@agentailor/create-mcp-server 0.1.0 → 0.2.0

package/LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

package/README.md

@@ -1,19 +1,57 @@
 # @agentailor/create-mcp-server
 
-Create a new MCP (Model Context Protocol) server project.
+Scaffold production-ready MCP servers in seconds.
 
-## Usage
+## Quick Start
 
 ```bash
 npx @agentailor/create-mcp-server
 ```
 
-This will prompt you for a project name and create a new directory with a README.md file.
+## Features
+
+- **Two templates** — stateless or stateful with session management
+- **Optional OAuth** — OIDC-compliant authentication ([setup guide](docs/oauth-setup.md))
+- **Package manager choice** — npm, pnpm, or yarn
+- **TypeScript + Express.js** — ready to customize
+- **MCP Inspector** — built-in debugging with `npm run inspect`
+
+## Templates
+
+| Feature | Stateless (default) | Stateful |
+|---------|---------------------|----------|
+| Session management | — | ✓ |
+| SSE support | — | ✓ |
+| OAuth option | — | ✓ |
+| Endpoints | POST /mcp | POST, GET, DELETE /mcp |
+
+**Stateless**: Simple HTTP server — each request creates a new transport instance.
+
+**Stateful**: Session-based server with transport reuse, Server-Sent Events for real-time updates, and optional OAuth authentication.
+
+## Generated Project
+
+```
+my-mcp-server/
+├── src/
+│   ├── server.ts     # MCP server (tools, prompts, resources)
+│   ├── index.ts      # Express app and transport setup
+│   └── auth.ts       # OAuth middleware (if enabled)
+├── package.json
+├── tsconfig.json
+├── .gitignore
+├── .env.example
+└── README.md
+```
+
+**Scripts:**
+- `npm run dev` — build and start the server
+- `npm run inspect` — open MCP Inspector (update URL in `package.json` if needed)
 
 ## What is MCP?
 
 The [Model Context Protocol](https://modelcontextprotocol.io/) (MCP) is an open protocol that enables AI assistants to interact with external tools, data sources, and services.
 
-## License
+## Built by Agentailor
 
-MIT
+Built by [Agentailor](https://agentailor.com/?utm_source=github&utm_medium=readme&utm_campaign=create-mcp-server) — your launchpad for production-ready MCP servers and scalable AI agents. We provide the tools, templates, and expertise to ship AI-powered applications faster.

package/dist/index.js

@@ -2,12 +2,13 @@
 import prompts from 'prompts';
 import { mkdir, writeFile } from 'node:fs/promises';
 import { join } from 'node:path';
+import { execSync } from 'node:child_process';
 import { getPackageJsonTemplate } from './templates/common/package.json.js';
 import { getTsconfigTemplate } from './templates/common/tsconfig.json.js';
 import { getGitignoreTemplate } from './templates/common/gitignore.js';
 import { getEnvExampleTemplate } from './templates/common/env.example.js';
 import { getServerTemplate as getStatelessServerTemplate, getIndexTemplate as getStatelessIndexTemplate, getReadmeTemplate as getStatelessReadmeTemplate, } from './templates/streamable-http/index.js';
-import { getServerTemplate as getStatefulServerTemplate, getIndexTemplate as getStatefulIndexTemplate, getReadmeTemplate as getStatefulReadmeTemplate, } from './templates/stateful-streamable-http/index.js';
+import { getServerTemplate as getStatefulServerTemplate, getIndexTemplate as getStatefulIndexTemplate, getReadmeTemplate as getStatefulReadmeTemplate, getAuthTemplate as getStatefulAuthTemplate, } from './templates/stateful-streamable-http/index.js';
 const templateFunctions = {
     stateless: {
         getServerTemplate: getStatelessServerTemplate,
@@ -18,6 +19,7 @@ const templateFunctions = {
         getServerTemplate: getStatefulServerTemplate,
         getIndexTemplate: getStatefulIndexTemplate,
         getReadmeTemplate: getStatefulReadmeTemplate,
+        getAuthTemplate: getStatefulAuthTemplate,
     },
 };
 const packageManagerCommands = {
@@ -77,22 +79,57 @@ async function main() {
         initial: 0,
     }, { onCancel });
     const templateType = templateTypeResponse.templateType || 'stateless';
+    // OAuth prompt - only for stateful template
+    let withOAuth = false;
+    if (templateType === 'stateful') {
+        const oauthResponse = await prompts({
+            type: 'confirm',
+            name: 'withOAuth',
+            message: 'Enable OAuth authentication?',
+            initial: false,
+        }, { onCancel });
+        withOAuth = oauthResponse.withOAuth ?? false;
+    }
+    // Git init prompt
+    const gitInitResponse = await prompts({
+        type: 'confirm',
+        name: 'withGitInit',
+        message: 'Initialize git repository?',
+        initial: true,
+    }, { onCancel });
+    const withGitInit = gitInitResponse.withGitInit ?? false;
+    const templateOptions = { withOAuth };
     const templates = templateFunctions[templateType];
     const projectPath = join(process.cwd(), projectName);
     const srcPath = join(projectPath, 'src');
     try {
         // Create directories
         await mkdir(srcPath, { recursive: true });
-        // Write all template files
-        await Promise.all([
+        // Build list of files to write
+        const filesToWrite = [
             writeFile(join(srcPath, 'server.ts'), templates.getServerTemplate(projectName)),
-            writeFile(join(srcPath, 'index.ts'), templates.getIndexTemplate()),
-            writeFile(join(projectPath, 'package.json'), getPackageJsonTemplate(projectName)),
+            writeFile(join(srcPath, 'index.ts'), templates.getIndexTemplate(templateOptions)),
+            writeFile(join(projectPath, 'package.json'), getPackageJsonTemplate(projectName, templateOptions)),
             writeFile(join(projectPath, 'tsconfig.json'), getTsconfigTemplate()),
             writeFile(join(projectPath, '.gitignore'), getGitignoreTemplate()),
-            writeFile(join(projectPath, '.env.example'), getEnvExampleTemplate()),
-            writeFile(join(projectPath, 'README.md'), templates.getReadmeTemplate(projectName)),
-        ]);
+            writeFile(join(projectPath, '.env.example'), getEnvExampleTemplate(templateOptions)),
+            writeFile(join(projectPath, 'README.md'), templates.getReadmeTemplate(projectName, templateOptions)),
+        ];
+        // Conditionally add auth.ts for OAuth-enabled stateful template
+        if (withOAuth && templates.getAuthTemplate) {
+            filesToWrite.push(writeFile(join(srcPath, 'auth.ts'), templates.getAuthTemplate()));
+        }
+        // Write all template files
+        await Promise.all(filesToWrite);
+        // Initialize git repository if requested
+        if (withGitInit) {
+            try {
+                execSync('git init', { cwd: projectPath, stdio: 'ignore' });
+            }
+            catch {
+                console.log('\n⚠️  Could not initialize git repository (is git installed?)');
+            }
+        }
         const commands = packageManagerCommands[packageManager];
         console.log(`\n✅ Created ${projectName} at ${projectPath}`);
         console.log(`\nNext steps:`);

