@smithery/sdk 1.6.2 → 1.6.4

package/dist/index.d.ts

@@ -2,3 +2,5 @@ export * from "./shared/config.js";
 export * from "./shared/patch.js";
 export { createStatefulServer, type StatefulServerOptions, } from "./server/stateful.js";
 export * from "./server/session.js";
+export * from "./server/auth/identity.js";
+export * from "./server/auth/oauth.js";

package/dist/index.js

@@ -7,3 +7,5 @@ export * from "./shared/patch.js";
 // Server-side helpers (selective to avoid duplicate type names)
 export { createStatefulServer, } from "./server/stateful.js";
 export * from "./server/session.js";
+export * from "./server/auth/identity.js";
+export * from "./server/auth/oauth.js";

package/dist/server/auth/identity.d.ts

@@ -0,0 +1,18 @@
+import type { Application, Request, Router } from "express";
+import { type JWTPayload } from "jose";
+import type { OAuthTokens } from "@modelcontextprotocol/sdk/shared/auth.js";
+export type IdentityJwtClaims = JWTPayload & Record<string, unknown>;
+export interface IdentityHandler {
+    /** Base path to mount metadata and token endpoints. Default: "/" */
+    basePath?: string;
+    /** Expected JWT issuer. Default: "https://server.smithery.ai" */
+    issuer?: string;
+    /** JWKS URL for issuer. Default: "https://server.smithery.ai/.well-known/jwks.json" */
+    jwksUrl?: string;
+    /** Optional explicit token path. Overrides basePath+"token". */
+    tokenPath?: string;
+    /** Handle a JWT grant provided by an external identity provider (i.e., Smithery) and mint access tokens */
+    handleJwtGrant: (claims: IdentityJwtClaims, req: Request) => Promise<OAuthTokens | null>;
+}
+export declare function createIdentityTokenRouter(options: IdentityHandler): Router;
+export declare function mountIdentity(app: Application, options: IdentityHandler): void;

package/dist/server/auth/identity.js

@@ -0,0 +1,55 @@
+import express from "express";
+import { createRemoteJWKSet, jwtVerify } from "jose";
+function normalizeBasePath(basePath) {
+    const value = basePath ?? "/";
+    return value.endsWith("/") ? value : `${value}/`;
+}
+export function createIdentityTokenRouter(options) {
+    const basePath = normalizeBasePath(options.basePath);
+    const issuer = options.issuer ?? "https://server.smithery.ai";
+    const jwksUrl = new URL(options.jwksUrl ?? "https://server.smithery.ai/.well-known/jwks.json");
+    const tokenPath = typeof options.tokenPath === "string" && options.tokenPath.length > 0
+        ? options.tokenPath
+        : `${basePath}token`;
+    // Create JWKS resolver once; jose caches keys internally
+    const JWKS = createRemoteJWKSet(jwksUrl);
+    const tokenRouter = express.Router();
+    // urlencoded parser required for OAuth token requests
+    tokenRouter.use(express.urlencoded({ extended: false }));
+    tokenRouter.post(tokenPath, async (req, res, next) => {
+        try {
+            const grantType = typeof req.body?.grant_type === "string"
+                ? req.body.grant_type
+                : undefined;
+            if (grantType !== "urn:ietf:params:oauth:grant-type:jwt-bearer")
+                return next();
+            const assertion = typeof req.body?.assertion === "string" ? req.body.assertion : undefined;
+            if (!assertion) {
+                res.status(400).json({
+                    error: "invalid_request",
+                    error_description: "Missing assertion",
+                });
+                return;
+            }
+            const host = req.get("host") ?? "localhost";
+            const audience = `${req.protocol}://${host}${tokenPath}`;
+            const { payload } = await jwtVerify(assertion, JWKS, {
+                issuer,
+                audience,
+                algorithms: ["RS256"],
+            });
+            const result = await options.handleJwtGrant(payload, req);
+            if (!result)
+                return next();
+            res.json(result);
+        }
+        catch (error) {
+            console.error(error);
+            res.status(400).json({ error: "invalid_grant" });
+        }
+    });
+    return tokenRouter;
+}
+export function mountIdentity(app, options) {
+    app.use(createIdentityTokenRouter(options));
+}

