@eventcatalog/core 3.39.5 → 3.40.0

package/dist/eventcatalog.js

@@ -13,8 +13,8 @@ import {
 } from "./chunk-K3ZVEX2Y.js";
 import {
   log_build_default
-} from "./chunk-KVAEAYEP.js";
-import "./chunk-H5BZMNK3.js";
+} from "./chunk-72BKUYSR.js";
+import "./chunk-WFNAWDCB.js";
 import "./chunk-4UVFXLPI.js";
 import {
   catalogToAstro
@@ -28,13 +28,13 @@ import {
 } from "./chunk-ULZYHF3V.js";
 import {
   generate
-} from "./chunk-S4HLJWQ7.js";
+} from "./chunk-K762FILQ.js";
 import {
   logger
-} from "./chunk-M4S7PORQ.js";
+} from "./chunk-J5CG7FRO.js";
 import {
   VERSION
-} from "./chunk-TNE5QSJ4.js";
+} from "./chunk-UPI6QQEZ.js";
 import {
   getEventCatalogConfigFile,
   verifyRequiredFieldsAreInCatalogConfigFile

package/dist/generate.cjs

@@ -78,7 +78,7 @@ var getEventCatalogConfigFile = async (projectDirectory) => {
 var import_picocolors = __toESM(require("picocolors"), 1);
 
 // package.json
-var version = "3.39.5";
+var version = "3.40.0";
 
 // src/constants.ts
 var VERSION = version;

package/dist/generate.js

@@ -1,8 +1,8 @@
 import {
   generate
-} from "./chunk-S4HLJWQ7.js";
-import "./chunk-M4S7PORQ.js";
-import "./chunk-TNE5QSJ4.js";
+} from "./chunk-K762FILQ.js";
+import "./chunk-J5CG7FRO.js";
+import "./chunk-UPI6QQEZ.js";
 import "./chunk-5T63CXKU.js";
 export {
   generate

package/dist/utils/cli-logger.cjs

@@ -36,7 +36,7 @@ module.exports = __toCommonJS(cli_logger_exports);
 var import_picocolors = __toESM(require("picocolors"), 1);
 
 // package.json
-var version = "3.39.5";
+var version = "3.40.0";
 
 // src/constants.ts
 var VERSION = version;

package/dist/utils/cli-logger.js

@@ -1,7 +1,7 @@
 import {
   logger
-} from "../chunk-M4S7PORQ.js";
-import "../chunk-TNE5QSJ4.js";
+} from "../chunk-J5CG7FRO.js";
+import "../chunk-UPI6QQEZ.js";
 export {
   logger
 };

package/eventcatalog/src/components/Badge.astro

@@ -0,0 +1,50 @@
+---
+import { getBadgeHref, getBadgeStyle } from '@utils/badge-styles';
+import { ArrowTopRightOnSquareIcon } from '@heroicons/react/20/solid';
+
+type Badge = {
+  id?: string;
+  content: string;
+  backgroundColor?: string;
+  textColor?: string;
+  icon?: any;
+  iconComponent?: any;
+  iconURL?: string;
+  class?: string;
+  url?: string;
+};
+
+type Props = {
+  badge: Badge;
+  className?: string;
+};
+
+const { badge, className = '' } = Astro.props;
+const href = getBadgeHref(badge);
+const Icon = badge.icon || badge.iconComponent;
+const classes = `
+  inline-flex items-center gap-2 px-3 py-1.5 rounded-lg text-sm font-medium
+  ${badge.backgroundColor ? 'bg-[rgb(var(--ec-content-hover))]' : 'bg-transparent'} border border-[rgb(var(--ec-page-border))]
+  text-[rgb(var(--ec-page-text))]
+  shadow-xs
+  ${badge.class ? badge.class : ''}
+  ${className}
+`;
+---
+
+{
+  href ? (
+    <a id={badge.id || undefined} href={href} class={classes} style={getBadgeStyle(badge)} title={badge.content}>
+      {Icon && <Icon className="w-4 h-4 flex-shrink-0" />}
+      {badge.iconURL && <img src={badge.iconURL} class="w-4 h-4 flex-shrink-0 opacity-80" alt="" />}
+      <span>{badge.content}</span>
+      <ArrowTopRightOnSquareIcon className="w-3.5 h-3.5 flex-shrink-0 opacity-70" aria-hidden="true" />
+    </a>
+  ) : (
+    <span id={badge.id || undefined} class={classes} style={getBadgeStyle(badge)} title={badge.content}>
+      {Icon && <Icon className="w-4 h-4 flex-shrink-0" />}
+      {badge.iconURL && <img src={badge.iconURL} class="w-4 h-4 flex-shrink-0 opacity-80" alt="" />}
+      <span>{badge.content}</span>
+    </span>
+  )
+}

