
Crate mcp_oauth


§mcp-oauth

A reusable OAuth 2.1 layer for MCP (Model Context Protocol) servers, designed for compatibility with Claude.ai.

This crate is not a standalone binary — consumers import it and call build_oauth_router_with_stores to wrap their axum Router with a complete OAuth 2.1 implementation.

§Features

  • OAuth 2.1 with PKCE (S256) — authorization code flow with proof key
  • Dynamic client registration (RFC 7591)
  • WebAuthn / passkey authentication — passwordless approval via hardware keys or biometrics
  • Token refresh — long-lived sessions via refresh tokens
  • Per-IP rate limiting — three tiers (auth, registration, general)
  • Pluggable storage via TokenStore, ClientStore, PasskeyStore traits
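The first feature above, PKCE with the S256 method, is the check that makes the authorization-code flow safe against a stolen code: the client sends a hash of a secret at the authorization endpoint and the secret itself at the token endpoint, and the server refuses to issue tokens unless they match. The following Python snippet is an added, standalone illustration of that derivation and server-side check (it is not mcp_oauth code and does not use its API; the function names are hypothetical). It reproduces the RFC 7636 Appendix B test vector and shows both the accept and the reject path.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Hypothetical helper names for illustration only; mcp_oauth's internals differ.

# RFC 7636 section 4.1: verifier is 43..128 chars from the unreserved set.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def generate_code_verifier(n_bytes: int = 32) -> str:
    """Client side: high-entropy random verifier (32 bytes -> 43 url-safe chars)."""
    return secrets.token_urlsafe(n_bytes)


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Server side, at the token endpoint.

    The challenge and method were stored alongside the authorization code when
    the /authorize request was approved; the verifier arrives with the code
    exchange. OAuth 2.1 only permits S256, so anything else is rejected.
    """
    if stored_method != "S256":
        return False
    if not _VERIFIER_RE.match(presented_verifier):
        return False
    # Constant-time comparison so the check leaks nothing about the stored value.
    return hmac.compare_digest(s256_challenge(presented_verifier), stored_challenge)


def rfc7636_vector_matches() -> bool:
    """Known-answer check from RFC 7636 Appendix B."""
    verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    return s256_challenge(verifier) == "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def simulate_code_exchange() -> dict:
    """Walk one authorization-code round trip with a constructed in-memory store.

    Returns which token requests the server would accept: the honest client
    holding the verifier, an attacker who only captured the code/challenge,
    and a downgrade attempt to the removed 'plain' method.
    """
    verifier = generate_code_verifier()
    # Constructed store entry: what the server keeps keyed by the issued auth code.
    auth_codes = {
        "code-abc123": {"code_challenge": s256_challenge(verifier), "method": "S256"}
    }
    entry = auth_codes["code-abc123"]
    return {
        "honest_client": verify_pkce(entry["code_challenge"], entry["method"], verifier),
        # Attacker replays the code with the challenge value, not the verifier.
        "stolen_code_only": verify_pkce(entry["code_challenge"], entry["method"],
                                        entry["code_challenge"]),
        "plain_downgrade": verify_pkce(verifier, "plain", verifier),
    }


if __name__ == "__main__":
    print("RFC 7636 vector ok:", rfc7636_vector_matches())
    print(simulate_code_exchange())
```

Two details worth noting when reviewing an implementation like this crate: the authorization code must be single-use (delete the stored entry as soon as it is exchanged, whether or not the PKCE check passed), and the comparison should be constant-time, as above, since the stored challenge is effectively a secret for the lifetime of the code.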

§Quick start

use axum::Router;
use mcp_oauth::{OAuthConfig, build_oauth_router_with_stores};
use std::path::PathBuf;

let mcp_routes = Router::new(); // your protected MCP routes

// Using the builder (recommended):
let config = OAuthConfig::builder(
    "https://my-mcp.example.com".into(),
    "my-client-id".into(),
    "my-client-secret".into(),
    "My MCP Server".into(),
    PathBuf::from("passkeys.json"),
)
.setup_token("initial-setup-token")
.add_redirect_uri("https://myapp.example.com/callback")
.build()
.expect("valid config");

let (token_store, client_store, passkey_store) =
    mcp_oauth::create_default_stores(&config);
let app = build_oauth_router_with_stores(
    mcp_routes, config, token_store, client_store, passkey_store,
);
// Serve `app` with axum / hyper as usual.

Re-exports§

pub use store::json_file::JsonFileClientStore;
pub use store::json_file::JsonFilePasskeyStore;
pub use store::json_file::JsonFileTokenStore;
pub use store::AccessTokenEntry;
pub use store::AuthCode;
pub use store::ClientStore;
pub use store::PasskeyStore;
pub use store::RefreshTokenEntry;
pub use store::RegisteredClient;
pub use store::StoreError;
pub use store::TokenStore;

Modules§

store
Pluggable storage traits for the OAuth layer.

Structs§

CapacityConfig
Capacity limits for in-memory transient state and persistent stores.
OAuthConfig
OAuthConfigBuilder
Builder for OAuthConfig.
RateLimitConfig
Per-IP rate limiting configuration (requests per minute).

Enums§

OAuthConfigError
Errors that can occur when building an OAuthConfig via the builder.

Functions§

build_oauth_router (deprecated)
Wraps protected_router with OAuth 2.1 endpoints and Bearer-token middleware.
build_oauth_router_with_stores
Wraps protected_router with OAuth 2.1 endpoints and Bearer-token middleware.
create_default_stores
Create the default JSON-file-backed stores from an OAuthConfig.
default_redirect_uris
Returns the default allowed redirect URIs (Claude.ai callbacks).