@eventcatalog/core 3.39.6 → 3.40.0

package/dist/analytics/analytics.cjs

@@ -37,7 +37,7 @@ var import_axios = __toESM(require("axios"), 1);
 var import_os = __toESM(require("os"), 1);
 
 // package.json
-var version = "3.39.6";
+var version = "3.40.0";
 
 // src/constants.ts
 var VERSION = version;

package/dist/analytics/analytics.js

@@ -1,7 +1,7 @@
 import {
   raiseEvent
-} from "../chunk-ORVOST63.js";
-import "../chunk-IKZ5ITXP.js";
+} from "../chunk-WFNAWDCB.js";
+import "../chunk-UPI6QQEZ.js";
 export {
   raiseEvent
 };

package/dist/analytics/log-build.cjs

@@ -111,7 +111,7 @@ var import_axios = __toESM(require("axios"), 1);
 var import_os = __toESM(require("os"), 1);
 
 // package.json
-var version = "3.39.6";
+var version = "3.40.0";
 
 // src/constants.ts
 var VERSION = version;

package/dist/analytics/log-build.js

@@ -1,9 +1,9 @@
 import {
   log_build_default
-} from "../chunk-MQAZ4LXP.js";
-import "../chunk-ORVOST63.js";
+} from "../chunk-72BKUYSR.js";
+import "../chunk-WFNAWDCB.js";
 import "../chunk-4UVFXLPI.js";
-import "../chunk-IKZ5ITXP.js";
+import "../chunk-UPI6QQEZ.js";
 import "../chunk-5T63CXKU.js";
 export {
   log_build_default as default

package/dist/{chunk-MQAZ4LXP.js → chunk-72BKUYSR.js}

@@ -1,6 +1,6 @@
 import {
   raiseEvent
-} from "./chunk-ORVOST63.js";
+} from "./chunk-WFNAWDCB.js";
 import {
   countResources,
   serializeCounts

package/dist/{chunk-4OSFLWLG.js → chunk-J5CG7FRO.js}

@@ -1,6 +1,6 @@
 import {
   VERSION
-} from "./chunk-IKZ5ITXP.js";
+} from "./chunk-UPI6QQEZ.js";
 
 // src/utils/cli-logger.ts
 import pc from "picocolors";

package/dist/{chunk-LEUIMTEQ.js → chunk-K762FILQ.js}

@@ -1,6 +1,6 @@
 import {
   logger
-} from "./chunk-4OSFLWLG.js";
+} from "./chunk-J5CG7FRO.js";
 import {
   cleanup,
   getEventCatalogConfigFile

package/dist/{chunk-IKZ5ITXP.js → chunk-UPI6QQEZ.js}

@@ -1,5 +1,5 @@
 // package.json
-var version = "3.39.6";
+var version = "3.40.0";
 
 // src/constants.ts
 var VERSION = version;

package/dist/{chunk-ORVOST63.js → chunk-WFNAWDCB.js}

@@ -1,6 +1,6 @@
 import {
   VERSION
-} from "./chunk-IKZ5ITXP.js";
+} from "./chunk-UPI6QQEZ.js";
 
 // src/analytics/analytics.js
 import axios from "axios";

package/dist/constants.cjs

@@ -25,7 +25,7 @@ __export(constants_exports, {
 module.exports = __toCommonJS(constants_exports);
 
 // package.json
-var version = "3.39.6";
+var version = "3.40.0";
 
 // src/constants.ts
 var VERSION = version;

package/dist/constants.js

@@ -1,6 +1,6 @@
 import {
   VERSION
-} from "./chunk-IKZ5ITXP.js";
+} from "./chunk-UPI6QQEZ.js";
 export {
   VERSION
 };

package/dist/docs/development/ask-your-architecture/03-mcp-server/getting-started.md