package/dist/templates/common/env.example.d.ts

@@ -1 +1,4 @@
-export declare function getEnvExampleTemplate(): string;
+export interface TemplateOptions {
+    withOAuth?: boolean;
+}
+export declare function getEnvExampleTemplate(options?: TemplateOptions): string;

package/dist/templates/common/env.example.js

@@ -1,4 +1,19 @@
-export function getEnvExampleTemplate() {
+export function getEnvExampleTemplate(options) {
+    const withOAuth = options?.withOAuth ?? false;
+    const oauthVars = withOAuth
+        ? `
+# OAuth Configuration
+# Issuer URL - your OAuth provider's base URL
+# Examples:
+#   Auth0: https://your-tenant.auth0.com
+#   Keycloak: http://localhost:8080/realms/your-realm
+OAUTH_ISSUER_URL=https://your-oauth-provider.com
+
+# Audience - the API identifier (optional, but recommended)
+# This should match the "aud" claim in your JWT tokens
+OAUTH_AUDIENCE=https://your-mcp-server.com
+`
+        : '';
     return `PORT=3000
-`;
+${oauthVars}`;
 }

package/dist/templates/common/package.json.d.ts

@@ -1 +1,4 @@
-export declare function getPackageJsonTemplate(projectName: string): string;
+export interface TemplateOptions {
+    withOAuth?: boolean;
+}
+export declare function getPackageJsonTemplate(projectName: string, options?: TemplateOptions): string;

package/dist/templates/common/package.json.js

@@ -1,4 +1,14 @@
-export function getPackageJsonTemplate(projectName) {
+export function getPackageJsonTemplate(projectName, options) {
+    const withOAuth = options?.withOAuth ?? false;
+    const dependencies = {
+        '@modelcontextprotocol/sdk': '^1.25.1',
+        express: '^5.2.1',
+        zod: '^4.3.5',
+    };
+    if (withOAuth) {
+        dependencies['dotenv'] = '^17.2.3';
+        dependencies['jose'] = '^6.1.3';
+    }
     const packageJson = {
         name: projectName,
         version: '0.1.0',
@@ -8,16 +18,14 @@ export function getPackageJsonTemplate(projectName) {
             build: 'tsc',
             dev: 'tsc && node dist/index.js',
             start: 'node dist/index.js',
+            inspect: 'mcp-inspector http://localhost:3000/mcp',
         },
-        dependencies: {
-            '@modelcontextprotocol/sdk': '^1.12.1',
-            express: '^5.1.0',
-            zod: '^3.25.30',
-        },
+        dependencies,
         devDependencies: {
-            '@types/express': '^5.0.0',
-            '@types/node': '^22.15.21',
-            typescript: '^5.8.3',
+            '@types/express': '^5.0.6',
+            '@types/node': '^25.0.3',
+            typescript: '^5.9.3',
+            '@modelcontextprotocol/inspector': '^0.18.0',
         },
         engines: {
             node: '>=20',

