> ## Documentation Index
> Fetch the complete documentation index at: https://docs.mcp-use.com/llms.txt
> Use this file to discover all available pages before exploring further.
# Overview
> Add OAuth 2.0/2.1 authentication to your MCP server with support for Auth0, Better Auth, WorkOS, Supabase, Keycloak, and custom providers
# Server Authentication
Add enterprise-grade OAuth 2.0/2.1 authentication to your MCP server. Secure your tools with bearer token authentication, implement role-based access control (RBAC), and access authenticated user information in your tool callbacks.
## Quick Start
Use a built-in provider when your identity provider supports remote authentication. Clients register and authenticate directly with the upstream provider - your server only verifies the resulting bearer token.
```typescript theme={null}
import { MCPServer, oauthWorkOSProvider } from 'mcp-use/server'
const server = new MCPServer({
name: 'my-secure-server',
version: '1.0.0',
oauth: oauthWorkOSProvider({
subdomain: process.env.MCP_USE_OAUTH_WORKOS_SUBDOMAIN!, // 'your-company.authkit.app'
})
})
server.tool({
name: 'get-user-profile',
description: 'Get the authenticated user profile',
cb: async (params, context) => {
const user = context.auth.user
return { userId: user.userId, email: user.email, name: user.name }
}
})
await server.listen(3000)
```
Use `oauthProxy` when your provider doesn't support Dynamic Client Registration (Google, GitHub, Okta, Azure AD, etc.). Your server holds pre-registered client credentials and mediates the token exchange.
```typescript theme={null}
import { MCPServer, oauthProxy, jwksVerifier } from 'mcp-use/server'
const server = new MCPServer({
name: 'my-secure-server',
version: '1.0.0',
oauth: oauthProxy({
authEndpoint: 'https://accounts.google.com/o/oauth2/v2/auth',
tokenEndpoint: 'https://oauth2.googleapis.com/token',
issuer: 'https://accounts.google.com',
clientId: process.env.GOOGLE_CLIENT_ID!,
clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
scopes: ['openid', 'email', 'profile'],
extraAuthorizeParams: { access_type: 'offline' },
verifyToken: jwksVerifier({
jwksUrl: 'https://www.googleapis.com/oauth2/v3/certs',
issuer: 'https://accounts.google.com',
audience: process.env.GOOGLE_CLIENT_ID!,
}),
})
})
server.tool({
name: 'get-user-profile',
description: 'Get the authenticated user profile',
cb: async (params, context) => {
const user = context.auth.user
return { userId: user.userId, email: user.email, name: user.name }
}
})
await server.listen(3000)
```
## Providers
Not sure which to use? Use a remote auth provider if your identity provider supports Dynamic Client Registration. If it doesn't, use `oauthProxy`.
### Remote Auth (built-in)
Clients register and authenticate directly with the provider.
* [Auth0](/typescript/server/authentication/providers/auth0) - Full OAuth 2.1 with PKCE and JWKS verification
* [Better Auth](/typescript/server/authentication/providers/better-auth) - Self-hosted OAuth 2.1 via the Better Auth OAuth Provider plugin
* [WorkOS](/typescript/server/authentication/providers/workos) - Enterprise SSO via WorkOS AuthKit
* [Supabase](/typescript/server/authentication/providers/supabase) - Authentication for Supabase projects
* [Keycloak](/typescript/server/authentication/providers/keycloak) - Enterprise SSO with realm roles
* [Custom Provider](/typescript/server/authentication/providers/custom) - Any DCR-capable provider with a custom `verifyToken` function
### OAuth Proxy
For providers that don't support remote client registration - Google, GitHub, Okta, Azure AD, or any provider where you register an application in a dashboard and receive a fixed `clientId`/`clientSecret` - use `oauthProxy`:
* [OAuth Proxy](/typescript/server/authentication/providers/oauth-proxy) - Bridge non-DCR providers with pre-registered client credentials, including ready-to-copy configs for Google, Okta, Azure AD, Auth0, and GitHub.
## How it works
### Remote auth flow
1. Your server exposes `.well-known/*` endpoints that pass through the upstream provider's OAuth metadata - including its `registration_endpoint`.
2. MCP clients fetch that metadata, register themselves directly with the upstream provider, then run the full authorization + token exchange against it.
3. On each `/mcp/*` request, your server verifies the bearer token (JWKS signature check, issuer, audience).
### OAuth proxy flow
1. Your server exposes a `/register` endpoint that returns your pre-configured `clientId`.
2. MCP clients run PKCE authorization against the upstream using that `clientId`.
3. At token exchange, your server injects the `clientId` and `clientSecret` before forwarding to the upstream.
4. On each `/mcp/*` request, your server verifies the bearer token via the `verifyToken` function you provided.
Your server holds the client credentials and mediates every token exchange.
## OAuth Endpoints
When OAuth is configured, your server exposes these discovery endpoints:
```
GET /.well-known/oauth-authorization-server
GET /.well-known/openid-configuration
GET /.well-known/oauth-protected-resource
GET /.well-known/oauth-protected-resource/mcp
```
The authorization-server endpoints pass through the upstream provider's metadata so clients can discover the real authorize, token, and registration URLs.
## Bearer Token Authentication
All `/mcp/*` endpoints require a valid bearer token when OAuth is configured:
```
Authorization: Bearer eyJhbGci...
```
## Next Steps
* [Client Authentication](/typescript/client/authentication) - Connect to OAuth servers from clients
* [useMcp Hook](/typescript/client/usemcp) - React hook with OAuth support
* [User Context](/typescript/server/authentication/user-context) - Access user information in tools