@@ -45,6 +45,78 @@ Visit the endpoint in your browser to verify. It returns available tools and res
 }
 ```
 
+### Protect with OAuth
+
+<AddedIn version="3.40.0" />
+
+The built-in MCP server can be protected with OAuth Bearer tokens, following the MCP authorization specification for HTTP transports.
+
+EventCatalog acts as the OAuth protected resource server for `/docs/mcp`. Your identity provider or authorization server remains responsible for user login, consent, client registration, `/authorize`, `/oauth/token`, and token refresh.
+
+Configure MCP authorization in `eventcatalog.config.js`:
+
+```js title="eventcatalog.config.js"
+module.exports = {
+  output: 'server',
+  mcp: {
+    auth: {
+      enabled: true,
+      resource: 'https://your-eventcatalog.com/docs/mcp',
+      authorizationServers: ['https://auth.example.com'],
+      issuer: 'https://auth.example.com',
+      audience: 'https://your-eventcatalog.com/docs/mcp',
+      requiredScopes: ['catalog:read'],
+      jwksUri: 'https://auth.example.com/.well-known/jwks.json',
+    },
+  },
+};
+```
+
+When enabled, EventCatalog serves protected resource metadata at `/.well-known/oauth-protected-resource`. Unauthenticated MCP clients receive a `401 Unauthorized` response with a `WWW-Authenticate` header pointing at that document. MCP clients then obtain an access token from the advertised authorization server and call `/docs/mcp` with:
+
+```http
+Authorization: Bearer <access-token>
+```
+
+The access token must be valid, unexpired, issued by the configured issuer, intended for the configured audience, and include all required scopes.
+
+#### Key signing options
+
+Choose one of the following strategies for token validation:
+
+| Strategy | Config fields |
+|---|---|
+| JWKS endpoint (recommended) | `jwksUri` |
+| Inline asymmetric public key | `publicKey` or `publicKeyEnvVar` |
+| Symmetric shared secret | `sharedSecret` or `sharedSecretEnvVar` |
+
+Prefer `publicKeyEnvVar` or `sharedSecretEnvVar` over inline values to avoid committing secrets to source control.
+
+#### All options
+
+| Field | Required | Description |
+|---|---|---|
+| `enabled` | Yes | Enables OAuth Bearer token validation |
+| `resource` | No | Absolute URL of the MCP resource. Set this explicitly when behind a proxy |
+| `protectedResourceMetadataUrl` | No | URL for the protected resource metadata document. Defaults to `/.well-known/oauth-protected-resource` |
+| `authorizationServers` | No | Authorization server URLs advertised to MCP clients |
+| `issuer` | No | Expected token issuer (`iss` claim) |
+| `audience` | No | Expected token audience (`aud` claim). Defaults to `resource` |
+| `requiredScopes` | No | Scopes every token must include |
+| `jwksUri` | No | JWKS endpoint for asymmetric JWT validation |
+| `publicKey` | No | Inline public key for asymmetric JWT validation |
+| `publicKeyEnvVar` | No | Environment variable containing the public key |
+| `sharedSecret` | No | Inline shared secret for symmetric JWT validation |
+| `sharedSecretEnvVar` | No | Environment variable containing the shared secret |
+
+:::note Existing website authentication
+The `auth.enabled` and `eventcatalog.auth.js` settings protect the EventCatalog website with browser sessions. MCP authorization is separate because MCP clients authenticate with Bearer tokens, not browser cookies.
+:::
+
+:::tip Authorization server discovery
