MCP auth.
Working.
In 5 minutes.
Self-hosted OAuth 2.1 authorization server for the Model Context Protocol. One Go binary. Every RFC the spec requires. Deploy alongside your MCP server.
MCP auth is genuinely broken.
Most MCP servers ship without auth
The MCP specification requires OAuth 2.1. In practice, most servers omit it entirely — exposing tools and data to any caller.
OAuth 2.1 is expensive to implement
PKCE, DCR, protected resource metadata, token lifecycle, key rotation — implementing the full spec correctly takes significant engineering time.
No self-hosted option exists
Auth0, WorkOS, Descope — all cloud-only. Financial services, healthcare, and defense cannot route tokens through third-party infrastructure.
Four steps. Five minutes.
Deploy the binary
Single Docker image or Go binary. PostgreSQL or SQLite. No external dependencies. Starts in under 5 seconds.
Point your MCP server at it
One config line: authorization_server: https://auth.you.com. Authgent serves all required OAuth AS metadata. MCP clients discover it automatically via RFC 8414.
MCP clients authenticate
Claude, Cursor, GPT, any MCP client runs Authorization Code + PKCE. Dynamic Client Registration — no manual setup per client. Consent screen included.
Validate JWTs in your server
Authgent issues signed JWTs. Your MCP server fetches the JWKS once, caches it, and verifies tokens offline. Stateless. Standard. No Authgent dependency at runtime.
```python
# Verify Authgent JWTs in FastMCP
from fastmcp.server.auth import RemoteAuthProvider

auth = RemoteAuthProvider(
    authorization_server_url="https://auth.yourcompany.com",
    audience="https://mcp.yourcompany.com",
)
```

```go
// Verify Authgent JWTs in Go
v, err := verifier.New(verifier.Config{
	Issuer:   "https://auth.yourcompany.com",
	Audience: "https://mcp.yourcompany.com",
	JWKSURL:  "https://auth.yourcompany.com/.well-known/jwks.json",
})
if err != nil {
	// Refuse to start rather than serve /mcp without a working verifier.
	log.Fatalf("verifier setup: %v", err)
}
mux.Handle("/mcp", v.RequireAuth()(handler))
```

```typescript
// Verify Authgent JWTs in TypeScript
import { createRemoteJWKSet, jwtVerify } from "jose";

// The remote JWK set is fetched on first use and cached by jose.
const JWKS = createRemoteJWKSet(
  new URL("https://auth.yourcompany.com/.well-known/jwks.json")
);

// Rejects the token unless signature, issuer and audience all match.
const { payload } = await jwtVerify(token, JWKS, {
  issuer: "https://auth.yourcompany.com",
  audience: "https://mcp.yourcompany.com",
});
```

Everything the MCP spec requires.
A complete OAuth 2.1 authorization server built to the MCP authorization specification.
Complete authorization server
Authorization Code + PKCE, client credentials, token refresh and revocation. Every grant type the MCP spec requires.
Dynamic Client Registration
MCP clients self-register automatically. No manual setup per client. Constrained mode for regulated deployments.
JWKS & offline verification
ES256 signed JWTs with automated key rotation. Your MCP server fetches JWKS once and verifies tokens locally.
Upstream IdP federation
Plug into Okta, Entra, or Google Workspace. Your employees use SSO. Agents get scoped tokens.
Tool-level permissions
Define permissions per tool, not per server. Consent screen shows exactly which tools an agent requests.
Single binary, zero deps
One Docker image. PostgreSQL or SQLite. Prometheus metrics, OpenTelemetry tracing, structured logs.
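Added example, not Authgent's code: step 4 and the "JWKS & offline verification" feature describe a server that caches the JWKS and verifies locally while the authorization server rotates keys, so the cache has to refetch when a token names an unknown `kid`, and that refetch has to be rate-limited. The Go code below shows one such cache; `KeyCache`, `Fetch`, `MinWait` and `parseJWKS` are hypothetical names, and `Fetch` stands in for the HTTP GET of the JWKS URL.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"encoding/base64"
	"encoding/json"
	"math/big"
	"sync"
	"time"
)

type KeyCache struct { // kid -> ES256 key; hypothetical helper, not Authgent's verifier package
	Fetch   func() ([]byte, error) // assumed hook: GET the JWKS URL, return the body
	MinWait time.Duration          // floor between refetches, so bogus kids cannot flood the AS
	mu      sync.Mutex
	keys    map[string]*ecdsa.PublicKey
	last    time.Time
}

// Key returns the key for kid, or nil (reject the token). A miss refetches at most once per MinWait.
func (c *KeyCache) Key(kid string, now time.Time) *ecdsa.PublicKey {
	c.mu.Lock()
	defer c.mu.Unlock()
	if _, ok := c.keys[kid]; !ok && now.Sub(c.last) >= c.MinWait {
		c.last = now
		raw, err := c.Fetch()
		if fresh := parseJWKS(raw); err == nil && len(fresh) > 0 {
			c.keys = fresh // retired keys drop out; a failed or empty fetch keeps the old set
		}
	}
	return c.keys[kid]
}

func parseJWKS(raw []byte) map[string]*ecdsa.PublicKey {
	var set struct{ Keys []struct{ Kty, Crv, Kid, X, Y string } }
	if json.Unmarshal(raw, &set) != nil {
		return nil
	}
	out := map[string]*ecdsa.PublicKey{}
	for _, j := range set.Keys { // keep only well-formed EC P-256 entries that carry a kid
		x, ex := base64.RawURLEncoding.DecodeString(j.X)
		y, ey := base64.RawURLEncoding.DecodeString(j.Y)
		if j.Kty == "EC" && j.Crv == "P-256" && j.Kid != "" && ex == nil && ey == nil {
			out[j.Kid] = &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
		}
	}
	return out
}
func main() {} // library-style example; the logic is exercised through KeyCache.Key
```

Keep `MinWait` short relative to the period in which the authorization server publishes both the old and the new key. Finding the key is only the first step: the signature, `iss`, `aud` and `exp` checks still have to pass before the request is served.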
Works with your stack.
Drop-in auth for every major MCP framework and server. Guides with complete working examples.
One-line auth setup with RemoteAuthProvider. Tool-level scope enforcement out of the box.
JWT verification with jose. Express middleware for any TypeScript MCP server.
Lightweight verifier package. Standard net/http middleware. Zero external dependencies.
JWT verification at the edge with Web Crypto API. JWKS cached at every Cloudflare PoP.
Secure your Linear MCP server. Scope access to issues, projects, and teams.
Protect repos, PRs, and code search. Fine-grained per-repository scoping.
Start free. Scale when you need to.
The OSS core is everything you need for production. Enterprise adds what regulated industries require.
Open Source
Self-hosted. Full MCP auth server. Everything you need to go to production.
- OAuth 2.1 AS + PKCE + DCR
- Unlimited MCP servers
- Unlimited client registrations
- PostgreSQL + SQLite
- Single upstream IdP (OIDC)
- JWKS, metadata, revocation
- Structured audit logging
- Go + Python verifier libraries
Self-Hosted Pro
For teams that need enterprise identity and hands-on support.
- Everything in Open Source
- Multiple upstream IdPs (SAML + OIDC)
- Role-based access control
- Multi-server management dashboard
- Priority email support (24h response)
- Architecture review session
Cloud SaaS
Managed auth server. No infrastructure to maintain.
- Managed auth server
- Automatic updates and key rotation
- Multiple upstream IdPs
- Usage dashboard and analytics
- Email support
Enterprise
Air-gapped deployments for healthcare, finance, and defense.
- Everything in Self-Hosted Pro
- Unlimited IdP connections
- Air-gap and offline deployment
- Dedicated Slack channel
- Deployment engineering included
- Custom SLA
Honest comparison.
Every competitor is cloud-only. For regulated industries, that's a hard blocker. We are not.
| Feature | Authgent | Auth0 for MCP | WorkOS | Descope | Keycloak |
|---|---|---|---|---|---|
| Self-hosted | ✓ | ✗ | ✗ | ✗ | ✓ |
| OAuth 2.1 + PKCE | ✓ | ✓ | ✓ | ✓ | partial |
| Dynamic Client Registration | ✓ | EA only | partial | ✓ | partial |
| MCP spec compliant | ✓ | EA | ✓ | ✓ | ✗ |
| Runs in regulated infra | ✓ | ✗ | ✗ | ✗ | complex |
| Deploy time | 5 min | 10+ steps | ~1 hour | ~30 min | hours–days |
| Open Source | ✓ | ✗ | ✗ | ✗ | ✓ |
| SQLite (dev mode) | ✓ | ✗ | ✗ | ✗ | ✗ |
| Purpose-built for MCP | ✓ | add-on | add-on | add-on | ✗ |
Not a hosted service you depend on. Your binary. Your tokens. Your infrastructure.