MCP Auth 🔐

Intro

👨‍💼 Hello, my name is Peter the Product Manager. I'm here to help you get oriented and to give you your assignments for the workshop!
Welcome to MCP Auth! In this workshop, you'll master authentication and authorization for Model Context Protocol (MCP) servers—the essential skills for building secure, production-ready MCP applications that handle real user data.
The Model Context Protocol is powerful, but without proper authentication, your MCP servers can only provide public data. To build truly useful applications—journaling apps, document managers, personal assistants—you need to securely identify users and control access to their private resources.

OAuth Authentication Flow

The flow involves three parties:
  • Host Application (VS Code, Claude Desktop, etc.) with MCP Client
  • Authorization Server
  • MCP Server (Resource Server)

The steps, in order:

1. Authorize & get token: the MCP client sends the user to the Authorization Server to authorize access
2. Access token: the Authorization Server issues an access token to the MCP client
3. MCP request + token: the MCP client calls the MCP Server with the token in the Authorization header
4. Validate token: the MCP Server asks the Authorization Server whether the token is valid
5. Token info: the Authorization Server returns the token's status, user and scopes
6. Protected MCP response: the MCP Server answers with data scoped to that user

We're focused on the Resource Server in this workshop. That's the MCP server you're building, and it's the part of the flow most directly relevant to you as a developer of MCP servers.
Throughout this workshop, you'll learn:
  • Service Discovery: Implement the OAuth protected resource metadata endpoint that lets clients automatically discover which authorization server to use and how to authenticate with your MCP server
  • Authorization Headers: Properly handle OAuth Bearer tokens in the Authorization header and respond with a clear 401 challenge (a WWW-Authenticate header) when a token is missing or invalid
  • Token Introspection: Validate access tokens and extract user information using OAuth 2.0 Token Introspection (RFC 7662)
  • User Context: Pass the authenticated user's identity through your MCP server so every operation is scoped to the current user rather than to a client-supplied identifier
  • Scope-based Permissions: Implement fine-grained access control using OAuth scopes to protect sensitive operations and data
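To make the five pieces above concrete, here is an added example (not the workshop's or EpicMe's code) of the resource-server side of the flow in TypeScript: parsing the Bearer header, challenging with a WWW-Authenticate header that points at the resource metadata, validating the token, building a user context, and enforcing a per-tool scope. The introspection endpoint is replaced by a constructed in-memory lookup, and every URL, scope name, tool name and token value is an assumption made for the illustration.

```typescript
// Added example, not from the workshop. All names, URLs, scopes and tokens
// below are assumptions; the introspection backend is a constructed stub.

type Headers = Record<string, string>
type Request = { method: string; headers: Headers; body?: unknown }
type Response = { status: number; headers: Headers; body?: unknown }

// Subset of an RFC 7662 introspection response that the server checks.
type Introspection =
  | { active: false }
  | { active: true; sub: string; scope: string; exp: number; aud?: string | string[] }

// Hypothetical identifiers for this MCP server.
const RESOURCE = "https://mcp.example.com/mcp"
const RESOURCE_METADATA = "https://mcp.example.com/.well-known/oauth-protected-resource"

// Assumed scope required by each MCP tool.
const TOOL_SCOPES: Record<string, string> = {
  list_entries: "entries:read",
  create_entry: "entries:write",
}

// Constructed stand-in for the authorization server's introspection endpoint.
// A real server POSTs the token to that endpoint over TLS using its own credentials.
const SAMPLE_TOKENS: Record<string, Introspection> = {
  tok_read:  { active: true, sub: "user_42", scope: "entries:read", exp: 4102444800, aud: RESOURCE },
  tok_rw:    { active: true, sub: "user_42", scope: "entries:read entries:write", exp: 4102444800, aud: [RESOURCE] },
  tok_stale: { active: true, sub: "user_42", scope: "entries:write", exp: 1000000000, aud: RESOURCE },
  tok_other: { active: true, sub: "user_7", scope: "entries:write", exp: 4102444800, aud: "https://other.example.com" },
}
function introspect(token: string): Introspection {
  return SAMPLE_TOKENS[token] ?? { active: false }
}

// RFC 6750: "Authorization: Bearer <token68>"; the scheme name is case-insensitive.
function parseBearer(headers: Headers): string | null {
  const raw = headers["authorization"] ?? headers["Authorization"]
  const m = raw ? /^Bearer\s+([A-Za-z0-9\-._~+/]+=*)$/i.exec(raw.trim()) : null
  return m ? m[1] : null
}

// 401 challenge carrying resource_metadata (RFC 9728) so a client that has no
// token yet can discover the authorization server from this one response.
function unauthorized(error?: string, description?: string): Response {
  let challenge = `Bearer resource_metadata="${RESOURCE_METADATA}"`
  if (error) challenge += `, error="${error}", error_description="${description}"`
  return { status: 401, headers: { "WWW-Authenticate": challenge } }
}

// 403 for a valid token that lacks the scope the operation needs.
function forbidden(scope: string): Response {
  return { status: 403, headers: { "WWW-Authenticate": `Bearer error="insufficient_scope", scope="${scope}"` } }
}

type AuthContext = { user: string; scopes: Set<string> }

// Validate the token and build the user context every handler is scoped to.
// `now` is injectable so expiry checks are deterministic in tests.
function authenticate(req: Request, now: number = Math.floor(Date.now() / 1000)): AuthContext | Response {
  const token = parseBearer(req.headers)
  if (!token) return unauthorized()
  const info = introspect(token)
  if (!info.active) return unauthorized("invalid_token", "token is not active")
  if (info.exp <= now) return unauthorized("invalid_token", "token has expired")
  // Reject tokens minted for some other resource server, even if otherwise valid.
  const aud = Array.isArray(info.aud) ? info.aud : info.aud ? [info.aud] : []
  if (!aud.includes(RESOURCE)) return unauthorized("invalid_token", "token was not issued for this resource")
  return { user: info.sub, scopes: new Set(info.scope.split(" ").filter(Boolean)) }
}

// Dispatch one MCP tool call, enforcing the scope the tool requires.
function handleToolCall(req: Request, tool: string, now?: number): Response {
  const auth = authenticate(req, now)
  if ("status" in auth) return auth
  const needed = TOOL_SCOPES[tool]
  if (needed === undefined) return { status: 404, headers: {}, body: { error: "unknown tool" } }
  if (!auth.scopes.has(needed)) return forbidden(needed)
  // Data access is keyed by the authenticated subject, never by an id the client sends.
  return { status: 200, headers: {}, body: { tool, owner: auth.user } }
}
```

The audience check is the part most often skipped: introspection alone tells you the token is live, not that it was issued for your server, and a token accepted without that check can be replayed from one resource server to another.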
We'll be building a secure version of EpicMe, a personal journaling application that demonstrates real-world authentication patterns. You'll see how to:
  • Protect journal entries so users only see their own content
  • Implement scope-based permissions for read vs. write operations
  • Handle authentication errors gracefully with helpful error messages
  • Provide metadata endpoints that make your server easy to integrate with
This workshop uses the OAuth 2.0 standard and follows the MCP Authorization specification, ensuring your skills transfer to any OAuth-compatible system.
We'll be using:
Prerequisites: This workshop builds on MCP fundamentals. If you're new to MCP, consider taking Advanced MCP Features first to get familiar with the protocol basics.
Ready to build secure, user-aware MCP applications? Let's dive into the world of authenticated Model Context Protocol servers!