+EventCatalog serves `/.well-known/oauth-protected-resource` for MCP client discovery. It does not serve `/.well-known/oauth-authorization-server`, `/authorize`, or `/oauth/token` -- those endpoints must be provided by the authorization server listed in `authorizationServers`. If your MCP client expects those endpoints on the catalog host, proxy the authorization server behind that host with your load balancer or reverse proxy.
+:::
+
 ### Connect clients
 
 <details>

package/dist/eventcatalog.cjs

@@ -114,7 +114,7 @@ var verifyRequiredFieldsAreInCatalogConfigFile = async (projectDirectory) => {
 var import_picocolors = __toESM(require("picocolors"), 1);
 
 // package.json
-var version = "3.39.6";
+var version = "3.40.0";
 
 // src/constants.ts
 var VERSION = version;

package/dist/eventcatalog.config.d.cts

@@ -47,6 +47,47 @@ type PagesConfiguration = {
 type AuthConfig = {
     enabled: boolean;
 };
+type McpAuthConfig = {
+    /**
+     * Require OAuth Bearer tokens for the built-in MCP server.
+     * EventCatalog acts as the MCP protected resource server; the
+     * configured authorization server remains responsible for login,
+     * consent, token issuance, and client registration.
+     */
+    enabled?: boolean;
+    /**
+     * Absolute URL for the MCP resource. Defaults to the request origin
+     * plus `/docs/mcp`, but production deployments behind proxies should
+     * set this explicitly.
+     */
+    resource?: string;
+    /**
+     * Optional absolute URL for the OAuth Protected Resource Metadata
+     * document. Defaults to `/.well-known/oauth-protected-resource`.
+     */
+    protectedResourceMetadataUrl?: string;
+    /** Authorization server issuer/base URLs advertised to MCP clients. */
+    authorizationServers?: string[];
+    /** Expected token issuer (`iss`). */
+    issuer?: string;
+    /** Expected token audience (`aud`). Defaults to `resource`. */
+    audience?: string | string[];
+    /** Scopes required to call the MCP server. */
+    requiredScopes?: string[];
+    /** JWKS endpoint used to validate asymmetric JWT access tokens. */
+    jwksUri?: string;
+    /** Inline public key for asymmetric JWT validation. */
+    publicKey?: string;
+    /** Environment variable containing the public key. */
+    publicKeyEnvVar?: string;
+    /** Inline shared secret for symmetric JWT validation. Prefer `sharedSecretEnvVar`. */
+    sharedSecret?: string;
+    /** Environment variable containing the shared secret. */
+    sharedSecretEnvVar?: string;
+};
+type McpConfig = {
+    auth?: McpAuthConfig;
+};
 type GA4Config = {
     measurementId: string;
 };
@@ -90,6 +131,7 @@ interface Config {
      */
     theme?: CatalogTheme;
     auth?: AuthConfig;
+    mcp?: McpConfig;
     rss?: {
         enabled: boolean;
         limit: number;

package/dist/eventcatalog.config.d.ts

@@ -47,6 +47,47 @@ type PagesConfiguration = {
 type AuthConfig = {
     enabled: boolean;
 };
+type McpAuthConfig = {
+    /**
+     * Require OAuth Bearer tokens for the built-in MCP server.
+     * EventCatalog acts as the MCP protected resource server; the
+     * configured authorization server remains responsible for login,
+     * consent, token issuance, and client registration.
+     */
+    enabled?: boolean;
+    /**
+     * Absolute URL for the MCP resource. Defaults to the request origin
+     * plus `/docs/mcp`, but production deployments behind proxies should