package/dist/server/auth/oauth.d.ts

@@ -0,0 +1,13 @@
+import type { OAuthServerProvider, OAuthTokenVerifier } from "@modelcontextprotocol/sdk/server/auth/provider.js";
+import type { Application, Response } from "express";
+import { type IdentityHandler } from "./identity.js";
+export interface CallbackOAuthServerProvider extends OAuthServerProvider {
+    basePath?: string;
+    callbackPath?: string;
+    handleOAuthCallback?: (code: string, state: string | undefined, res: Response) => Promise<URL>;
+}
+export interface OAuthMountOptions {
+    provider?: CallbackOAuthServerProvider | OAuthTokenVerifier;
+    identity?: IdentityHandler;
+}
+export declare function mountOAuth(app: Application, opts: OAuthMountOptions): void;

package/dist/server/auth/oauth.js

@@ -0,0 +1,153 @@
+import { requireBearerAuth } from "@modelcontextprotocol/sdk/server/auth/middleware/bearerAuth.js";
+import { mcpAuthMetadataRouter, createOAuthMetadata, } from "@modelcontextprotocol/sdk/server/auth/router.js";
+import { authorizationHandler } from "@modelcontextprotocol/sdk/server/auth/handlers/authorize.js";
+import { tokenHandler } from "@modelcontextprotocol/sdk/server/auth/handlers/token.js";
+import { clientRegistrationHandler } from "@modelcontextprotocol/sdk/server/auth/handlers/register.js";
+import { revocationHandler } from "@modelcontextprotocol/sdk/server/auth/handlers/revoke.js";
+import { metadataHandler } from "@modelcontextprotocol/sdk/server/auth/handlers/metadata.js";
+import { mountIdentity } from "./identity.js";
+function isOAuthProvider(provider) {
+    return !!provider && "authorize" in provider;
+}
+export function mountOAuth(app, opts) {
+    // Determine base path once based on OAuth provider or identity
+    const provider = opts.provider;
+    const hasOAuth = isOAuthProvider(provider);
+    const rawBasePath = hasOAuth
+        ? (provider.basePath ?? "/")
+        : (opts.identity?.basePath ?? "/");
+    const basePath = rawBasePath.endsWith("/") ? rawBasePath : `${rawBasePath}/`;
+    // Precompute endpoint pathnames from metadata
+    let authorizationPath;
+    let tokenPath;
+    let registrationPath;
+    let revocationPath;
+    if (isOAuthProvider(provider)) {
+        const placeholderIssuer = new URL("https://localhost");
+        const placeholderBaseUrl = new URL(basePath, placeholderIssuer);
+        const localMetadata = createOAuthMetadata({
+            provider,
+            issuerUrl: placeholderIssuer,
+            baseUrl: placeholderBaseUrl,
+        });
+        authorizationPath = new URL(localMetadata.authorization_endpoint).pathname;
+        tokenPath = new URL(localMetadata.token_endpoint).pathname;
+        if (localMetadata.registration_endpoint) {
+            registrationPath = new URL(localMetadata.registration_endpoint).pathname;
+        }
+        if (localMetadata.revocation_endpoint) {
+            revocationPath = new URL(localMetadata.revocation_endpoint).pathname;
+        }
+    }
+    // Metadata endpoints
+    if (isOAuthProvider(provider)) {
+        // Mount a per-request adapter so issuer/baseUrl reflect Host/Proto
+        app.use((req, res, next) => {
+            if (!req.path.startsWith("/.well-known/"))
+                return next();
+            const host = req.get("host") ?? "localhost";
+            if (req.protocol !== "https") {
+                console.warn("Detected http but using https for issuer URL in OAuth metadata since it will fail otherwise.");
+            }
+            const issuerUrl = new URL(`https://${host}`);
+            const baseUrl = new URL(basePath, issuerUrl);
+            const oauthMetadata = createOAuthMetadata({
+                provider,
+                issuerUrl,
+                baseUrl,
+            });
+            if (opts.identity) {
+                oauthMetadata.grant_types_supported = Array.from(new Set([
+                    ...(oauthMetadata.grant_types_supported ?? []),
+                    "urn:ietf:params:oauth:grant-type:jwt-bearer",
+                ]));
+            }
+            const resourceServerUrl = new URL("/mcp", issuerUrl);
