@modelcontextprotocol/sdk

    Interface OAuthServerProvider

    Implements an end-to-end OAuth server.

    /**
     * Implements an end-to-end OAuth server.
     *
     * Most methods receive the registered client's full record as `client`. That record
     * can carry `client_secret`, and its `jwks` field is typed `any`.
     * NOTE(review): treat `client` as credential-bearing (keep it out of logs and error
     * messages) and validate `jwks` before use; nothing in this declaration enforces either.
     */
    interface OAuthServerProvider {
        /**
         * Whether to skip local PKCE validation.
         *
         * If true, the server will not perform PKCE validation locally and will pass the
         * code_verifier to the upstream server. This should only be true if the upstream
         * server is performing the actual PKCE validation.
         *
         * NOTE(review): with this set and no validating upstream, nothing checks the
         * code_verifier against the code challenge; confirm the upstream check before enabling.
         */
        skipLocalPkceValidation?: boolean;
        /**
         * Read-only accessor returning an OAuthRegisteredClientsStore.
         * NOTE(review): presumably the store used to look up registered clients; no
         * description is given for it here, so confirm against the implementation.
         */
        get clientsStore(): OAuthRegisteredClientsStore;
        /**
         * Begins the authorization flow, which can either be implemented by this server
         * itself or via redirection to a separate authorization server.
         *
         * This server must eventually issue a redirect with an authorization response or an
         * error response to the given redirect URI. Per OAuth 2.1:
         * - In the successful case, the redirect MUST include the code and state (if present)
         *   query parameters.
         * - In the error case, the redirect MUST include the error query parameter, and MAY
         *   include an optional error_description query parameter.
         *
         * NOTE(review): the signature does not show who checks the requested redirect URI
         * against `client.redirect_uris`; confirm that check happens before any redirect.
         *
         * @param client - The registered client starting the flow.
         * @param params - Authorization request parameters (type AuthorizationParams).
         * @param res - Response object on which the redirect is issued.
         */
        authorize(
            client: {
                client_id: string;
                client_id_issued_at?: number;
                client_name?: string;
                client_secret?: string;
                client_secret_expires_at?: number;
                client_uri?: string;
                contacts?: string[];
                grant_types?: string[];
                jwks?: any;
                jwks_uri?: string;
                logo_uri?: string;
                policy_uri?: string;
                redirect_uris: string[];
                response_types?: string[];
                scope?: string;
                software_id?: string;
                software_statement?: string;
                software_version?: string;
                token_endpoint_auth_method?: string;
                tos_uri?: string;
            },
            params: AuthorizationParams,
            res: Response,
        ): Promise<void>;
        /**
         * Returns the codeChallenge that was used when the indicated authorization began.
         *
         * NOTE(review): presumably this value is compared with the code_verifier at token
         * exchange when local PKCE validation is not skipped. An implementation should
         * presumably also confirm that `authorizationCode` was issued to `client` - confirm.
         *
         * @param client - The registered client presenting the code.
         * @param authorizationCode - The authorization code whose challenge is requested.
         * @returns A promise resolving to the code challenge string.
         */
        challengeForAuthorizationCode(
            client: {
                client_id: string;
                client_id_issued_at?: number;
                client_name?: string;
                client_secret?: string;
                client_secret_expires_at?: number;
                client_uri?: string;
                contacts?: string[];
                grant_types?: string[];
                jwks?: any;
                jwks_uri?: string;
                logo_uri?: string;
                policy_uri?: string;
                redirect_uris: string[];
                response_types?: string[];
                scope?: string;
                software_id?: string;
                software_statement?: string;
                software_version?: string;
                token_endpoint_auth_method?: string;
                tos_uri?: string;
            },
            authorizationCode: string,
        ): Promise<string>;
        /**
         * Exchanges an authorization code for an access token.
         *
         * NOTE(review): the declaration does not show where single use, expiry, or binding
         * of the code to `client` is enforced; presumably that is the implementer's job - confirm.
         *
         * @param client - The registered client redeeming the code.
         * @param authorizationCode - The authorization code being redeemed.
         * @param codeVerifier - Optional. NOTE(review): presumably the PKCE code_verifier,
         *   forwarded so an upstream server can validate it when skipLocalPkceValidation is
         *   true - confirm.
         * @param redirectUri - Optional. NOTE(review): presumably the redirect_uri from the
         *   token request, to be matched against the one used at authorization - confirm.
         * @param resource - Optional URL. NOTE(review): presumably the resource the token is
         *   requested for - confirm.
         * @returns A promise resolving to a token response: `access_token` and `token_type`
         *   are required; `expires_in`, `refresh_token` and `scope` are optional.
         */
        exchangeAuthorizationCode(
            client: {
                client_id: string;
                client_id_issued_at?: number;
                client_name?: string;
                client_secret?: string;
                client_secret_expires_at?: number;
                client_uri?: string;
                contacts?: string[];
                grant_types?: string[];
                jwks?: any;
                jwks_uri?: string;
                logo_uri?: string;
                policy_uri?: string;
                redirect_uris: string[];
                response_types?: string[];
                scope?: string;
                software_id?: string;
                software_statement?: string;
                software_version?: string;
                token_endpoint_auth_method?: string;
                tos_uri?: string;
            },
            authorizationCode: string,
            codeVerifier?: string,
            redirectUri?: string,
            resource?: URL,
        ): Promise<
            {
                access_token: string;
                expires_in?: number;
                refresh_token?: string;
                scope?: string;
                token_type: string;
            },
        >;
        /**
         * Exchanges a refresh token for an access token.
         *
         * NOTE(review): an implementation should presumably confirm that the refresh token
         * was issued to `client` and that `scopes` does not exceed the original grant - confirm.
         *
         * @param client - The registered client presenting the refresh token.
         * @param refreshToken - The refresh token being exchanged.
         * @param scopes - Optional list of scopes requested for the new token.
         * @param resource - Optional URL. NOTE(review): presumably the resource the token is
         *   requested for - confirm.
         * @returns A promise resolving to a token response: `access_token` and `token_type`
         *   are required; `expires_in`, `refresh_token` and `scope` are optional.
         */
        exchangeRefreshToken(
            client: {
                client_id: string;
                client_id_issued_at?: number;
                client_name?: string;
                client_secret?: string;
                client_secret_expires_at?: number;
                client_uri?: string;
                contacts?: string[];
                grant_types?: string[];
                jwks?: any;
                jwks_uri?: string;
                logo_uri?: string;
                policy_uri?: string;
                redirect_uris: string[];
                response_types?: string[];
                scope?: string;
                software_id?: string;
                software_statement?: string;
                software_version?: string;
                token_endpoint_auth_method?: string;
                tos_uri?: string;
            },
            refreshToken: string,
            scopes?: string[],
            resource?: URL,
        ): Promise<
            {
                access_token: string;
                expires_in?: number;
                refresh_token?: string;
                scope?: string;
                token_type: string;
            },
        >;
        /**
         * Revokes an access or refresh token. If unimplemented, token revocation is not
         * supported (not recommended).
         *
         * If the given token is invalid or already revoked, this method should do nothing.
         *
         * NOTE(review): an implementation should presumably only revoke tokens that were
         * issued to `client` - confirm.
         *
         * @param client - The registered client requesting revocation.
         * @param request - The token to revoke, with an optional `token_type_hint`.
         */
        revokeToken?(
            client: {
                client_id: string;
                client_id_issued_at?: number;
                client_name?: string;
                client_secret?: string;
                client_secret_expires_at?: number;
                client_uri?: string;
                contacts?: string[];
                grant_types?: string[];
                jwks?: any;
                jwks_uri?: string;
                logo_uri?: string;
                policy_uri?: string;
                redirect_uris: string[];
                response_types?: string[];
                scope?: string;
                software_id?: string;
                software_statement?: string;
                software_version?: string;
                token_endpoint_auth_method?: string;
                tos_uri?: string;
            },
            request: { token: string; token_type_hint?: string },
        ): Promise<void>;
        /**
         * Takes an access token string and resolves to an AuthInfo.
         * NOTE(review): no description is visible for this method. Presumably it is the
         * point where expired, revoked or otherwise invalid tokens must be rejected - confirm.
         */
        verifyAccessToken(token: string): Promise<AuthInfo>;
    }

    Implemented by


    Properties

    skipLocalPkceValidation?: boolean

    Whether to skip local PKCE validation.

    If true, the server will not perform PKCE validation locally and will pass the code_verifier to the upstream server.

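    NOTE: This should only be true if the upstream server is performing the actual PKCE validation. Otherwise neither server checks the code_verifier against the code challenge, and the protection PKCE provides against intercepted authorization codes is lost.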

    Accessors

    Methods

    • Begins the authorization flow, which can either be implemented by this server itself or via redirection to a separate authorization server.

      This server must eventually issue a redirect with an authorization response or an error response to the given redirect URI. Per OAuth 2.1:

      • In the successful case, the redirect MUST include the code and state (if present) query parameters.
      • In the error case, the redirect MUST include the error query parameter, and MAY include an optional error_description query parameter.

      Parameters

      • client: {
            client_id: string;
            client_id_issued_at?: number;
            client_name?: string;
            client_secret?: string;
            client_secret_expires_at?: number;
            client_uri?: string;
            contacts?: string[];
            grant_types?: string[];
            jwks?: any;
            jwks_uri?: string;
            logo_uri?: string;
            policy_uri?: string;
            redirect_uris: string[];
            response_types?: string[];
            scope?: string;
            software_id?: string;
            software_statement?: string;
            software_version?: string;
            token_endpoint_auth_method?: string;
            tos_uri?: string;
        }
      • params: AuthorizationParams
      • res: Response

      Returns Promise<void>

    • Returns the codeChallenge that was used when the indicated authorization began.

      Parameters

      • client: {
            client_id: string;
            client_id_issued_at?: number;
            client_name?: string;
            client_secret?: string;
            client_secret_expires_at?: number;
            client_uri?: string;
            contacts?: string[];
            grant_types?: string[];
            jwks?: any;
            jwks_uri?: string;
            logo_uri?: string;
            policy_uri?: string;
            redirect_uris: string[];
            response_types?: string[];
            scope?: string;
            software_id?: string;
            software_statement?: string;
            software_version?: string;
            token_endpoint_auth_method?: string;
            tos_uri?: string;
        }
      • authorizationCode: string

      Returns Promise<string>

    • Exchanges an authorization code for an access token.

      Parameters

      • client: {
            client_id: string;
            client_id_issued_at?: number;
            client_name?: string;
            client_secret?: string;
            client_secret_expires_at?: number;
            client_uri?: string;
            contacts?: string[];
            grant_types?: string[];
            jwks?: any;
            jwks_uri?: string;
            logo_uri?: string;
            policy_uri?: string;
            redirect_uris: string[];
            response_types?: string[];
            scope?: string;
            software_id?: string;
            software_statement?: string;
            software_version?: string;
            token_endpoint_auth_method?: string;
            tos_uri?: string;
        }
      • authorizationCode: string
      • Optional codeVerifier: string
      • Optional redirectUri: string
      • Optional resource: URL

      Returns Promise<
          {
              access_token: string;
              expires_in?: number;
              refresh_token?: string;
              scope?: string;
              token_type: string;
          },
      >

    • Exchanges a refresh token for an access token.

      Parameters

      • client: {
            client_id: string;
            client_id_issued_at?: number;
            client_name?: string;
            client_secret?: string;
            client_secret_expires_at?: number;
            client_uri?: string;
            contacts?: string[];
            grant_types?: string[];
            jwks?: any;
            jwks_uri?: string;
            logo_uri?: string;
            policy_uri?: string;
            redirect_uris: string[];
            response_types?: string[];
            scope?: string;
            software_id?: string;
            software_statement?: string;
            software_version?: string;
            token_endpoint_auth_method?: string;
            tos_uri?: string;
        }
      • refreshToken: string
      • Optional scopes: string[]
      • Optional resource: URL

      Returns Promise<
          {
              access_token: string;
              expires_in?: number;
              refresh_token?: string;
              scope?: string;
              token_type: string;
          },
      >

    • Revokes an access or refresh token. If unimplemented, token revocation is not supported (not recommended).

      If the given token is invalid or already revoked, this method should do nothing.

      Parameters

      • client: {
            client_id: string;
            client_id_issued_at?: number;
            client_name?: string;
            client_secret?: string;
            client_secret_expires_at?: number;
            client_uri?: string;
            contacts?: string[];
            grant_types?: string[];
            jwks?: any;
            jwks_uri?: string;
            logo_uri?: string;
            policy_uri?: string;
            redirect_uris: string[];
            response_types?: string[];
            scope?: string;
            software_id?: string;
            software_statement?: string;
            software_version?: string;
            token_endpoint_auth_method?: string;
            tos_uri?: string;
        }
      • request: { token: string; token_type_hint?: string }

      Returns Promise<void>