+     * set this explicitly.
+     */
+    resource?: string;
+    /**
+     * Optional absolute URL for the OAuth Protected Resource Metadata
+     * document. Defaults to `/.well-known/oauth-protected-resource`.
+     */
+    protectedResourceMetadataUrl?: string;
+    /** Authorization server issuer/base URLs advertised to MCP clients. */
+    authorizationServers?: string[];
+    /** Expected token issuer (`iss`). */
+    issuer?: string;
+    /** Expected token audience (`aud`). Defaults to `resource`. */
+    audience?: string | string[];
+    /** Scopes required to call the MCP server. */
+    requiredScopes?: string[];
+    /** JWKS endpoint used to validate asymmetric JWT access tokens. */
+    jwksUri?: string;
+    /** Inline public key for asymmetric JWT validation. */
+    publicKey?: string;
+    /** Environment variable containing the public key. */
+    publicKeyEnvVar?: string;
+    /** Inline shared secret for symmetric JWT validation. Prefer `sharedSecretEnvVar`. */
+    sharedSecret?: string;
+    /** Environment variable containing the shared secret. */
+    sharedSecretEnvVar?: string;
+};
+type McpConfig = {
+    auth?: McpAuthConfig;
+};
 type GA4Config = {
     measurementId: string;
 };
@@ -90,6 +131,7 @@ interface Config {
      */
     theme?: CatalogTheme;
     auth?: AuthConfig;
+    mcp?: McpConfig;
     rss?: {
         enabled: boolean;
         limit: number;

package/dist/eventcatalog.js

@@ -13,8 +13,8 @@ import {
 } from "./chunk-K3ZVEX2Y.js";
 import {
   log_build_default
-} from "./chunk-MQAZ4LXP.js";
-import "./chunk-ORVOST63.js";
+} from "./chunk-72BKUYSR.js";
+import "./chunk-WFNAWDCB.js";
 import "./chunk-4UVFXLPI.js";
 import {
   catalogToAstro
@@ -28,13 +28,13 @@ import {
 } from "./chunk-ULZYHF3V.js";
 import {
   generate
-} from "./chunk-LEUIMTEQ.js";
+} from "./chunk-K762FILQ.js";
 import {
   logger
-} from "./chunk-4OSFLWLG.js";
+} from "./chunk-J5CG7FRO.js";
 import {
   VERSION
-} from "./chunk-IKZ5ITXP.js";
+} from "./chunk-UPI6QQEZ.js";
 import {
   getEventCatalogConfigFile,
   verifyRequiredFieldsAreInCatalogConfigFile

package/dist/generate.cjs

@@ -78,7 +78,7 @@ var getEventCatalogConfigFile = async (projectDirectory) => {
 var import_picocolors = __toESM(require("picocolors"), 1);
 
 // package.json
-var version = "3.39.6";
+var version = "3.40.0";
 
 // src/constants.ts
 var VERSION = version;

package/dist/generate.js

@@ -1,8 +1,8 @@
 import {
   generate
-} from "./chunk-LEUIMTEQ.js";
-import "./chunk-4OSFLWLG.js";
-import "./chunk-IKZ5ITXP.js";
+} from "./chunk-K762FILQ.js";
+import "./chunk-J5CG7FRO.js";
+import "./chunk-UPI6QQEZ.js";
 import "./chunk-5T63CXKU.js";
 export {
   generate

package/dist/utils/cli-logger.cjs

@@ -36,7 +36,7 @@ module.exports = __toCommonJS(cli_logger_exports);
 var import_picocolors = __toESM(require("picocolors"), 1);
 
 // package.json
-var version = "3.39.6";
+var version = "3.40.0";
 
 // src/constants.ts
 var VERSION = version;

package/dist/utils/cli-logger.js

@@ -1,7 +1,7 @@
 import {
   logger
-} from "../chunk-4OSFLWLG.js";
-import "../chunk-IKZ5ITXP.js";
+} from "../chunk-J5CG7FRO.js";
+import "../chunk-UPI6QQEZ.js";
 export {
   logger
 };

package/eventcatalog/src/enterprise/auth/middleware/middleware-auth.ts

@@ -6,7 +6,7 @@
 // src/middleware/auth.ts
 import type { MiddlewareHandler } from 'astro';
 import { getSession } from 'auth-astro/server';