+            const metadataRouter = mcpAuthMetadataRouter({
+                oauthMetadata,
+                resourceServerUrl,
+            });
+            return metadataRouter(req, res, next);
+        });
+    }
+    else if (opts.identity) {
+        // Identity-only: explicitly mount protected resource metadata endpoint
+        app.use("/.well-known/oauth-protected-resource", (req, res, next) => {
+            const host = req.get("host") ?? "localhost";
+            const issuerUrl = new URL(`${req.protocol}://${host}`);
+            const protectedResourceMetadata = {
+                resource: new URL("/mcp", issuerUrl).href,
+                authorization_servers: [issuerUrl.href],
+            };
+            return metadataHandler(protectedResourceMetadata)(req, res, next);
+        });
+        // Identity-only: also advertise minimal AS metadata for discovery per RFC 8414
+        app.use("/.well-known/oauth-authorization-server", (req, res, next) => {
+            const host = req.get("host") ?? "localhost";
+            const issuerUrl = new URL(`${req.protocol}://${host}`);
+            const oauthMetadata = {
+                issuer: issuerUrl.href,
+                token_endpoint: new URL(`${basePath}token`, issuerUrl).href,
+                grant_types_supported: ["urn:ietf:params:oauth:grant-type:jwt-bearer"],
+            };
+            return metadataHandler(oauthMetadata)(req, res, next);
+        });
+    }
+    // Mount identity (JWT bearer grant) first so OAuth token can fall through
+    if (opts.identity) {
+        const identityOptions = {
+            ...opts.identity,
+            basePath,
+            tokenPath: tokenPath ?? `${basePath}token`,
+        };
+        mountIdentity(app, identityOptions);
+    }
+    // Mount OAuth endpoints functionally if an OAuth provider is present
+    if (isOAuthProvider(provider)) {
+        // Authorization endpoint
+        const authPath = authorizationPath ?? `${basePath}authorize`;
+        app.use(authPath, authorizationHandler({ provider }));
+        // Token endpoint (OAuth); identity's token handler will handle JWT grant and call next() otherwise
+        const tokPath = tokenPath ?? `${basePath}token`;
+        app.use(tokPath, tokenHandler({ provider }));
+        // Dynamic client registration if supported
+        if (provider.clientsStore?.registerClient) {
+            const regPath = registrationPath ?? `${basePath}register`;
+            app.use(regPath, clientRegistrationHandler({ clientsStore: provider.clientsStore }));
+        }
+        // Token revocation if supported
+        if (provider.revokeToken) {
+            const revPath = revocationPath ?? `${basePath}revoke`;
+            app.use(revPath, revocationHandler({ provider }));
+        }
+        // Optional OAuth callback
+        const callbackHandler = provider.handleOAuthCallback?.bind(provider);
+        if (callbackHandler) {
+            const callbackPath = provider.callbackPath ?? "/callback";
+            app.get(callbackPath, async (req, res) => {
+                const code = typeof req.query.code === "string" ? req.query.code : undefined;
+                const state = typeof req.query.state === "string" ? req.query.state : undefined;
+                if (!code) {
+                    res.status(400).send("Invalid request parameters");
+                    return;
+                }
+                try {
+                    const redirectUrl = await callbackHandler(code, state, res);
+                    res.redirect(redirectUrl.toString());
+                }
+                catch (error) {
+                    console.error(error);
+                    res.status(500).send("Error during authentication callback");
+                }
+            });
+        }
+    }
+    // Protect MCP resource with bearer auth if a verifier/provider is present
+    if (provider) {
+        app.use("/mcp", (req, res, next) => {
+            return requireBearerAuth({
+                verifier: provider,
+            })(req, res, next);
+        });
+    }
+}

