mcp-auth-oauth

Installation
SKILL.md

MCP Auth — OAuth 2.1

Remote MCP servers use OAuth 2.1 + PKCE with Dynamic Client Registration. Any spec-compliant MCP client — Claude Desktop, Claude Code, Cursor, ChatGPT Apps — can authenticate users without hardcoded client IDs.

When to Use

  • Building a remote MCP server that serves multiple users
  • Migrating a static-bearer-token server to per-user auth
  • Debugging "401 Unauthorized" or "failed to authenticate" in an MCP client
  • Adding scope-based permission to an MCP server

The Flow (RFC 8414 + RFC 7591 + PKCE)

  1. Client connects to MCP server → server returns 401 with WWW-Authenticate pointing to the authorization server metadata URL
  2. Client fetches /.well-known/oauth-authorization-server → gets authorization_endpoint, token_endpoint, registration_endpoint
  3. Client POSTs to registration_endpoint (RFC 7591) → receives a client_id dynamically
  4. Client opens browser to authorization_endpoint with PKCE challenge → user approves
  5. Client exchanges code at token_endpoint → receives access + refresh tokens
  6. Client retries MCP request with Authorization: Bearer <token>
Installs
12
GitHub Stars
4
First Seen
May 30, 2026
mcp-auth-oauth — latestaiagents/agent-skills