-import { isAuthEnabled } from '@utils/feature';
+import { isAuthEnabled, isEventCatalogMCPAuthEnabled } from '@utils/feature';
 import jwt from 'jsonwebtoken';
 import { isLLMSTxtEnabled } from '@utils/feature';
 
@@ -97,6 +97,10 @@ export function getPublicRoutes(isLLMSTextEnabled: boolean) {
   ];
 }
 
+export function isMcpRoute(pathname: string) {
+  return pathname === '/docs/mcp' || pathname.startsWith('/docs/mcp/');
+}
+
 export const authMiddleware: MiddlewareHandler = async (context, next) => {
   const { request, redirect, locals } = context;
   const url = new URL(request.url);
@@ -118,6 +122,7 @@ export const authMiddleware: MiddlewareHandler = async (context, next) => {
 
   if (
     pathname.startsWith('/_') ||
+    (isEventCatalogMCPAuthEnabled() && isMcpRoute(pathname)) ||
     systemRoutes.some((route) => pathname.startsWith(route)) ||
     pathname.startsWith('/.well-known/') ||
     publicRoutes.some((route) => pathname.startsWith(route)) ||

package/eventcatalog/src/enterprise/feature.ts

@@ -66,6 +66,8 @@ export const isDiagramComparisonEnabled = () => isEventCatalogScaleEnabled();
 
 export const isEventCatalogMCPEnabled = () => isEventCatalogScaleEnabled() && isSSR();
 
+export const isEventCatalogMCPAuthEnabled = () => isEventCatalogMCPEnabled() && (config?.mcp?.auth?.enabled ?? false);
+
 export const isIntegrationsEnabled = () => isEventCatalogScaleEnabled();
 
 export const isExportPDFEnabled = () => true;

package/eventcatalog/src/enterprise/integrations/eventcatalog-features.ts

@@ -12,6 +12,7 @@ import {
   isEventCatalogScaleEnabled,
   isEventCatalogStarterEnabled,
   isEventCatalogMCPEnabled,
+  isEventCatalogMCPAuthEnabled,
   isFullCatalogAPIEnabled,
   isDevMode,
   isIntegrationsEnabled,
@@ -72,6 +73,17 @@ export default function eventCatalogIntegration(): AstroIntegration {
           });
         }
 
+        if (isEventCatalogMCPAuthEnabled()) {
+          params.injectRoute({
+            pattern: '/.well-known/oauth-protected-resource',
+            entrypoint: path.join(catalogDirectory, 'src/enterprise/mcp/oauth-protected-resource.ts'),
+          });
+          params.injectRoute({
+            pattern: '/.well-known/oauth-protected-resource/[...path]',
+            entrypoint: path.join(catalogDirectory, 'src/enterprise/mcp/oauth-protected-resource.ts'),
+          });
+        }
+
         // Handle routes for authentication
         if (isAuthEnabled()) {
           configureAuthentication(params);

package/eventcatalog/src/enterprise/mcp/mcp-auth.ts

@@ -0,0 +1,266 @@
+/**
+ * Licensed under the EventCatalog Commercial License.
+ * See /packages/core/eventcatalog/src/enterprise/LICENSE
+ */
+
+import jwt, { type Algorithm, type JwtPayload } from 'jsonwebtoken';
+import { createPublicKey, type JsonWebKey, type KeyObject } from 'node:crypto';
+import config from '../../../eventcatalog.config.js';
+import type { Config } from '../../../../src/eventcatalog.config';
+
+type ConfiguredMcpAuth = NonNullable<NonNullable<Config['mcp']>['auth']>;
+
+export type McpAuthConfig = ConfiguredMcpAuth;
+
+type TokenClaims = JwtPayload & {
+  scope?: string;
+  scp?: string[];
+};
+
+type JwksKey = JsonWebKey & {
+  kid?: string;
+};
+
+type AuthFailure = {
+  ok: false;
+  status: 401 | 403;
+  error: string;
+  description: string;
+  requiredScopes: string[];
+  metadataUrl: string;
+};
+
+export type McpAuthResult =
+  | {
+      ok: true;