package/dist/templates/stateful-streamable-http/auth.d.ts

@@ -0,0 +1 @@
+export declare function getAuthTemplate(): string;

package/dist/templates/stateful-streamable-http/auth.js

@@ -0,0 +1,199 @@
+export function getAuthTemplate() {
+    return `import 'dotenv/config';
+import { createRemoteJWKSet, jwtVerify, type JWTPayload, type JWTVerifyGetKey } from 'jose';
+import {
+  mcpAuthMetadataRouter,
+  getOAuthProtectedResourceMetadataUrl,
+} from '@modelcontextprotocol/sdk/server/auth/router.js';
+import { requireBearerAuth } from '@modelcontextprotocol/sdk/server/auth/middleware/bearerAuth.js';
+import type { OAuthMetadata } from '@modelcontextprotocol/sdk/shared/auth.js';
+import type { Express, RequestHandler } from 'express';
+
+// OAuth configuration from environment variables
+const CONFIG = {
+  host: process.env.HOST || 'localhost',
+  port: Number(process.env.PORT) || 3000,
+  oauth: {
+    issuerUrl: process.env.OAUTH_ISSUER_URL || 'http://localhost:8080',
+    audience: process.env.OAUTH_AUDIENCE || '',
+  },
+};
+
+// Ensure issuer URL doesn't have trailing slash for consistency
+const normalizedIssuerUrl = CONFIG.oauth.issuerUrl.replace(/\\/$/, '');
+
+const mcpServerUrl = new URL(\`http://\${CONFIG.host}:\${CONFIG.port}\`);
+
+// OAuth metadata and JWKS fetched from OIDC discovery endpoint at startup
+let oauthMetadata: OAuthMetadata | null = null;
+let JWKS: JWTVerifyGetKey | null = null;
+
+// Extended JWT payload type with common OAuth claims
+interface OAuthJWTPayload extends JWTPayload {
+  scope?: string;
+  azp?: string;
+  client_id?: string;
+}
+
+// OIDC Discovery document structure (partial)
+interface OIDCDiscoveryDocument {
+  issuer: string;
+  authorization_endpoint: string;
+  token_endpoint: string;
+  jwks_uri: string;
+  response_types_supported?: string[];
+}
+
+// Token verifier using JWKS/JWT validation
+const tokenVerifier = {
+  verifyAccessToken: async (token: string) => {
+    if (!JWKS) {
+      throw new Error('JWKS not initialized. Call validateOAuthConfig() first.');
+    }
+
+    try {
+      // Check if the token looks like a JWT (three base64url-encoded parts separated by dots)
+      const parts = token.split('.');
+      if (parts.length !== 3) {
+        throw new Error(
+          'Token is not a valid JWT format (expected 3 parts separated by dots). '
+        );
+      }
+
+      const verifyOptions: { issuer: string; audience?: string } = {
+        issuer: normalizedIssuerUrl,
+      };
+
+      // Only validate audience if configured
+      if (CONFIG.oauth.audience) {
+        verifyOptions.audience = CONFIG.oauth.audience;
+      }
+
+      const { payload } = await jwtVerify(token, JWKS, verifyOptions);
+      const jwtPayload = payload as OAuthJWTPayload;
+
+      return {
+        token,
+        // Use azp (authorized party), client_id, or sub as the client identifier
+        clientId: jwtPayload.azp || jwtPayload.client_id || jwtPayload.sub || 'unknown',
+        scopes: jwtPayload.scope ? jwtPayload.scope.split(' ') : [],
+        expiresAt: jwtPayload.exp,
+      };
+    } catch (error) {
+      if (error instanceof Error) {
+        console.error('[auth] JWT verification failed:', error.message);
+      }
+      throw error;
+    }
+  },
+};
+
+// Setup OAuth metadata router on the Express app
+// Must be called AFTER validateOAuthConfig() to ensure oauthMetadata is populated
+export function setupAuthMetadataRouter(app: Express): void {
+  if (!oauthMetadata) {
+    throw new Error('OAuth metadata not initialized. Call validateOAuthConfig() first.');
