mcp-auth-oauth
Installation
SKILL.md
MCP Auth — OAuth 2.1
Remote MCP servers use OAuth 2.1 + PKCE with Dynamic Client Registration. Any spec-compliant MCP client — Claude Desktop, Claude Code, Cursor, ChatGPT Apps — can authenticate users without hardcoded client IDs.
When to Use
- Building a remote MCP server that serves multiple users
- Migrating a static-bearer-token server to per-user auth
- Debugging "401 Unauthorized" or "failed to authenticate" in an MCP client
- Adding scope-based permission to an MCP server
The Flow (RFC 8414 + RFC 7591 + PKCE)
- Client connects to MCP server → server returns
401withWWW-Authenticatepointing to the authorization server metadata URL - Client fetches
/.well-known/oauth-authorization-server→ getsauthorization_endpoint,token_endpoint,registration_endpoint - Client POSTs to
registration_endpoint(RFC 7591) → receives aclient_iddynamically - Client opens browser to
authorization_endpointwith PKCE challenge → user approves - Client exchanges code at
token_endpoint→ receives access + refresh tokens - Client retries MCP request with
Authorization: Bearer <token>