package/eventcatalog/src/components/Tables/Discover/DiscoverTable.tsx

@@ -52,6 +52,7 @@ export interface DiscoverTableData {
       content: string;
       backgroundColor?: string;
       textColor?: string;
+      url?: string;
     }>;
     producers?: Array<any>;
     consumers?: Array<any>;

package/eventcatalog/src/components/Tables/Discover/columns.tsx

@@ -1,11 +1,17 @@
 import { createColumnHelper } from '@tanstack/react-table';
 import { useEffect, useMemo, useRef, useState } from 'react';
 import { DocumentTextIcon, MapIcon } from '@heroicons/react/24/solid';
-import { ArrowDownIcon, ArrowUpIcon, EllipsisVerticalIcon, StarIcon } from '@heroicons/react/24/outline';
+import {
+  ArrowDownIcon,
+  ArrowTopRightOnSquareIcon,
+  ArrowUpIcon,
+  EllipsisVerticalIcon,
+  StarIcon,
+} from '@heroicons/react/24/outline';
 import { buildUrl } from '@utils/url-builder';
 import { getColorAndIconForCollection } from '@utils/collections/icons';
 import { getCollectionTextColorClass } from '@utils/collection-colors';
-import { getBadgeReactStyle } from '@utils/badge-styles';
+import { getBadgeHref, getBadgeReactStyle } from '@utils/badge-styles';
 import { isIconPath, resolveIconUrl } from '@utils/icon';
 import { useStore } from '@nanostores/react';
 import { favoritesStore, toggleFavorite, type FavoriteItem } from '../../../stores/favorites-store';
@@ -15,7 +21,11 @@ import type { TableConfiguration } from '@types';
 const columnHelper = createColumnHelper<DiscoverTableData>();
 
 // Badge cell component (proper React component to use hooks)
-const BadgesCell = ({ badges }: { badges: Array<{ content: string; backgroundColor?: string; textColor?: string }> }) => {
+const BadgesCell = ({
+  badges,
+}: {
+  badges: Array<{ content: string; backgroundColor?: string; textColor?: string; url?: string }>;
+}) => {
   const [isExpanded, setIsExpanded] = useState(false);
 
   if (!badges || badges.length === 0) return <span className="text-xs text-[rgb(var(--ec-icon-color))]">-</span>;
@@ -25,16 +35,28 @@ const BadgesCell = ({ badges }: { badges: Array<{ content: string; backgroundCol
 