+  }
+  app.use(
+    mcpAuthMetadataRouter({
+      oauthMetadata,
+      resourceServerUrl: mcpServerUrl,
+      scopesSupported: ['mcp:tools'],
+      resourceName: 'MCP Server',
+    })
+  );
+}
+
+// Export auth middleware for protecting routes
+export const authMiddleware: RequestHandler = requireBearerAuth({
+  verifier: tokenVerifier,
+  requiredScopes: [],
+  resourceMetadataUrl: getOAuthProtectedResourceMetadataUrl(mcpServerUrl),
+});
+
+// Export for logging on startup
+export function getOAuthMetadataUrl(): string {
+  return getOAuthProtectedResourceMetadataUrl(mcpServerUrl).toString();
+}
+
+// Validate OAuth configuration and fetch OIDC discovery document at startup
+export async function validateOAuthConfig(): Promise<void> {
+  console.log(\`[auth] Validating OAuth configuration for issuer: \${normalizedIssuerUrl}\`);
+
+  const wellKnownUrl = \`\${normalizedIssuerUrl}/.well-known/openid-configuration\`;
+
+  // Fetch the OIDC discovery document to get the correct endpoints
+  let discovery: OIDCDiscoveryDocument;
+  try {
+    const response = await fetch(wellKnownUrl, {
+      method: 'GET',
+      signal: AbortSignal.timeout(5000),
+    });
+
+    if (!response.ok) {
+      throw new Error(\`HTTP \${response.status}: \${response.statusText}\`);
+    }
+
+    discovery = (await response.json()) as OIDCDiscoveryDocument;
+    console.log('[auth] Successfully fetched OIDC discovery document');
+
+    // Build OAuth metadata from the discovery document
+    oauthMetadata = {
+      issuer: discovery.issuer,
+      authorization_endpoint: discovery.authorization_endpoint,
+      token_endpoint: discovery.token_endpoint,
+      response_types_supported: discovery.response_types_supported || ['code'],
+    };
+
+    console.log(\`[auth] Authorization endpoint: \${discovery.authorization_endpoint}\`);
+    console.log(\`[auth] Token endpoint: \${discovery.token_endpoint}\`);
+  } catch (e) {
+    const error = e instanceof Error ? e : new Error(String(e));
+    const errorMessage = [
+      'Failed to fetch OIDC discovery document',
+      \`  Discovery URL: \${wellKnownUrl}\`,
+      \`  Error: \${error.message}\`,
+      '',
+      'Please ensure:',
+      '  1. The OAUTH_ISSUER_URL environment variable is correct',
+      '  2. The OAuth server is running and accessible',
+      '  3. The OAuth server supports OIDC discovery (.well-known/openid-configuration)',
+      '  4. Network/firewall settings allow the connection',
+    ].join('\\n');
+
+    throw new Error(errorMessage);
+  }
+
+  // Create JWKS from the discovery document's jwks_uri
+  const jwksUri = discovery.jwks_uri;
+  console.log(\`[auth] JWKS URI: \${jwksUri}\`);
+  JWKS = createRemoteJWKSet(new URL(jwksUri));
+
+  // Verify the JWKS endpoint is accessible
+  try {
+    const jwksResponse = await fetch(jwksUri, {
+      method: 'GET',
+      signal: AbortSignal.timeout(5000),
+    });
+
+    if (!jwksResponse.ok) {
+      throw new Error(\`HTTP \${jwksResponse.status}: \${jwksResponse.statusText}\`);
+    }
+    console.log('[auth] JWKS endpoint is accessible');
+  } catch (e) {
+    const error = e instanceof Error ? e : new Error(String(e));
+    const errorMessage = [
+      'Failed to fetch JWKS from OAuth server',
+      \`  JWKS URI: \${jwksUri}\`,
+      \`  Error: \${error.message}\`,
+      '',
+      'Please ensure the OAuth server is properly configured.',
+    ].join('\\n');
+
+    throw new Error(errorMessage);
+  }
+
+  console.log('[auth] OAuth configuration validated successfully');
+}
+`;
+}

