@modelcontextprotocol/sdk
    Preparing search index...

    Interface OAuthClientProvider

    Implements an end-to-end OAuth client to be used with one MCP server.

    This client relies upon a concept of an authorized "session," the exact meaning of which is application-defined. Tokens, authorization codes, and code verifiers should not cross different sessions.

    interface OAuthClientProvider {
        get clientMetadata(): {
            client_name?: string;
            client_uri?: string;
            contacts?: string[];
            grant_types?: string[];
            jwks?: any;
            jwks_uri?: string;
            logo_uri?: string;
            policy_uri?: string;
            redirect_uris: string[];
            response_types?: string[];
            scope?: string;
            software_id?: string;
            software_statement?: string;
            software_version?: string;
            token_endpoint_auth_method?: string;
            tos_uri?: string;
        };
        get redirectUrl(): string | URL;
        addClientAuthentication?(
            headers: Headers,
            params: URLSearchParams,
            url: string | URL,
            metadata?: AuthorizationServerMetadata,
        ): void | Promise<void>;
        clientInformation(): | {
            client_id: string;
            client_id_issued_at?: number;
            client_secret?: string;
            client_secret_expires_at?: number;
        }
        | Promise<
            | {
                client_id: string;
                client_id_issued_at?: number;
                client_secret?: string;
                client_secret_expires_at?: number;
            }
            | undefined,
        >
        | undefined;
        codeVerifier(): string | Promise<string>;
        invalidateCredentials?(
            scope: "all" | "client" | "tokens" | "verifier",
        ): void | Promise<void>;
        redirectToAuthorization(authorizationUrl: URL): void | Promise<void>;
        saveClientInformation?(
            clientInformation: {
                client_id: string;
                client_id_issued_at?: number;
                client_name?: string;
                client_secret?: string;
                client_secret_expires_at?: number;
                client_uri?: string;
                contacts?: string[];
                grant_types?: string[];
                jwks?: any;
                jwks_uri?: string;
                logo_uri?: string;
                policy_uri?: string;
                redirect_uris: string[];
                response_types?: string[];
                scope?: string;
                software_id?: string;
                software_statement?: string;
                software_version?: string;
                token_endpoint_auth_method?: string;
                tos_uri?: string;
            },
        ): void
        | Promise<void>;
        saveCodeVerifier(codeVerifier: string): void | Promise<void>;
        saveTokens(
            tokens: {
                access_token: string;
                expires_in?: number;
                id_token?: string;
                refresh_token?: string;
                scope?: string;
                token_type: string;
            },
        ): void
        | Promise<void>;
        state?(): string | Promise<string>;
        tokens(): | {
            access_token: string;
            expires_in?: number;
            id_token?: string;
            refresh_token?: string;
            scope?: string;
            token_type: string;
        }
        | Promise<
            | {
                access_token: string;
                expires_in?: number;
                id_token?: string;
                refresh_token?: string;
                scope?: string;
                token_type: string;
            }
            | undefined,
        >
        | undefined;
        validateResourceURL?(
            serverUrl: string | URL,
            resource?: string,
        ): Promise<URL | undefined>;
    }
    Index

    Accessors

    clientMetadata redirectUrl

    Methods

    addClientAuthentication? clientInformation codeVerifier invalidateCredentials? redirectToAuthorization saveClientInformation? saveCodeVerifier saveTokens state? tokens validateResourceURL?

    Accessors

    • get clientMetadata(): {
          client_name?: string;
          client_uri?: string;
          contacts?: string[];
          grant_types?: string[];
          jwks?: any;
          jwks_uri?: string;
          logo_uri?: string;
          policy_uri?: string;
          redirect_uris: string[];
          response_types?: string[];
          scope?: string;
          software_id?: string;
          software_statement?: string;
          software_version?: string;
          token_endpoint_auth_method?: string;
          tos_uri?: string;
      }

      Metadata about this OAuth client.

      Returns {
          client_name?: string;
          client_uri?: string;
          contacts?: string[];
          grant_types?: string[];
          jwks?: any;
          jwks_uri?: string;
          logo_uri?: string;
          policy_uri?: string;
          redirect_uris: string[];
          response_types?: string[];
          scope?: string;
          software_id?: string;
          software_statement?: string;
          software_version?: string;
          token_endpoint_auth_method?: string;
          tos_uri?: string;
      }

    • get redirectUrl(): string | URL

      The URL to redirect the user agent to after authorization.

