
feat(auth-middleware): add example MCP server with JWT and API key #339

Merged
jba merged 3 commits into modelcontextprotocol:main from yasomaru:examples/auth-middleware-mcp
Sep 2, 2025

@yasomaru
Contributor

This commit introduces a new example demonstrating the integration of authentication middleware with an MCP server. The server supports both JWT token and API key authentication, along with scope-based access control for various MCP tools. Key features include token generation endpoints, in-memory API key storage, and a health check endpoint.

New files added:

  • main.go: Implements the MCP server and authentication logic.
  • go.mod and go.sum: Manage dependencies for the project.
  • README.md: Provides setup instructions, available endpoints, and example usage.

This example serves as a reference for implementing secure access to MCP tools.

Fixes #330

@findleyr findleyr requested review from ant-joe and jba and removed request for ant-joe August 20, 2025 23:39
@wagnerjt

Amazing, Cheers for this! Just one thing -- with the 0.3.0 release, there are a few breaking changes to this example. With a few minor tweaks around the CallToolResultFor it should just work :)

@yasomaru yasomaru force-pushed the examples/auth-middleware-mcp branch 2 times, most recently from 9887230 to 2defb9f Compare August 28, 2025 22:51
@yasomaru
Contributor Author

@wagnerjt
Thank you for the feedback! You're absolutely right about the breaking changes in the 0.3.0 release.
I've already updated the auth-middleware example to work with the new MCP SDK types.

@wagnerjt

Unfortunately I'm not a maintainer of this repo to approve this. Just wanted to give you a heads up and again, nice example @yasomaru!

@findleyr
Contributor

Thanks! We'll review shortly. If @jba can't review today, I'll review :)

Contributor

@jba jba left a comment

This is awesome! Thanks so much for doing this and validating (no pun intended) the server-side auth design.

Is there anything we're missing? Something in the auth package you wish we had?

@yasomaru
Contributor Author

@jba

> This is awesome! Thanks so much for doing this and validating (no pun intended) the server-side auth design.
>
> Is there anything we're missing? Something in the auth package you wish we had?

Thank you for the kind words!
After implementing this example, I have a few thoughts on the auth package:

  1. Scope Validation Helpers
    Maybe some utility functions for common scope checking patterns? Something like:

    ```go
    func HasScope(tokenInfo *TokenInfo, requiredScope string) bool

    func HasAnyScope(tokenInfo *TokenInfo, requiredScopes []string) bool

    func HasAllScopes(tokenInfo *TokenInfo, requiredScopes []string) bool
    ```

  2. Token Expiration Utilities
    Helper functions for common expiration checks:

    ```go
    func IsExpired(tokenInfo *TokenInfo) bool

    func TimeUntilExpiration(tokenInfo *TokenInfo) time.Duration
    ```

But the current design is already quite solid and covers the main use cases really well.

@yasomaru yasomaru requested a review from jba August 31, 2025 01:16
@jba
Contributor

jba commented Aug 31, 2025

Thanks for those suggestions. I'm glad the core design is sound.
Usually we don't provide simple helpers like that unless they are hard or tricky to write, and I don't think any of those are.
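
The helper signatures proposed in this thread, written out as an added example (not code from this PR or from the SDK's auth package) to show the fail-closed edge cases a caller has to settle. `TokenInfo` here is a local stand-in struct, and treating a nil token or an unset `Expiration` as expired is an assumption of this example.

```go
package main

import (
	"fmt"
	"slices"
	"time"
)

// TokenInfo is a local stand-in (assumption) holding only what the helpers read.
type TokenInfo struct {
	Scopes     []string
	Expiration time.Time
}

// HasScope does an exact, case-sensitive match; a nil token fails closed.
func HasScope(ti *TokenInfo, requiredScope string) bool {
	return ti != nil && slices.Contains(ti.Scopes, requiredScope)
}

// HasAnyScope is false for an empty requirement list: nothing was matched.
func HasAnyScope(ti *TokenInfo, requiredScopes []string) bool {
	return slices.ContainsFunc(requiredScopes, func(s string) bool { return HasScope(ti, s) })
}

// HasAllScopes is vacuously true for an empty list, but never for a nil token.
func HasAllScopes(ti *TokenInfo, requiredScopes []string) bool {
	missing := func(s string) bool { return !HasScope(ti, s) }
	return ti != nil && !slices.ContainsFunc(requiredScopes, missing)
}

// TimeUntilExpiration returns 0 for a nil token, an unset Expiration, or a past one.
func TimeUntilExpiration(ti *TokenInfo) time.Duration {
	if ti == nil || ti.Expiration.IsZero() {
		return 0
	}
	if d := time.Until(ti.Expiration); d > 0 {
		return d
	}
	return 0
}

// IsExpired treats a missing expiry as expired, so an unset field never grants access.
func IsExpired(ti *TokenInfo) bool { return TimeUntilExpiration(ti) <= 0 }

func main() {
	ti := &TokenInfo{Scopes: []string{"read"}, Expiration: time.Now().Add(time.Hour)} // constructed sample
	fmt.Println(HasScope(ti, "read"), HasAllScopes(ti, []string{"read", "write"}), IsExpired(ti))
}
```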

…thentication

This commit introduces a new example demonstrating the integration of authentication middleware with an MCP server. The server supports both JWT token and API key authentication, along with scope-based access control for various MCP tools. Key features include token generation endpoints, in-memory API key storage, and a health check endpoint.

New files added:
- `main.go`: Implements the MCP server and authentication logic.
- `go.mod` and `go.sum`: Manage dependencies for the project.
- `README.md`: Provides setup instructions, available endpoints, and example usage.

This example serves as a reference for implementing secure access to MCP tools.
…mments

This commit renames several functions in the authentication middleware to improve clarity, changing `jwtVerifier` to `verifyJWT` and `apiKeyVerifier` to `verifyAPIKey`. Additionally, comments throughout the code have been updated for consistency and clarity, ensuring they accurately describe the functionality. The changes also include adjustments to the handling of user information extraction and scope checks in the MCP tools.
@yasomaru yasomaru force-pushed the examples/auth-middleware-mcp branch from 9281e40 to 7c04a3d Compare September 2, 2025 12:13
@jba jba merged commit a3935c6 into modelcontextprotocol:main Sep 2, 2025
5 checks passed

Development

Successfully merging this pull request may close these issues.

Example of how to use Auth Middleware

4 participants