package/dist/templates/stateful-streamable-http/auth.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/templates/stateful-streamable-http/auth.test.js

@@ -0,0 +1,100 @@
+import { describe, it, expect } from 'vitest';
+import { getAuthTemplate } from './auth.js';
+describe('auth template', () => {
+    describe('getAuthTemplate', () => {
+        it('should include OAuth configuration from environment variables', () => {
+            const template = getAuthTemplate();
+            expect(template).toContain('OAUTH_ISSUER_URL');
+            expect(template).toContain('OAUTH_AUDIENCE');
+        });
+        it('should include dotenv import', () => {
+            const template = getAuthTemplate();
+            expect(template).toContain("import 'dotenv/config'");
+        });
+        it('should import jose for JWT verification', () => {
+            const template = getAuthTemplate();
+            expect(template).toContain("from 'jose'");
+            expect(template).toContain('createRemoteJWKSet');
+            expect(template).toContain('jwtVerify');
+        });
+        it('should use SDK auth imports', () => {
+            const template = getAuthTemplate();
+            expect(template).toContain("from '@modelcontextprotocol/sdk/server/auth/router.js'");
+            expect(template).toContain("from '@modelcontextprotocol/sdk/server/auth/middleware/bearerAuth.js'");
+            expect(template).toContain("from '@modelcontextprotocol/sdk/shared/auth.js'");
+        });
+        it('should export setupAuthMetadataRouter function', () => {
+            const template = getAuthTemplate();
+            expect(template).toContain('export function setupAuthMetadataRouter');
+            expect(template).toContain('mcpAuthMetadataRouter');
+        });
+        it('should export authMiddleware', () => {
+            const template = getAuthTemplate();
+            expect(template).toContain('export const authMiddleware');
+            expect(template).toContain('requireBearerAuth');
+        });
+        it('should export getOAuthMetadataUrl helper', () => {
+            const template = getAuthTemplate();
+            expect(template).toContain('export function getOAuthMetadataUrl');
+            expect(template).toContain('getOAuthProtectedResourceMetadataUrl');
+        });
+        it('should include token verifier using JWKS/JWT', () => {
+            const template = getAuthTemplate();
+            expect(template).toContain('tokenVerifier');
+            expect(template).toContain('verifyAccessToken');
+            expect(template).toContain('jwtVerify(token, JWKS');
+        });
+        it('should create remote JWKS from discovery document jwks_uri', () => {
+            const template = getAuthTemplate();
+            expect(template).toContain('createRemoteJWKSet');
+            expect(template).toContain('discovery.jwks_uri');
+            expect(template).toContain('JWKS = createRemoteJWKSet');
+        });
+        it('should validate issuer and audience claims', () => {
+            const template = getAuthTemplate();
+            expect(template).toContain('issuer:');
+            expect(template).toContain('audience:');
+        });
+        it('should use Express types', () => {
+            const template = getAuthTemplate();
+            expect(template).toContain("from 'express'");
+            expect(template).toContain('Express');
+            expect(template).toContain('RequestHandler');
+        });
+        it('should export validateOAuthConfig function', () => {
+            const template = getAuthTemplate();
+            expect(template).toContain('export async function validateOAuthConfig');
+        });
+        it('should check well-known endpoint for OAuth server availability', () => {
+            const template = getAuthTemplate();
+            expect(template).toContain('.well-known/openid-configuration');
+        });
+        it('should throw detailed error when OIDC discovery fails', () => {
+            const template = getAuthTemplate();
+            expect(template).toContain('Failed to fetch OIDC discovery document');
+            expect(template).toContain('OAUTH_ISSUER_URL environment variable');
+            expect(template).toContain('OAuth server is running and accessible');
+        });
+        it('should fetch OAuth metadata from OIDC discovery endpoint', () => {
+            const template = getAuthTemplate();
+            expect(template).toContain('OIDCDiscoveryDocument');
+            expect(template).toContain('authorization_endpoint');
+            expect(template).toContain('token_endpoint');
+            expect(template).toContain('oauthMetadata = {');
+        });
+        it('should use timeout for OAuth server validation requests', () => {
+            const template = getAuthTemplate();
+            expect(template).toContain('AbortSignal.timeout(5000)');
+        });
+        it('should extract client ID from JWT claims', () => {
+            const template = getAuthTemplate();
+            expect(template).toContain('azp');
+            expect(template).toContain('client_id');
+            expect(template).toContain('sub');
+        });
+        it('should extract scopes from JWT scope claim', () => {
+            const template = getAuthTemplate();
+            expect(template).toContain("jwtPayload.scope.split(' ')");
+        });
+    });
+});

package/dist/templates/stateful-streamable-http/index.d.ts

@@ -1,3 +1,7 @@
-export declare function getIndexTemplate(): string;
+export interface TemplateOptions {
+    withOAuth?: boolean;
+}
+export declare function getIndexTemplate(options?: TemplateOptions): string;
 export { getServerTemplate } from './server.js';
 export { getReadmeTemplate } from './readme.js';
+export { getAuthTemplate } from './auth.js';

package/dist/templates/stateful-streamable-http/index.js

@@ -1,17 +1,46 @@
-export function getIndexTemplate() {
-    return `import { type Request, type Response } from 'express';
+export function getIndexTemplate(options) {
+    const withOAuth = options?.withOAuth ?? false;
+    const imports = withOAuth
+        ? `import { type Request, type Response } from 'express';
 import { randomUUID } from 'node:crypto';
 import { createMcpExpressApp } from '@modelcontextprotocol/sdk/server/express.js';
 import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
 import { isInitializeRequest } from '@modelcontextprotocol/sdk/types.js';
 import { getServer } from './server.js';
-
-const app = createMcpExpressApp();
+import {
+  setupAuthMetadataRouter,
+  authMiddleware,
+  getOAuthMetadataUrl,
+  validateOAuthConfig,
+} from './auth.js';`
+        : `import { type Request, type Response } from 'express';
+import { randomUUID } from 'node:crypto';
+import { createMcpExpressApp } from '@modelcontextprotocol/sdk/server/express.js';
+import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
+import { isInitializeRequest } from '@modelcontextprotocol/sdk/types.js';
+import { getServer } from './server.js';`;
+    const appSetup = `const app = createMcpExpressApp();`;
+    const postRoute = withOAuth
+        ? `app.post('/mcp', authMiddleware, async (req: Request, res: Response) => {`
+        : `app.post('/mcp', async (req: Request, res: Response) => {`;
+    const getRoute = withOAuth
+        ? `app.get('/mcp', authMiddleware, async (req: Request, res: Response) => {`
+        : `app.get('/mcp', async (req: Request, res: Response) => {`;
+    const deleteRoute = withOAuth
+        ? `app.delete('/mcp', authMiddleware, async (req: Request, res: Response) => {`
+        : `app.delete('/mcp', async (req: Request, res: Response) => {`;
+    const startupLog = withOAuth
+        ? `console.log(\`MCP Stateful HTTP Server listening on port \${PORT}\`);
+    console.log(\`OAuth metadata available at \${getOAuthMetadataUrl()}\`);`
+        : `console.log(\`MCP Stateful HTTP Server listening on port \${PORT}\`);`;
+    return `${imports}
+
+${appSetup}
 
