03. Auth Info/01. Introspect (💪 problem)

Introspect

Introspect Pjgp6

👨‍💼 Ok, so we've got the user's auth token, but what do we do with it? Our server needs to know:

Is the token valid?
Is it still active?
Who is this person? (user ID)
What permissions do they have? (scopes)

So we need to "introspect" the token to get this information.

// When a user makes a request, we need to resolve their token
const authInfo = await resolveAuthInfo(request.headers.get('authorization'))
if (!authInfo) {
	return handleUnauthorized(request)
}

console.log(`User ${authInfo.extra.userId} from ${authInfo.clientId}`)
console.log(`Has scopes: ${authInfo.scopes.join(', ')}`)

Auth providers implement this slightly differently, but the core concept is the same: you send the token to the auth server, and it tells you everything you need to know about that token. Some auth providers store their token as a JWT which means the information is contained within the token itself and you don't need to perform a request to the auth server to get the information.

One way or another though, you need to determine whether the token is valid and active.

🔍 Token validation is essential for user-specific features. Without it, you can't personalize the experience or enforce proper permissions.

The introspection process involves making a POST request to the auth server's introspection endpoint with the token. The response contains the user ID (sub), client ID (client_id), and scopes (scope) that tell you exactly what this token represents.

// Example introspection request
const validateUrl = new URL('/oauth/introspection', 'https://auth.example.com')
const resp = await fetch(validateUrl, {
	method: 'POST',
	headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
	body: new URLSearchParams({ token }),
})

const result = await resp.json()
// result.sub = user ID
// result.client_id = app the user is using
// result.scope = space-separated list of permissions

🎯 When you're finished with this exercise, the behavior won't change visually. Consider adding a console.log to see the introspection results in action!

📜 For more details on token introspection, see the OAuth 2.0 Token Introspection RFC.

The goal is to transform anonymous tokens into rich user context, enabling personalized experiences and proper permission enforcement.

Now, let's implement the resolveAuthInfo function to make this happen!

Previous Next

Edit

problem solution diff chat

Please set the playground first

Loading "Introspect"

⚡General
How to deploy the MCP?
tj1892 ⚡:
How do you deploy the MCP server to the user? Say I have implemented a MCP server providing tools fo...
0 · a day ago
🔐MCP Auth
Auth 2.1
BeyondLimits99 ⚡:
Hey Kent, just wanted to double check something in the auth 2.1 session. When we implement the auth...
✅2
3 · 2 days ago
🔐MCP Auth
Consistent issues in the MCP Auth phase
Jangla ⚡:
I can walk through the guided Auth process but the moment I click "Connect", I get the same toast er...
✅1
3 · 3 days ago
🔐MCP Auth
Transcript unavailable in the Protected Resource solution (MCP Auth Workshop).
Nhalillo ⚡:
This is a minor issue, but I rely on transcripts in my current learning process. I tried restarting ...
✅1
3 · 2 days ago
⚡General
Epic MCP Server
Fede:
Given the amount of questions around deployment and getting started, it would be cool to have an Epi...
✅1
2 · 5 days ago
⚡General
Cloudflare deployment
Aaron Schwartz:
Do you have any resources on deploying to a live cloudflare instance? I haven't dug through the work...
👍1
✅1
4 · 5 days ago
🔐MCP Auth
Where are scope hints displayed?
Aaron Schwartz:
Are the scope hints displayed by any of the clients? How is the user supposed to use the hints? It s...
✅1
1 · 5 days ago
🔐MCP Auth
invalid authorization code format - 03 protected resource
mark:
In the protected resource exercise I'm getting an invalid authorization code format error in the tok...
✅1
1 · 5 days ago
💪Adv. MCP Features
⚡General
Understanding Session and State Management for Remote MCP Server
Kusten ⚡:
I just completed the Advanced Features workshop, and the notifications/tools/list_changed section le...
✅1
1 · 5 days ago
⚡General
Epic MCP server not initializing
steve ⚡:
I am attempting to configure the Epic MCP Server per Kent's instructions here: https://www.epicai.pr...
✅2
3 · 8 days ago
⚡General
What will tomorrows MCP hosts look like?
Paul 🚀:
Hi Kent,  Thanks for putting together the course, I’m really enjoying it. Im interested if you have...
✅1
2 · 9 days ago
⚡General
VS Code Copilot and Epic Workshop MCP Server
Alexandre 🚀:
I might have missed something, but how do we install the Epic Workshop MCP Server so we can ask Copi...
✅1
3 · 10 days ago
🐣MCP Fundamentals
💪Adv. MCP Features
🔐MCP Auth
💻MCP UI
What about the usage of MCP Servers for some kind of chat interacting with a local LLM?
frankfullstack ⚡:
I would like to raise a general question about the usage of MCP Servers and how we could interact fr...
✅1
5 · 15 days ago
🐣MCP Fundamentals
⚡General
It'd be really cool to have a basic deployment guide.
BeyondLimits99 ⚡:
The course has been amazing so far! I'd love to have a basic deployment guide just so I can practice...
✅2
3 · 12 days ago
⚡General
non-related question: how do you rollout updates?
mark:
I'm very curious to hear: How do you roll-out new updates? do you use some kind of libary?
✅1
5 · 17 days ago
🐣MCP Fundamentals
⚡General
How do you teach the LLMs to use ResourceTemplates and ResourceTemplatesList?
frontendwizard:
I'm playing around with building an mcp with claude and he has a tendency to go for json for everyth...
✅1
8 · 15 days ago

Loading Discord Posts

Create Post