   return (
     <div className="flex flex-col gap-1 items-start">
-      {visibleItems.map((badge, index) => (
-        <span
-          key={`${badge.content}-${index}`}
-          className="inline-flex items-center px-2 py-0.5 text-[11px] font-normal rounded-md max-w-[140px] truncate border border-[rgb(var(--ec-page-border))] text-[rgb(var(--ec-page-text-muted))] bg-transparent"
-          style={getBadgeReactStyle(badge)}
-          title={badge.content}
-        >
-          {badge.content}
-        </span>
-      ))}
+      {visibleItems.map((badge, index) => {
+        const href = getBadgeHref(badge);
+        const className =
+          'inline-flex items-center px-2 py-0.5 text-[11px] font-normal rounded-md max-w-[140px] truncate border border-[rgb(var(--ec-page-border))] text-[rgb(var(--ec-page-text-muted))] bg-transparent';
+
+        return href ? (
+          <a
+            key={`${badge.content}-${index}`}
+            href={href}
+            className={className}
+            style={getBadgeReactStyle(badge)}
+            title={badge.content}
+          >
+            <span className="truncate">{badge.content}</span>
+            <ArrowTopRightOnSquareIcon className="ml-1 h-3 w-3 shrink-0 opacity-70" aria-hidden="true" />
+          </a>
+        ) : (
+          <span key={`${badge.content}-${index}`} className={className} style={getBadgeReactStyle(badge)} title={badge.content}>
+            {badge.content}
+          </span>
+        );
+      })}
       {hiddenCount > 0 && (
         <button onClick={() => setIsExpanded(!isExpanded)} className="text-xs text-[rgb(var(--ec-accent))] hover:underline">
           {isExpanded ? 'less' : `+${hiddenCount}`}

package/eventcatalog/src/components/Tables/Table.tsx

@@ -58,6 +58,7 @@ export type TData<T extends TCollectionTypes> = {
       backgroundColor: string;
       textColor: string;
       icon: any; // Where is it defined?
+      url?: string;
     }>;
     // ---------------------------------------------------------------------------
     // Domains

package/eventcatalog/src/components/Tables/columns/SharedColumns.tsx

@@ -1,6 +1,7 @@
 import { createColumnHelper } from '@tanstack/react-table';
 import { useState } from 'react';
-import { getBadgeReactStyle } from '@utils/badge-styles';
+import { ArrowTopRightOnSquareIcon } from '@heroicons/react/20/solid';
+import { getBadgeHref, getBadgeReactStyle } from '@utils/badge-styles';
 import { filterByBadge } from '../filters/custom-filters';
 import type { TCollectionTypes, TData } from '../Table';
 import type { TableConfiguration } from '@types';
@@ -24,16 +25,28 @@ export const createBadgesColumn = <T extends { data: Pick<TData<U>['data'], 'bad
 
       return (
         <div className="flex flex-wrap gap-1 items-center">
-          {visibleItems.map((badge, index) => (
-            <span
-              key={`${badge.id}-${index}`}
-              className="inline-flex items-center px-2 py-0.5 text-xs font-medium rounded-md border border-[rgb(var(--ec-accent)/0.5)] text-[rgb(var(--ec-page-text))] bg-transparent"
-              style={getBadgeReactStyle(badge)}
-              title={badge.content}
-            >
-              {badge.content}
-            </span>
-          ))}
+          {visibleItems.map((badge, index) => {
+            const href = getBadgeHref(badge);
+            const className =
+              'inline-flex items-center px-2 py-0.5 text-xs font-medium rounded-md border border-[rgb(var(--ec-accent)/0.5)] text-[rgb(var(--ec-page-text))] bg-transparent';
+
+            return href ? (
+              <a
+                key={`${badge.id}-${index}`}
+                href={href}
+                className={className}
+                style={getBadgeReactStyle(badge)}
+                title={badge.content}
+              >
+                <span>{badge.content}</span>
+                <ArrowTopRightOnSquareIcon className="ml-1 h-3 w-3 shrink-0 opacity-70" aria-hidden="true" />
+              </a>
+            ) : (
+              <span key={`${badge.id}-${index}`} className={className} style={getBadgeReactStyle(badge)} title={badge.content}>
+                {badge.content}
+              </span>
+            );
+          })}
           {hiddenCount > 0 && (
             <button onClick={() => setIsExpanded(!isExpanded)} className="text-xs text-[rgb(var(--ec-accent))] hover:underline">
               {isExpanded ? 'less' : `+${hiddenCount}`}

package/eventcatalog/src/content.config-shared-collections.ts

@@ -6,6 +6,7 @@ export const badge = z.object({
   backgroundColor: z.string(),
   textColor: z.string(),
   icon: z.string().optional(),
+  url: z.string().optional(),
 });
 