 // Map to store transports by session ID
 const transports: { [sessionId: string]: StreamableHTTPServerTransport } = {};
 
-app.post('/mcp', async (req: Request, res: Response) => {
+${postRoute}
   const sessionId = req.headers['mcp-session-id'] as string | undefined;
   if (sessionId) {
     console.log(\`Received MCP request for session: \${sessionId}\`);
@@ -79,7 +108,7 @@ app.post('/mcp', async (req: Request, res: Response) => {
   }
 });
 
-app.get('/mcp', async (req: Request, res: Response) => {
+${getRoute}
   const sessionId = req.headers['mcp-session-id'] as string | undefined;
   if (!sessionId || !transports[sessionId]) {
     res.status(400).send('Invalid or missing session ID');
@@ -91,7 +120,7 @@ app.get('/mcp', async (req: Request, res: Response) => {
   await transport.handleRequest(req, res);
 });
 
-app.delete('/mcp', async (req: Request, res: Response) => {
+${deleteRoute}
   const sessionId = req.headers['mcp-session-id'] as string | undefined;
   if (!sessionId || !transports[sessionId]) {
     res.status(400).send('Invalid or missing session ID');
@@ -111,11 +140,31 @@ app.delete('/mcp', async (req: Request, res: Response) => {
   }
 });
 
-// Start the server
+${withOAuth
+        ? `// Start the server
+const PORT = process.env.PORT || 3000;
+
+async function main() {
+  // Validate OAuth configuration and fetch OIDC discovery document
+  await validateOAuthConfig();
+
+  // Setup OAuth metadata routes (must be after validateOAuthConfig)
+  setupAuthMetadataRouter(app);
+
+  app.listen(PORT, () => {
+    ${startupLog}
+  });
+}
+
+main().catch((error) => {
+  console.error('Failed to start server:', error.message);
+  process.exit(1);
+});`
+        : `// Start the server
 const PORT = process.env.PORT || 3000;
 app.listen(PORT, () => {
-  console.log(\`MCP Stateful HTTP Server listening on port \${PORT}\`);
-});
+  ${startupLog}
+});`}
 
 // Handle server shutdown
 process.on('SIGINT', async () => {
@@ -138,3 +187,4 @@ process.on('SIGINT', async () => {
 }
 export { getServerTemplate } from './server.js';
 export { getReadmeTemplate } from './readme.js';
+export { getAuthTemplate } from './auth.js';

package/dist/templates/stateful-streamable-http/readme.d.ts

@@ -1 +1,2 @@
-export declare function getReadmeTemplate(projectName: string): string;
+import type { TemplateOptions } from './index.js';
+export declare function getReadmeTemplate(projectName: string, options?: TemplateOptions): string;