+      claims?: TokenClaims;
+    }
+  | AuthFailure;
+
+const jwksCache = new Map<string, { expiresAt: number; keys: JwksKey[] }>();
+
+const quote = (value: string) => `"${value.replace(/\\/g, '\\\\').replace(/"/g, '\\"')}"`;
+
+export const getMcpAuthConfig = (): McpAuthConfig | undefined => config?.mcp?.auth;
+
+export const isMcpAuthEnabled = (
+  authConfig: McpAuthConfig | undefined = getMcpAuthConfig()
+): authConfig is McpAuthConfig & { enabled: true } => authConfig?.enabled === true;
+
+export function getMcpResourceUrl(request: Request, authConfig: McpAuthConfig | undefined = getMcpAuthConfig()) {
+  if (authConfig?.resource) return authConfig.resource;
+  return new URL('/docs/mcp', request.url).href;
+}
+
+export function getMcpProtectedResourceMetadataUrl(request: Request, authConfig: McpAuthConfig | undefined = getMcpAuthConfig()) {
+  if (authConfig?.protectedResourceMetadataUrl) return authConfig.protectedResourceMetadataUrl;
+  return new URL('/.well-known/oauth-protected-resource', request.url).href;
+}
+
+export function getMcpRequiredScopes(authConfig: McpAuthConfig | undefined = getMcpAuthConfig()) {
+  return authConfig?.requiredScopes ?? [];
+}
+
+export function getMcpProtectedResourceMetadata(request: Request, authConfig: McpAuthConfig | undefined = getMcpAuthConfig()) {
+  if (!isMcpAuthEnabled(authConfig)) return undefined;
+
+  return {
+    resource: getMcpResourceUrl(request, authConfig),
+    authorization_servers: authConfig?.authorizationServers ?? [],
+    scopes_supported: getMcpRequiredScopes(authConfig),
+  };
+}
+
+export function createWwwAuthenticateHeader(failure: AuthFailure) {
+  const params = [
+    `realm=${quote('mcp')}`,
+    `resource_metadata=${quote(failure.metadataUrl)}`,
+    failure.requiredScopes.length > 0 ? `scope=${quote(failure.requiredScopes.join(' '))}` : undefined,
+    failure.error ? `error=${quote(failure.error)}` : undefined,
+    failure.description ? `error_description=${quote(failure.description)}` : undefined,
+  ].filter(Boolean);
+
+  return `Bearer ${params.join(', ')}`;
+}
+
+export function createMcpAuthErrorResponse(failure: AuthFailure) {
+  return new Response(JSON.stringify({ error: failure.error, message: failure.description }), {
+    status: failure.status,
+    headers: {
+      'Content-Type': 'application/json',
+      'WWW-Authenticate': createWwwAuthenticateHeader(failure),
+    },
+  });
+}
+
+export async function validateMcpRequest(
+  request: Request,
+  authConfig: McpAuthConfig | undefined = getMcpAuthConfig()
+): Promise<McpAuthResult> {
+  if (!isMcpAuthEnabled(authConfig)) return { ok: true };
+
+  const metadataUrl = getMcpProtectedResourceMetadataUrl(request, authConfig);
+  const requiredScopes = getMcpRequiredScopes(authConfig);
+  const authHeader = request.headers.get('Authorization');
+  const bearerMatch = authHeader?.match(/^Bearer\s+(.*)$/i);
+
+  if (!bearerMatch) {
+    return {
+      ok: false,
+      status: 401,
+      error: 'invalid_token',
+      description: 'Missing Bearer access token',
+      requiredScopes,
+      metadataUrl,
+    };
+  }
+
+  const token = bearerMatch[1].trim();
+
+  if (!token) {
+    return {
+      ok: false,
+      status: 401,
+      error: 'invalid_token',
+      description: 'Missing Bearer access token',
+      requiredScopes,
+      metadataUrl,
+    };
+  }
+
+  try {
+    const claims = await verifyAccessToken(token, request, authConfig);