 // Create a union type for owners

package/eventcatalog/src/enterprise/auth/middleware/middleware-auth.ts

@@ -6,7 +6,7 @@
 // src/middleware/auth.ts
 import type { MiddlewareHandler } from 'astro';
 import { getSession } from 'auth-astro/server';
-import { isAuthEnabled } from '@utils/feature';
+import { isAuthEnabled, isEventCatalogMCPAuthEnabled } from '@utils/feature';
 import jwt from 'jsonwebtoken';
 import { isLLMSTxtEnabled } from '@utils/feature';
 
@@ -97,6 +97,10 @@ export function getPublicRoutes(isLLMSTextEnabled: boolean) {
   ];
 }
 
+export function isMcpRoute(pathname: string) {
+  return pathname === '/docs/mcp' || pathname.startsWith('/docs/mcp/');
+}
+
 export const authMiddleware: MiddlewareHandler = async (context, next) => {
   const { request, redirect, locals } = context;
   const url = new URL(request.url);
@@ -118,6 +122,7 @@ export const authMiddleware: MiddlewareHandler = async (context, next) => {
 
   if (
     pathname.startsWith('/_') ||
+    (isEventCatalogMCPAuthEnabled() && isMcpRoute(pathname)) ||
     systemRoutes.some((route) => pathname.startsWith(route)) ||
     pathname.startsWith('/.well-known/') ||
     publicRoutes.some((route) => pathname.startsWith(route)) ||

package/eventcatalog/src/enterprise/custom-documentation/pages/docs/custom/index.astro

@@ -5,6 +5,7 @@ import config from '@config';
 import { AlignLeftIcon, UserIcon, UsersIcon } from 'lucide-react';
 
 import mdxComponents from '@components/MDX/components';
+import Badge from '@components/Badge.astro';
 
 import { getOwner } from '@utils/collections/owners';
 import { buildUrl, buildEditUrlForResource } from '@utils/url-builder';
@@ -117,24 +118,7 @@ const editUrl =
                 badges && badges.length > 0 && (
                   <div class="flex flex-wrap gap-3 py-2">
                     {badges.map((badge: any) => {
-                      return (
-                        <a href={badge.url || '#'}>
-                          <span
-                            id={badge.id || ''}
-                            class={`
-                              inline-flex items-center gap-2 px-3 py-1.5 rounded-lg text-sm font-medium
-                              bg-[rgb(var(--ec-content-hover))] border border-[rgb(var(--ec-page-border))]
-                              text-[rgb(var(--ec-page-text))]
-                              shadow-xs
-                              ${badge.class ? badge.class : ''}
-                            `}
-                          >
-                            {badge.icon && <badge.icon className="w-4 h-4 flex-shrink-0 text-[rgb(var(--ec-icon-color))]" />}
-                            {badge.iconURL && <img src={badge.iconURL} class="w-4 h-4 flex-shrink-0 opacity-80" alt="" />}
-                            <span>{badge.content}</span>
-                          </span>
-                        </a>
-                      );
+                      return <Badge badge={badge} />;
                     })}
                   </div>
                 )

package/eventcatalog/src/enterprise/feature.ts

@@ -66,6 +66,8 @@ export const isDiagramComparisonEnabled = () => isEventCatalogScaleEnabled();
 
 export const isEventCatalogMCPEnabled = () => isEventCatalogScaleEnabled() && isSSR();
 
+export const isEventCatalogMCPAuthEnabled = () => isEventCatalogMCPEnabled() && (config?.mcp?.auth?.enabled ?? false);
+
 export const isIntegrationsEnabled = () => isEventCatalogScaleEnabled();
 
 export const isExportPDFEnabled = () => true;

package/eventcatalog/src/enterprise/integrations/eventcatalog-features.ts

@@ -12,6 +12,7 @@ import {
   isEventCatalogScaleEnabled,
   isEventCatalogStarterEnabled,
   isEventCatalogMCPEnabled,
+  isEventCatalogMCPAuthEnabled,
   isFullCatalogAPIEnabled,
   isDevMode,
   isIntegrationsEnabled,
@@ -72,6 +73,17 @@ export default function eventCatalogIntegration(): AstroIntegration {
           });
         }
 