package/dist/templates/stateful-streamable-http/readme.js

@@ -1,7 +1,81 @@
-export function getReadmeTemplate(projectName) {
+export function getReadmeTemplate(projectName, options) {
+    const withOAuth = options?.withOAuth ?? false;
+    const description = withOAuth
+        ? 'A stateful streamable HTTP MCP (Model Context Protocol) server with session management and OAuth authentication.'
+        : 'A stateful streamable HTTP MCP (Model Context Protocol) server with session management.';
+    const oauthSection = withOAuth
+        ? `
+## OAuth Authentication
+
+This server uses OAuth 2.0 with JWT tokens for authentication. It works with any OIDC-compliant provider including:
+- Auth0
+- Keycloak
+- Azure AD / Entra ID
+- Okta
+- And more...
+
+### Environment Variables
+
+| Variable | Description | Example |
+|----------|-------------|---------|
+| \`OAUTH_ISSUER_URL\` | Base URL of your OAuth provider | \`https://your-tenant.auth0.com\` |
+| \`OAUTH_AUDIENCE\` | API identifier / audience claim (optional) | \`https://your-api.com\` |
+
+### Provider-Specific Issuer URLs
+
+| Provider | Issuer URL Format |
+|----------|-------------------|
+| Auth0 | \`https://{tenant}.auth0.com\` |
+| Keycloak | \`http://{host}:{port}/realms/{realm}\` |
+| Azure AD | \`https://login.microsoftonline.com/{tenant}/v2.0\` |
+| Okta | \`https://{domain}.okta.com/oauth2/default\` |
+
+### How It Works
+
+1. The server fetches public keys from \`{OAUTH_ISSUER_URL}/.well-known/jwks.json\`
+2. Incoming JWT tokens are verified locally using these keys
+3. The token's \`iss\` (issuer) and optionally \`aud\` (audience) claims are validated
+
+### Protected Resource Metadata
+
+- **GET /.well-known/oauth-protected-resource** - OAuth protected resource metadata
+
+### Token Requirements
+
+- All MCP endpoints require a valid JWT Bearer token in the \`Authorization\` header
+- Tokens must be signed by the configured OAuth provider
+- If \`OAUTH_AUDIENCE\` is set, the token's \`aud\` claim must match
+`
+        : '';
+    const apiEndpointsOAuthNote = withOAuth
+        ? '\n  - Requires valid Bearer token in Authorization header'
+        : '';
+    const projectStructure = withOAuth
+        ? `\`\`\`
+${projectName}/
+├── src/
+│   ├── server.ts     # MCP server definition (tools, prompts, resources)
+│   ├── index.ts      # Express app and stateful HTTP transport setup
+│   └── auth.ts       # OAuth configuration and middleware
+├── package.json
+├── tsconfig.json
+└── README.md
+\`\`\``
+        : `\`\`\`
+${projectName}/
+├── src/
+│   ├── server.ts     # MCP server definition (tools, prompts, resources)
+│   └── index.ts      # Express app and stateful HTTP transport setup
+├── package.json
+├── tsconfig.json
+└── README.md
+\`\`\``;
+    const customizationOAuthNote = withOAuth
+        ? '\n- Configure OAuth scopes and token verification in `src/auth.ts`'
+        : '';
     return `# ${projectName}
 
-A stateful streamable HTTP MCP (Model Context Protocol) server with session management.
+${description}
 
 ## About
 
@@ -22,16 +96,16 @@ npm start
 \`\`\`
 
 The server will start on port 3000 by default. You can change this by setting the \`PORT\` environment variable.
-
+${oauthSection}
 ## API Endpoints
 
 - **POST /mcp** - Main MCP endpoint for JSON-RPC messages
   - First request must be an initialization request (no session ID required)
-  - Subsequent requests must include \`mcp-session-id\` header
+  - Subsequent requests must include \`mcp-session-id\` header${apiEndpointsOAuthNote}
 - **GET /mcp** - Server-Sent Events (SSE) stream for server-initiated messages
-  - Requires \`mcp-session-id\` header
+  - Requires \`mcp-session-id\` header${apiEndpointsOAuthNote}
 - **DELETE /mcp** - Terminate a session
-  - Requires \`mcp-session-id\` header
+  - Requires \`mcp-session-id\` header${apiEndpointsOAuthNote}
 
 ## Session Management
 
@@ -63,20 +137,12 @@ This server comes with example implementations to help you get started:
 
 ## Project Structure
 
-\`\`\`
-${projectName}/
-├── src/
-│   ├── server.ts     # MCP server definition (tools, prompts, resources)
-│   └── index.ts      # Express app and stateful HTTP transport setup
-├── package.json
-├── tsconfig.json
-└── README.md
-\`\`\`
+${projectStructure}
 
 ## Customization
 
 - Add new tools, prompts, and resources in \`src/server.ts\`
-- Modify the HTTP transport configuration in \`src/index.ts\`
+- Modify the HTTP transport configuration in \`src/index.ts\`${customizationOAuthNote}
 
