present, `refresh_token` is optional.
         */
        saveTokens(
            tokens: {
                access_token: string;
                expires_in?: number;
                refresh_token?: string;
                scope?: string;
                token_type: string;
            },
        ): void
        | Promise<void>;
        /**
         * Optional. Returns an OAuth2 state parameter.
         *
         * NOTE(review): this listing does not show how or whether the value is
         * compared on the redirect back; confirm who performs that check
         * before relying on it for request/response correlation.
         */
        state?(): string | Promise<string>;
        /**
         * Loads any existing OAuth tokens for the current session, or returns
         * `undefined` if there are no saved tokens.
         *
         * The result may be returned directly or through a Promise.
         */
        tokens(): | {
            access_token: string;
            expires_in?: number;
            refresh_token?: string;
            scope?: string;
            token_type: string;
        }
        | Promise<
            | {
                access_token: string;
                expires_in?: number;
                refresh_token?: string;
                scope?: string;
                token_type: string;
            }
            | undefined,
        >
        | undefined;
        /**
         * Optional. If defined, overrides the selection and validation of the
         * RFC 8707 Resource Indicator. If left undefined, default validation
         * behavior is used.
         *
         * Implementations must verify that the returned resource matches the
         * MCP server.
         *
         * @param serverUrl - URL of the MCP server being connected to.
         * @param resource - Optional resource value to consider.
         * @returns The resource URL to use, or `undefined`.
         */
        validateResourceURL?(
            serverUrl: string | URL,
            resource?: string,
        ): Promise<URL | undefined>;
    }
    Index

    Accessors

    • get clientMetadata(): {
          client_name?: string;
          client_uri?: string;
          contacts?: string[];
          grant_types?: string[];
          jwks?: any;
          jwks_uri?: string;
          logo_uri?: string;
          policy_uri?: string;
          redirect_uris: string[];
          response_types?: string[];
          scope?: string;
          software_id?: string;
          software_statement?: string;
          software_version?: string;
          token_endpoint_auth_method?: string;
          tos_uri?: string;
      }

      Metadata about this OAuth client.

      Returns {
          client_name?: string;
          client_uri?: string;
          contacts?: string[];
          grant_types?: string[];
          jwks?: any;
          jwks_uri?: string;
          logo_uri?: string;
          policy_uri?: string;
          redirect_uris: string[];
          response_types?: string[];
          scope?: string;
          software_id?: string;
          software_statement?: string;
          software_version?: string;
          token_endpoint_auth_method?: string;
          tos_uri?: string;
      }

    • get redirectUrl(): string | URL

      The URL to redirect the user agent to after authorization.

      Returns string | URL

    Methods

    • Loads information about this OAuth client, as registered already with the server, or returns undefined if the client is not registered with the server.

      Returns
          | {
              client_id: string;
              client_id_issued_at?: number;
              client_secret?: string;
              client_secret_expires_at?: number;
          }
          | Promise<
              | {
                  client_id: string;
                  client_id_issued_at?: number;
                  client_secret?: string;
                  client_secret_expires_at?: number;
              }
              | undefined,
          >
          | undefined

    • Loads the PKCE code verifier for the current session, necessary to validate the authorization result.

      Returns string | Promise<string>

    • Invoked to redirect the user agent to the given URL to begin the authorization flow.

      Parameters

      • authorizationUrl: URL

      Returns void | Promise<void>

    • If implemented, this permits the OAuth client to dynamically register with the server. Client information saved this way should later be read via clientInformation().

      This method is not required to be implemented if client information is statically known (e.g., pre-registered).

      Parameters

      • clientInformation: {
            client_id: string;
            client_id_issued_at?: number;
            client_name?: string;
            client_secret?: string;
            client_secret_expires_at?: number;
            client_uri?: string;
            contacts?: string[];
            grant_types?: string[];
            jwks?: any;
            jwks_uri?: string;
            logo_uri?: string;
            policy_uri?: string;
            redirect_uris: string[];
            response_types?: string[];
            scope?: string;
            software_id?: string;
            software_statement?: string;
            software_version?: string;
            token_endpoint_auth_method?: string;
            tos_uri?: string;
        }

      Returns void | Promise<void>

    • Saves a PKCE code verifier for the current session, before redirecting to the authorization flow.

      Parameters

      • codeVerifier: string

      Returns void | Promise<void>

    • Stores new OAuth tokens for the current session, after a successful authorization.

      Parameters

      • tokens: {
            access_token: string;
            expires_in?: number;
            refresh_token?: string;
            scope?: string;
            token_type: string;
        }

      Returns void | Promise<void>

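    • Returns an OAuth2 state parameter. The value is sent with the authorization request and comes back on the redirect, so it should be unpredictable and tied to the current session.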

      Returns string | Promise<string>

    • Loads any existing OAuth tokens for the current session, or returns undefined if there are no saved tokens.

      Returns
          | {
              access_token: string;
              expires_in?: number;
              refresh_token?: string;
              scope?: string;
              token_type: string;
          }
          | Promise<
              | {
                  access_token: string;
                  expires_in?: number;
                  refresh_token?: string;
                  scope?: string;
                  token_type: string;
              }
              | undefined,
          >
          | undefined

    • If defined, overrides the selection and validation of the RFC 8707 Resource Indicator. If left undefined, default validation behavior will be used.

      Implementations must verify that the returned resource matches the MCP server, because the resource indicator names the server the issued token is intended for.

      Parameters

      • serverUrl: string | URL
      • Optional resource: string

      Returns Promise<URL | undefined>