+        if (isEventCatalogMCPAuthEnabled()) {
+          params.injectRoute({
+            pattern: '/.well-known/oauth-protected-resource',
+            entrypoint: path.join(catalogDirectory, 'src/enterprise/mcp/oauth-protected-resource.ts'),
+          });
+          params.injectRoute({
+            pattern: '/.well-known/oauth-protected-resource/[...path]',
+            entrypoint: path.join(catalogDirectory, 'src/enterprise/mcp/oauth-protected-resource.ts'),
+          });
+        }
+
         // Handle routes for authentication
         if (isAuthEnabled()) {
           configureAuthentication(params);

package/eventcatalog/src/enterprise/mcp/mcp-auth.ts

@@ -0,0 +1,266 @@
+/**
+ * Licensed under the EventCatalog Commercial License.
+ * See /packages/core/eventcatalog/src/enterprise/LICENSE
+ */
+
+import jwt, { type Algorithm, type JwtPayload } from 'jsonwebtoken';
+import { createPublicKey, type JsonWebKey, type KeyObject } from 'node:crypto';
+import config from '../../../eventcatalog.config.js';
+import type { Config } from '../../../../src/eventcatalog.config';
+
+type ConfiguredMcpAuth = NonNullable<NonNullable<Config['mcp']>['auth']>;
+
+export type McpAuthConfig = ConfiguredMcpAuth;
+
+type TokenClaims = JwtPayload & {
+  scope?: string;
+  scp?: string[];
+};
+
+type JwksKey = JsonWebKey & {
+  kid?: string;
+};
+
+type AuthFailure = {
+  ok: false;
+  status: 401 | 403;
+  error: string;
+  description: string;
+  requiredScopes: string[];
+  metadataUrl: string;
+};
+
+export type McpAuthResult =
+  | {
+      ok: true;
+      claims?: TokenClaims;
+    }
+  | AuthFailure;
+
+const jwksCache = new Map<string, { expiresAt: number; keys: JwksKey[] }>();
+
+const quote = (value: string) => `"${value.replace(/\\/g, '\\\\').replace(/"/g, '\\"')}"`;
+
+export const getMcpAuthConfig = (): McpAuthConfig | undefined => config?.mcp?.auth;
+
+export const isMcpAuthEnabled = (
+  authConfig: McpAuthConfig | undefined = getMcpAuthConfig()
+): authConfig is McpAuthConfig & { enabled: true } => authConfig?.enabled === true;
+
+export function getMcpResourceUrl(request: Request, authConfig: McpAuthConfig | undefined = getMcpAuthConfig()) {
+  if (authConfig?.resource) return authConfig.resource;
+  return new URL('/docs/mcp', request.url).href;
+}
+
+export function getMcpProtectedResourceMetadataUrl(request: Request, authConfig: McpAuthConfig | undefined = getMcpAuthConfig()) {
+  if (authConfig?.protectedResourceMetadataUrl) return authConfig.protectedResourceMetadataUrl;
+  return new URL('/.well-known/oauth-protected-resource', request.url).href;
+}
+
+export function getMcpRequiredScopes(authConfig: McpAuthConfig | undefined = getMcpAuthConfig()) {
+  return authConfig?.requiredScopes ?? [];
+}
+
+export function getMcpProtectedResourceMetadata(request: Request, authConfig: McpAuthConfig | undefined = getMcpAuthConfig()) {
+  if (!isMcpAuthEnabled(authConfig)) return undefined;
+
+  return {
+    resource: getMcpResourceUrl(request, authConfig),
+    authorization_servers: authConfig?.authorizationServers ?? [],
+    scopes_supported: getMcpRequiredScopes(authConfig),
+  };
+}
+
+export function createWwwAuthenticateHeader(failure: AuthFailure) {
+  const params = [
+    `realm=${quote('mcp')}`,
+    `resource_metadata=${quote(failure.metadataUrl)}`,
+    failure.requiredScopes.length > 0 ? `scope=${quote(failure.requiredScopes.join(' '))}` : undefined,
+    failure.error ? `error=${quote(failure.error)}` : undefined,
+    failure.description ? `error_description=${quote(failure.description)}` : undefined,
+  ].filter(Boolean);
+
+  return `Bearer ${params.join(', ')}`;
+}
+
+export function createMcpAuthErrorResponse(failure: AuthFailure) {
+  return new Response(JSON.stringify({ error: failure.error, message: failure.description }), {
+    status: failure.status,
+    headers: {
+      'Content-Type': 'application/json',
+      'WWW-Authenticate': createWwwAuthenticateHeader(failure),
+    },
+  });
+}
+
+export async function validateMcpRequest(
+  request: Request,
+  authConfig: McpAuthConfig | undefined = getMcpAuthConfig()
+): Promise<McpAuthResult> {
+  if (!isMcpAuthEnabled(authConfig)) return { ok: true };
+
+  const metadataUrl = getMcpProtectedResourceMetadataUrl(request, authConfig);
+  const requiredScopes = getMcpRequiredScopes(authConfig);
+  const authHeader = request.headers.get('Authorization');
+  const bearerMatch = authHeader?.match(/^Bearer\s+(.*)$/i);
+
+  if (!bearerMatch) {
+    return {
+      ok: false,
+      status: 401,