      Returns string | URL

    Methods

    • Adds custom client authentication to OAuth token requests.

      This optional method allows implementations to customize how client credentials are included in token exchange and refresh requests. When provided, this method is called instead of the default authentication logic, giving full control over the authentication mechanism.

      Common use cases include:

      • Supporting authentication methods beyond the standard OAuth 2.0 methods
      • Adding custom headers for proprietary authentication schemes
      • Implementing client assertion-based authentication (e.g., JWT bearer tokens)

      Parameters

      • headers: Headers

        The request headers (can be modified to add authentication)

      • params: URLSearchParams

        The request body parameters (can be modified to add credentials)

      • url: string | URL

        The token endpoint URL being called

      • Optionalmetadata: AuthorizationServerMetadata

        Optional OAuth metadata for the server, which may include supported authentication methods

      Returns void | Promise<void>

    • Loads information about this OAuth client, as registered already with the server, or returns undefined if the client is not registered with the server.

      Returns
          | {
              client_id: string;
              client_id_issued_at?: number;
              client_secret?: string;
              client_secret_expires_at?: number;
          }
          | Promise<
              | {
                  client_id: string;
                  client_id_issued_at?: number;
                  client_secret?: string;
                  client_secret_expires_at?: number;
              }
              | undefined,
          >
          | undefined

    • Loads the PKCE code verifier for the current session, necessary to validate the authorization result.

      Returns string | Promise<string>

    • If implemented, provides a way for the client to invalidate (e.g. delete) the specified credentials, in the case where the server has indicated that they are no longer valid. This avoids requiring the user to intervene manually.

      Parameters

      • scope: "all" | "client" | "tokens" | "verifier"

      Returns void | Promise<void>

    • Invoked to redirect the user agent to the given URL to begin the authorization flow.

      Parameters

      • authorizationUrl: URL

      Returns void | Promise<void>

    • If implemented, this permits the OAuth client to dynamically register with the server. Client information saved this way should later be read via clientInformation().

      This method is not required to be implemented if client information is statically known (e.g., pre-registered).

      Parameters

      • clientInformation: {
            client_id: string;
            client_id_issued_at?: number;
            client_name?: string;
            client_secret?: string;
            client_secret_expires_at?: number;
            client_uri?: string;
            contacts?: string[];
            grant_types?: string[];
            jwks?: any;
            jwks_uri?: string;
            logo_uri?: string;
            policy_uri?: string;
            redirect_uris: string[];
            response_types?: string[];
            scope?: string;
            software_id?: string;
            software_statement?: string;
            software_version?: string;
            token_endpoint_auth_method?: string;
            tos_uri?: string;
        }

      Returns void | Promise<void>

    • Saves a PKCE code verifier for the current session, before redirecting to the authorization flow.

      Parameters

      • codeVerifier: string

      Returns void | Promise<void>

    • Stores new OAuth tokens for the current session, after a successful authorization.

      Parameters

      • tokens: {
            access_token: string;
            expires_in?: number;
            id_token?: string;
            refresh_token?: string;
            scope?: string;
            token_type: string;
        }

      Returns void | Promise<void>

    • Returns a OAuth2 state parameter.

      Returns string | Promise<string>

    • Loads any existing OAuth tokens for the current session, or returns undefined if there are no saved tokens.

      Returns
          | {
              access_token: string;
              expires_in?: number;
              id_token?: string;
              refresh_token?: string;
              scope?: string;
              token_type: string;
          }
          | Promise<
              | {
                  access_token: string;
                  expires_in?: number;
                  id_token?: string;
                  refresh_token?: string;
                  scope?: string;
                  token_type: string;
              }
              | undefined,
          >
          | undefined

    • If defined, overrides the selection and validation of the RFC 8707 Resource Indicator. If left undefined, default validation behavior will be used.

      Implementations must verify the returned resource matches the MCP server.

      Parameters

      • serverUrl: string | URL
      • Optionalresource: string

      Returns Promise<URL | undefined>

    Settings

    Member Visibility

    On This Page

    Accessors
    Methods