Crate turbomcp_auth 

TurboMCP Auth - OAuth 2.1 and Authentication

Comprehensive OAuth 2.1, API key authentication, and authorization functionality for the TurboMCP protocol with MCP specification compliance.

Features

• OAuth 2.1 - RFC 8707/9728/7591 compliant with MCP resource binding
• Multi-Provider - Google, GitHub, Microsoft with PKCE and security hardening
• API Key Auth - Simple API key authentication provider
• Session Management - Secure session handling and token management
• DPoP Support - Optional RFC 9449 proof-of-possession (feature: dpop)

Architecture

• config - Configuration types for authentication providers
• types - Core authentication types (AuthContext, UserInfo, etc.)
• providers - Authentication provider implementations
  • api_key - API key authentication
• manager - Authentication manager for provider orchestration
• oauth2 - OAuth 2.1 implementation with RFC compliance

Feature Flags

• default - Core authentication (no optional features)
• dpop - Enable DPoP (RFC 9449) support via turbomcp-dpop

Re-exports

pub use api_key::ApiKeyProvider;

pub use turbomcp_dpop as dpop;

Modules

api_key

API Key Authentication Provider

config

Authentication Configuration Types

manager

Authentication Manager

oauth2

OAuth 2.1 Implementation

providers

Authentication Providers

types

Core Authentication Types

Structs

AccessToken

Secure access token with metadata

AuthConfig

Authentication configuration

AuthContext

Authentication context containing user information and session data

AuthManager

Authentication manager for coordinating multiple authentication providers

AuthProviderConfig

Authentication provider configuration

AuthorizationConfig

Authorization configuration

ClientRegistrationError

Client Registration Error Response (RFC 7591)

ClientRegistrationRequest

Dynamic Client Registration Request (RFC 7591)

ClientRegistrationResponse

Dynamic Client Registration Response (RFC 7591)

DefaultAuthMiddleware

Default authentication middleware

DeviceAuthorizationResponse

Device authorization response for CLI/IoT flows

DpopConfig

DPoP (Demonstration of Proof-of-Possession) configuration

DynamicClientRegistration

Dynamic Client Registration Manager for RFC 7591 compliance

McpResourceRegistry

MCP Server Resource Registry for RFC 9728 compliance

OAuth2AuthResult

OAuth 2.0 authorization result

OAuth2Config

OAuth 2.0 configuration

ProtectedResourceMetadata

Protected Resource Metadata (RFC 9728) for server-side discovery

ProviderConfig

Provider-specific configuration for handling OAuth quirks

SessionConfig

Session configuration

TokenInfo

Token information

UserInfo

User information

Enums

ApplicationType

Application type for OAuth client (RFC 7591)

AuthCredentials

Authentication credentials

AuthProviderType

Authentication provider types

BearerTokenMethod

Bearer token delivery methods (RFC 9728)

ClientRegistrationErrorCode

Client Registration Error Codes (RFC 7591)

DpopKeyStorageConfig

DPoP key storage configuration

OAuth2FlowType

OAuth 2.0 flow types

ProviderType

OAuth2 provider types with built-in configurations

RefreshBehavior

Token refresh behavior strategies

SecurityLevel

Security levels for OAuth 2.0 flows

SessionStorageType

Session storage types

Traits

AuthMiddleware

Authentication middleware trait

AuthProvider

Authentication provider trait

TokenStorage

Secure token storage abstraction