Configuration

@mcpauth/auth is highly configurable. This page documents environment variables, provider options, and server options.

Environment Variables

Variable	Required	Description
`MCPAUTH_ALLOWED_ORIGIN`	✅	Comma-separated list of origins allowed to use your OAuth server.
`MCPAUTH_SECRET`	✅	Secret for signing the `state` param during OAuth flow.
`MCPAUTH_PRIVATE_KEY`	✅	Private key for signing JWTs. Must be PEM formatted.

Provider Options

All adapters ultimately consume the same core provider options:

interface ProviderOptions {
  adapter: StoreAdapter;        // PrismaAdapter | DrizzleAdapter | ...
  issuerUrl: string;            // e.g. process.env.BASE_URL
  issuerPath?: string;          // default: /api/oauth
  authenticateUser: (req) => Promise<OAuthUser | null>;
  signInUrl?: (req, cb: string) => string; // Optional custom login page
  serverOptions?: ServerOptions; // see below
}

`authenticateUser`

This callback bridges your existing user auth to the OAuth flow. Return a user object if the request is authenticated, otherwise null.

const mcpAuth = McpAuth({
  ...options,
  authenticateUser: async (req) => {
    // Example: using a session manager like NextAuth.js or Express Session
    const session = await getSession(req);
    return (session?.user as OAuthUser) ?? null;
  },
});

Server Options

Option	Default	Description
`accessTokenLifetime`	`3600`	Lifetime of access tokens (seconds).
`refreshTokenLifetime`	`1209600`	Lifetime of refresh tokens (seconds).

Next: Next.js Adapter ➡️

Configuration

Configuration

Environment Variables

Provider Options

authenticateUser

Server Options

On this page

`authenticateUser`