+      error: 'invalid_token',
+      description: 'Missing Bearer access token',
+      requiredScopes,
+      metadataUrl,
+    };
+  }
+
+  const token = bearerMatch[1].trim();
+
+  if (!token) {
+    return {
+      ok: false,
+      status: 401,
+      error: 'invalid_token',
+      description: 'Missing Bearer access token',
+      requiredScopes,
+      metadataUrl,
+    };
+  }
+
+  try {
+    const claims = await verifyAccessToken(token, request, authConfig);
+    const missingScopes = getMissingScopes(claims, requiredScopes);
+
+    if (missingScopes.length > 0) {
+      return {
+        ok: false,
+        status: 403,
+        error: 'insufficient_scope',
+        description: `Missing required scope${missingScopes.length > 1 ? 's' : ''}: ${missingScopes.join(' ')}`,
+        requiredScopes,
+        metadataUrl,
+      };
+    }
+
+    return { ok: true, claims };
+  } catch {
+    return {
+      ok: false,
+      status: 401,
+      error: 'invalid_token',
+      description: 'Invalid or expired Bearer access token',
+      requiredScopes,
+      metadataUrl,
+    };
+  }
+}
+
+async function verifyAccessToken(token: string, request: Request, authConfig: McpAuthConfig): Promise<TokenClaims> {
+  const decoded = jwt.decode(token, { complete: true });
+  const algorithm = decoded && typeof decoded === 'object' ? (decoded.header.alg as Algorithm | undefined) : undefined;
+
+  if (!algorithm || algorithm === 'none') {
+    throw new Error('Unsupported JWT algorithm');
+  }
+
+  const key = await getVerificationKey(token, authConfig);
+  const audience = getJwtAudience(authConfig.audience ?? getMcpResourceUrl(request, authConfig));
+
+  const payload = jwt.verify(token, key, {
+    audience,
+    issuer: authConfig.issuer,
+    algorithms: [algorithm],
+    clockTolerance: 5,
+  });
+
+  if (!payload || typeof payload === 'string') {
+    throw new Error('Invalid JWT payload');
+  }
+
+  return payload as TokenClaims;
+}
+
+async function getVerificationKey(token: string, authConfig: McpAuthConfig): Promise<string | Buffer | KeyObject> {
+  const sharedSecret = getConfiguredValue(authConfig.sharedSecret, authConfig.sharedSecretEnvVar);
+  if (sharedSecret) return sharedSecret;
+
+  const publicKey = getConfiguredValue(authConfig.publicKey, authConfig.publicKeyEnvVar);
+  if (publicKey) return publicKey;
+
+  if (authConfig.jwksUri) {
+    return getJwksVerificationKey(token, authConfig.jwksUri);
+  }
+
+  throw new Error('MCP auth requires jwksUri, publicKey, publicKeyEnvVar, sharedSecret, or sharedSecretEnvVar');
+}
+
+function getConfiguredValue(value: string | undefined, envVar: string | undefined) {
+  if (value) return value;
+  if (envVar) return process.env[envVar];
+  return undefined;
+}
+
+async function getJwksVerificationKey(token: string, jwksUri: string) {
+  const decoded = jwt.decode(token, { complete: true });
+  const kid = decoded && typeof decoded === 'object' ? decoded.header.kid : undefined;
+  const keys = await getJwksKeys(jwksUri);
+  const jwk = keys.find((key) => (kid ? key.kid === kid : keys.length === 1));
+
+  if (!jwk) {
+    throw new Error('No matching JWKS key found for token');
+  }
+
+  return createPublicKey({ key: jwk, format: 'jwk' });
+}
+
+function getJwtAudience(audience: string | string[]) {
+  if (Array.isArray(audience)) {
+    if (audience.length === 0) return undefined;
+    return audience as [string, ...string[]];
+  }
+
+  return audience;
+}
+
+async function getJwksKeys(jwksUri: string): Promise<JwksKey[]> {
+  const cached = jwksCache.get(jwksUri);
+  if (cached && cached.expiresAt > Date.now()) {
+    return cached.keys;
+  }
+
+  const response = await fetch(jwksUri, {
+    headers: {
+      Accept: 'application/json',
+    },
+  });
+
+  if (!response.ok) {
+    throw new Error(`Failed to fetch JWKS: ${response.status}`);
+  }
+
+  const body = (await response.json()) as { keys?: JwksKey[] };
+  const keys = body.keys ?? [];
+  jwksCache.set(jwksUri, { keys, expiresAt: Date.now() + 5 * 60 * 1000 });
+  return keys;
+}
+
+function getMissingScopes(claims: TokenClaims, requiredScopes: string[]) {
+  if (requiredScopes.length === 0) return [];
+
+  const scopes = new Set<string>();
+
+  if (typeof claims.scope === 'string') {
+    for (const scope of claims.scope.split(/\s+/)) {
+      if (scope) scopes.add(scope);
+    }
+  }
+
+  if (Array.isArray(claims.scp)) {
+    for (const scope of claims.scp) {
+      scopes.add(scope);
+    }
+  }
+
+  return requiredScopes.filter((scope) => !scopes.has(scope));
+}