+    const missingScopes = getMissingScopes(claims, requiredScopes);
+
+    if (missingScopes.length > 0) {
+      return {
+        ok: false,
+        status: 403,
+        error: 'insufficient_scope',
+        description: `Missing required scope${missingScopes.length > 1 ? 's' : ''}: ${missingScopes.join(' ')}`,
+        requiredScopes,
+        metadataUrl,
+      };
+    }
+
+    return { ok: true, claims };
+  } catch {
+    return {
+      ok: false,
+      status: 401,
+      error: 'invalid_token',
+      description: 'Invalid or expired Bearer access token',
+      requiredScopes,
+      metadataUrl,
+    };
+  }
+}
+
+async function verifyAccessToken(token: string, request: Request, authConfig: McpAuthConfig): Promise<TokenClaims> {
+  const decoded = jwt.decode(token, { complete: true });
+  const algorithm = decoded && typeof decoded === 'object' ? (decoded.header.alg as Algorithm | undefined) : undefined;
+
+  if (!algorithm || algorithm === 'none') {
+    throw new Error('Unsupported JWT algorithm');
+  }
+
+  const key = await getVerificationKey(token, authConfig);
+  const audience = getJwtAudience(authConfig.audience ?? getMcpResourceUrl(request, authConfig));
+
+  const payload = jwt.verify(token, key, {
+    audience,
+    issuer: authConfig.issuer,
+    algorithms: [algorithm],
+    clockTolerance: 5,
+  });
+
+  if (!payload || typeof payload === 'string') {
+    throw new Error('Invalid JWT payload');
+  }
+
+  return payload as TokenClaims;
+}
+
+async function getVerificationKey(token: string, authConfig: McpAuthConfig): Promise<string | Buffer | KeyObject> {
+  const sharedSecret = getConfiguredValue(authConfig.sharedSecret, authConfig.sharedSecretEnvVar);
+  if (sharedSecret) return sharedSecret;
+
+  const publicKey = getConfiguredValue(authConfig.publicKey, authConfig.publicKeyEnvVar);
+  if (publicKey) return publicKey;
+
+  if (authConfig.jwksUri) {
+    return getJwksVerificationKey(token, authConfig.jwksUri);
+  }
+
+  throw new Error('MCP auth requires jwksUri, publicKey, publicKeyEnvVar, sharedSecret, or sharedSecretEnvVar');
+}
+
+function getConfiguredValue(value: string | undefined, envVar: string | undefined) {
+  if (value) return value;
+  if (envVar) return process.env[envVar];
+  return undefined;
+}
+
+async function getJwksVerificationKey(token: string, jwksUri: string) {
+  const decoded = jwt.decode(token, { complete: true });
+  const kid = decoded && typeof decoded === 'object' ? decoded.header.kid : undefined;
+  const keys = await getJwksKeys(jwksUri);
+  const jwk = keys.find((key) => (kid ? key.kid === kid : keys.length === 1));
+
+  if (!jwk) {
+    throw new Error('No matching JWKS key found for token');
+  }
+
+  return createPublicKey({ key: jwk, format: 'jwk' });
+}
+
+function getJwtAudience(audience: string | string[]) {
+  if (Array.isArray(audience)) {
+    if (audience.length === 0) return undefined;
+    return audience as [string, ...string[]];
+  }
+
+  return audience;
+}
+
+async function getJwksKeys(jwksUri: string): Promise<JwksKey[]> {
+  const cached = jwksCache.get(jwksUri);
+  if (cached && cached.expiresAt > Date.now()) {
+    return cached.keys;
+  }
+
+  const response = await fetch(jwksUri, {
+    headers: {
+      Accept: 'application/json',
+    },
+  });
+
+  if (!response.ok) {
+    throw new Error(`Failed to fetch JWKS: ${response.status}`);
+  }
+