 ## Learn More
 

package/dist/templates/stateful-streamable-http/templates.test.js

@@ -108,4 +108,91 @@ describe('stateful-streamable-http templates', () => {
             expect(template).toContain('DELETE /mcp');
         });
     });
+    describe('getIndexTemplate with OAuth', () => {
+        it('should include auth imports when OAuth enabled', () => {
+            const template = getIndexTemplate({ withOAuth: true });
+            expect(template).toContain("from './auth.js'");
+            expect(template).toContain('setupAuthMetadataRouter');
+            expect(template).toContain('authMiddleware');
+            expect(template).toContain('getOAuthMetadataUrl');
+        });
+        it('should import validateOAuthConfig when OAuth enabled', () => {
+            const template = getIndexTemplate({ withOAuth: true });
+            expect(template).toContain('validateOAuthConfig');
+        });
+        it('should setup auth metadata router when OAuth enabled', () => {
+            const template = getIndexTemplate({ withOAuth: true });
+            expect(template).toContain('setupAuthMetadataRouter(app)');
+        });
+        it('should apply auth middleware to routes when OAuth enabled', () => {
+            const template = getIndexTemplate({ withOAuth: true });
+            expect(template).toContain("app.post('/mcp', authMiddleware,");
+            expect(template).toContain("app.get('/mcp', authMiddleware,");
+            expect(template).toContain("app.delete('/mcp', authMiddleware,");
+        });
+        it('should log OAuth metadata URL on startup when OAuth enabled', () => {
+            const template = getIndexTemplate({ withOAuth: true });
+            expect(template).toContain('getOAuthMetadataUrl()');
+        });
+        it('should call validateOAuthConfig before starting server when OAuth enabled', () => {
+            const template = getIndexTemplate({ withOAuth: true });
+            expect(template).toContain('await validateOAuthConfig()');
+        });
+        it('should wrap server startup in async main function when OAuth enabled', () => {
+            const template = getIndexTemplate({ withOAuth: true });
+            expect(template).toContain('async function main()');
+            expect(template).toContain('main().catch');
+        });
+        it('should exit with error if OAuth validation fails', () => {
+            const template = getIndexTemplate({ withOAuth: true });
+            expect(template).toContain('Failed to start server');
+            expect(template).toContain('process.exit(1)');
+        });
+        it('should NOT include auth imports when OAuth disabled', () => {
+            const template = getIndexTemplate({ withOAuth: false });
+            expect(template).not.toContain("from './auth.js'");
+            expect(template).not.toContain('authMiddleware');
+        });
+        it('should NOT include auth imports by default', () => {
+            const template = getIndexTemplate();
+            expect(template).not.toContain("from './auth.js'");
+        });
+        it('should NOT wrap in async main when OAuth disabled', () => {
+            const template = getIndexTemplate({ withOAuth: false });
+            expect(template).not.toContain('async function main()');
+        });
+    });
+    describe('getReadmeTemplate with OAuth', () => {
+        it('should include OAuth section when enabled', () => {
+            const template = getReadmeTemplate(projectName, { withOAuth: true });
+            expect(template).toContain('## OAuth Authentication');
+            expect(template).toContain('OAUTH_ISSUER_URL');
+            expect(template).toContain('OAUTH_AUDIENCE');
+            expect(template).toContain('Bearer token');
+        });
+        it('should list supported OAuth providers', () => {
+            const template = getReadmeTemplate(projectName, { withOAuth: true });
+            expect(template).toContain('Auth0');
+            expect(template).toContain('Keycloak');
+            expect(template).toContain('Azure AD');
+            expect(template).toContain('Okta');
+        });
+        it('should document JWKS-based JWT validation', () => {
+            const template = getReadmeTemplate(projectName, { withOAuth: true });
+            expect(template).toContain('JWT');
+            expect(template).toContain('.well-known/jwks.json');
+        });
+        it('should include auth.ts in project structure when OAuth enabled', () => {
+            const template = getReadmeTemplate(projectName, { withOAuth: true });
+            expect(template).toContain('auth.ts');
+        });
+        it('should NOT include OAuth section when disabled', () => {
+            const template = getReadmeTemplate(projectName, { withOAuth: false });
+            expect(template).not.toContain('## OAuth Authentication');
+        });
+        it('should NOT include OAuth section by default', () => {
+            const template = getReadmeTemplate(projectName);
+            expect(template).not.toContain('## OAuth Authentication');
+        });
+    });
 });

package/dist/templates/streamable-http/index.d.ts

@@ -1,3 +1,6 @@
-export declare function getIndexTemplate(): string;
+export interface TemplateOptions {
+    withOAuth?: boolean;
+}
+export declare function getIndexTemplate(options?: TemplateOptions): string;
 export { getServerTemplate } from './server.js';
 export { getReadmeTemplate } from './readme.js';

package/dist/templates/streamable-http/index.js

@@ -1,4 +1,6 @@
-export function getIndexTemplate() {
+// Options parameter added for type consistency with stateful template (OAuth not supported in stateless)
+// eslint-disable-next-line @typescript-eslint/no-unused-vars
+export function getIndexTemplate(options) {
     return `import { type Request, type Response } from 'express';
 import { createMcpExpressApp } from '@modelcontextprotocol/sdk/server/express.js';
 import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';

package/dist/templates/streamable-http/readme.d.ts

@@ -1 +1,2 @@
-export declare function getReadmeTemplate(projectName: string): string;
+import type { TemplateOptions } from './index.js';
+export declare function getReadmeTemplate(projectName: string, options?: TemplateOptions): string;

package/dist/templates/streamable-http/readme.js

@@ -1,4 +1,6 @@
-export function getReadmeTemplate(projectName) {
+// Options parameter added for type consistency with stateful template (OAuth not supported in stateless)
+// eslint-disable-next-line @typescript-eslint/no-unused-vars
+export function getReadmeTemplate(projectName, options) {
     return `# ${projectName}
 
 A stateless streamable HTTP MCP (Model Context Protocol) server.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agentailor/create-mcp-server",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "description": "Create a new MCP (Model Context Protocol) server project",
   "type": "module",
   "bin": {