This is a reference MCP Server implementation of the draft Authorization spec updates using the official typescript sdk.
This repo can be used with this Postman collection
There are two separate auth provider options:
- Cognito
- Keycloak (self-hosted)
We validate the scope: mcp:access, with <resource-id>/mcp:access. For example, https://mcp-server.com/mcp:access
Keep in mind that OAuth 2.1 doesn't allow http protocol, so you will want to use ngrok with a static url (available for free from ngrok) to properly test this out.
If you want to use localhost without ngrok because you don't care, you can override the PORT and PROTOCOL env variables for the authorization and resource servers by setting them in .envs (check config folder if you're confused)
-
Build and start the server:
npm i npm run build npm run start
-
The MCP server will start on port 1335.
-
In another terminal, create the ngrok tunnel to the MCP server:
ngrok http --domain=<get-a-custom-domain-from-ngrok(free)-and-place-here> 1335
-
Configure this resource server in the
Domainstab of your AWS Cognito dashboard