package/eventcatalog/src/enterprise/mcp/mcp-server.ts

@@ -32,6 +32,7 @@ import {
   toolDescriptions,
 } from '@enterprise/tools/catalog-tools';
 import { getCollection } from 'astro:content';
+import { createMcpAuthErrorResponse, validateMcpRequest } from './mcp-auth';
 
 const catalogDirectory = process.env.PROJECT_DIR || process.cwd();
 
@@ -462,6 +463,12 @@ const mcpResources = [
 
 // Health check endpoint
 app.get('/', async (c: Context) => {
+  const auth = await validateMcpRequest(c.req.raw);
+
+  if (!auth.ok) {
+    return createMcpAuthErrorResponse(auth);
+  }
+
   return c.json({
     name: 'EventCatalog MCP Server',
     version: '1.0.0',
@@ -475,6 +482,12 @@ app.get('/', async (c: Context) => {
 // MCP protocol endpoint - handles POST requests for MCP protocol
 app.post('/', async (c: Context) => {
   try {
+    const auth = await validateMcpRequest(c.req.raw);
+
+    if (!auth.ok) {
+      return createMcpAuthErrorResponse(auth);
+    }
+
     // Create fresh server and transport per request — the MCP SDK's
     // WebStandardStreamableHTTPServerTransport is single-use in stateless
     // mode: it sets _hasHandledRequest=true after the first call and throws