package/dist/server/index.d.ts

@@ -1,4 +1,5 @@
 export * from "./stateful.js";
 export * from "./stateless.js";
 export * from "./session.js";
-export * from "./oauth.js";
+export * from "./auth/oauth.js";
+export * from "./auth/identity.js";

package/dist/server/index.js

@@ -1,4 +1,5 @@
 export * from "./stateful.js";
 export * from "./stateless.js";
 export * from "./session.js";
-export * from "./oauth.js";
+export * from "./auth/oauth.js";
+export * from "./auth/identity.js";

package/dist/server/stateful.d.ts

@@ -4,7 +4,6 @@ import express from "express";
 import type { z } from "zod";
 import type { Server } from "@modelcontextprotocol/sdk/server/index.js";
 import { type SessionStore } from "./session.js";
-import type { CallbackOAuthServerProvider } from "./oauth.js";
 /**
  * Arguments when we create a new instance of your server
  */
@@ -30,10 +29,6 @@ export interface StatefulServerOptions<T = Record<string, unknown>> {
      * Express app instance to use (optional)
      */
     app?: express.Application;
-    /**
-     * OAuth provider instance. If provided, OAuth routes and bearer protection are auto-wired.
-     */
-    oauthProvider?: CallbackOAuthServerProvider;
 }
 /**
  * Creates a stateful server for handling MCP requests.

package/dist/server/stateful.js

@@ -5,7 +5,6 @@ import { randomUUID } from "node:crypto";
 import { parseAndValidateConfig } from "../shared/config.js";
 import { zodToJsonSchema } from "zod-to-json-schema";
 import { createLRUStore } from "./session.js";
-import { mountOAuth } from "./oauth.js";
 /**
  * Creates a stateful server for handling MCP requests.
  * For every new session, we invoke createMcpServer to create a new instance of the server.
@@ -15,11 +14,6 @@ import { mountOAuth } from "./oauth.js";
  */
 export function createStatefulServer(createMcpServer, options) {
     const app = options?.app ?? express();
-    // Auto-wire OAuth routes and bearer protection if configured
-    const oauthProvider = options?.oauthProvider;
-    if (oauthProvider) {
-        mountOAuth(app, oauthProvider);
-    }
     app.use("/mcp", express.json());
     const sessionStore = options?.sessionStore ?? createLRUStore();
     // Handle POST requests for client-to-server communication

package/dist/server/stateless.d.ts

@@ -2,7 +2,7 @@ import express from "express";
 import type { z } from "zod";
 import type { Server } from "@modelcontextprotocol/sdk/server/index.js";
 import type { AuthInfo } from "@modelcontextprotocol/sdk/server/auth/types.js";
-import type { CallbackOAuthServerProvider } from "./oauth.js";
+import type { OAuthMountOptions } from "./auth/oauth.js";
 /**
  * Arguments when we create a stateless server instance
  */
@@ -23,10 +23,7 @@ export interface StatelessServerOptions<T = Record<string, unknown>> {
      * Express app instance to use (optional)
      */
     app?: express.Application;
-    /**
-     * OAuth provider instance. If provided, OAuth routes and bearer protection are auto-wired.
-     */
-    oauthProvider?: CallbackOAuthServerProvider;
+    oauth?: OAuthMountOptions;
 }
 /**
  * Creates a stateless server for handling MCP requests.