+  const body = (await response.json()) as { keys?: JwksKey[] };
+  const keys = body.keys ?? [];
+  jwksCache.set(jwksUri, { keys, expiresAt: Date.now() + 5 * 60 * 1000 });
+  return keys;
+}
+
+function getMissingScopes(claims: TokenClaims, requiredScopes: string[]) {
+  if (requiredScopes.length === 0) return [];
+
+  const scopes = new Set<string>();
+
+  if (typeof claims.scope === 'string') {
+    for (const scope of claims.scope.split(/\s+/)) {
+      if (scope) scopes.add(scope);
+    }
+  }
+
+  if (Array.isArray(claims.scp)) {
+    for (const scope of claims.scp) {
+      scopes.add(scope);
+    }
+  }
+
+  return requiredScopes.filter((scope) => !scopes.has(scope));
+}

package/eventcatalog/src/enterprise/mcp/mcp-server.ts

@@ -32,6 +32,7 @@ import {
   toolDescriptions,
 } from '@enterprise/tools/catalog-tools';
 import { getCollection } from 'astro:content';
+import { createMcpAuthErrorResponse, validateMcpRequest } from './mcp-auth';
 
 const catalogDirectory = process.env.PROJECT_DIR || process.cwd();
 
@@ -462,6 +463,12 @@ const mcpResources = [
 
 // Health check endpoint
 app.get('/', async (c: Context) => {
+  const auth = await validateMcpRequest(c.req.raw);
+
+  if (!auth.ok) {
+    return createMcpAuthErrorResponse(auth);
+  }
+
   return c.json({
     name: 'EventCatalog MCP Server',
     version: '1.0.0',
@@ -475,6 +482,12 @@ app.get('/', async (c: Context) => {
 // MCP protocol endpoint - handles POST requests for MCP protocol
 app.post('/', async (c: Context) => {
   try {
+    const auth = await validateMcpRequest(c.req.raw);
+
+    if (!auth.ok) {
+      return createMcpAuthErrorResponse(auth);
+    }
+
     // Create fresh server and transport per request — the MCP SDK's
     // WebStandardStreamableHTTPServerTransport is single-use in stateless
     // mode: it sets _hasHandledRequest=true after the first call and throws

package/eventcatalog/src/enterprise/mcp/oauth-protected-resource.ts

@@ -0,0 +1,25 @@
+/**
+ * Licensed under the EventCatalog Commercial License.
+ * See /packages/core/eventcatalog/src/enterprise/LICENSE
+ */
+
+import type { APIRoute } from 'astro';
+import { getMcpProtectedResourceMetadata } from './mcp-auth';
+
+export const GET: APIRoute = async ({ request }) => {
+  const metadata = getMcpProtectedResourceMetadata(request);
+
+  if (!metadata) {
+    return new Response(JSON.stringify({ error: 'mcp_auth_not_configured' }), {
+      status: 404,
+      headers: { 'Content-Type': 'application/json' },
+    });
+  }
+
+  return new Response(JSON.stringify(metadata, null, 2), {
+    status: 200,
+    headers: { 'Content-Type': 'application/json' },
+  });
+};
+
+export const prerender = false;

package/eventcatalog/src/utils/feature.ts

@@ -29,6 +29,7 @@ export {
   isCustomStylesEnabled,
   isDiagramComparisonEnabled,
   isEventCatalogMCPEnabled,
+  isEventCatalogMCPAuthEnabled,
   isIntegrationsEnabled,
   isExportPDFEnabled,
 } from '../enterprise/feature';

package/package.json

@@ -7,7 +7,7 @@
   },
   "license": "SEE LICENSE IN LICENSE",
   "type": "module",
-  "version": "3.39.6",
+  "version": "3.40.0",
   "publishConfig": {
     "access": "public"
   },
@@ -106,8 +106,8 @@
     "update-notifier": "^7.3.1",
     "uuid": "^10.0.0",
     "zod": "^4.3.6",
-    "@eventcatalog/sdk": "2.21.2",
     "@eventcatalog/linter": "1.0.24",
+    "@eventcatalog/sdk": "2.21.2",
     "@eventcatalog/visualiser": "^3.21.0"
   },
   "devDependencies": {