package/dist/server/stateless.js

@@ -2,7 +2,6 @@ import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/
 import express from "express";
 import { parseAndValidateConfig } from "../shared/config.js";
 import { zodToJsonSchema } from "zod-to-json-schema";
-import { mountOAuth } from "./oauth.js";
 /**
  * Creates a stateless server for handling MCP requests.
  * Each request creates a new server instance - no session state is maintained.
@@ -14,11 +13,6 @@ import { mountOAuth } from "./oauth.js";
  */
 export function createStatelessServer(createMcpServer, options) {
     const app = options?.app ?? express();
-    // Auto-wire OAuth routes and bearer protection if configured
-    const oauthProvider = options?.oauthProvider;
-    if (oauthProvider) {
-        mountOAuth(app, oauthProvider);
-    }
     app.use("/mcp", express.json());
     // Handle POST requests for client-to-server communication
     app.post("/mcp", async (req, res) => {

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@smithery/sdk",
-	"version": "1.6.2",
+	"version": "1.6.4",
 	"description": "SDK to develop with Smithery",
 	"type": "module",
 	"main": "./dist/index.js",
@@ -18,10 +18,12 @@
 		"watch": "tsc --watch",
 		"check": "npx @biomejs/biome check --write --unsafe"
 	},
+	"packageManager": "npm@11.4.1",
 	"license": "MIT",
 	"dependencies": {
 		"@modelcontextprotocol/sdk": "^1.18.0",
 		"express": "^5.1.0",
+		"jose": "^6.1.0",
 		"json-schema": "^0.4.0",
 		"lodash": "^4.17.21",
 		"okay-error": "^1.0.3",

package/dist/server/oauth.d.ts

@@ -1,14 +0,0 @@
-import type express from "express";
-import type { OAuthServerProvider } from "@modelcontextprotocol/sdk/server/auth/provider.js";
-import type { Response } from "express";
-/**
- * OAuth server provider that supports a callback handler.
- * The callback handler is invoked to catch the OAuth callback from the OAuth provider.
- */
-export interface CallbackOAuthServerProvider extends OAuthServerProvider {
-    /** Provider-specific callback handler used by the SDK */
-    handleOAuthCallback?: (code: string, state: string | undefined, res: Response) => Promise<URL>;
-    basePath?: string;
-    callbackPath: string;
-}
-export declare function mountOAuth(app: express.Application, provider: CallbackOAuthServerProvider): void;

package/dist/server/oauth.js

@@ -1,36 +0,0 @@
-import { requireBearerAuth } from "@modelcontextprotocol/sdk/server/auth/middleware/bearerAuth.js";
-import { mcpAuthRouter } from "@modelcontextprotocol/sdk/server/auth/router.js";
-export function mountOAuth(app, provider) {
-    // Mount OAuth authorization and token routes with dynamic issuer URL and provider
-    app.use(provider.basePath ?? "/", (req, res, next) => {
-        const host = req.get("host") ?? "localhost";
-        // Issuer URL must be https
-        const issuerUrl = new URL(`https://${host}`);
-        const router = mcpAuthRouter({ provider, issuerUrl });
-        return router(req, res, next);
-    });
-    const callbackHandler = provider.handleOAuthCallback;
-    if (callbackHandler) {
-        // Callback handler
-        app.get(provider.callbackPath, async (req, res) => {
-            const code = typeof req.query.code === "string" ? req.query.code : undefined;
-            const state = typeof req.query.state === "string" ? req.query.state : undefined;
-            if (!code) {
-                res.status(400).send("Invalid request parameters");
-                return;
-            }
-            try {
-                const redirectUrl = await callbackHandler.bind(provider)(code, state, res);
-                res.redirect(redirectUrl.toString());
-            }
-            catch (error) {
-                console.error(error);
-                res.status(500).send("Error during authentication callback");
-            }
-        });
-    }
-    // Bearer protection for all /mcp routes (POST/GET/DELETE)
-    app.use("/mcp", (req, res, next) => {
-        return requireBearerAuth({ verifier: provider })(req, res, next);
-    });
-}