npm - @ttoss/http-server-mcp - Versions diffs - 0.16.0 → 0.16.2 - Mend

@ttoss/http-server-mcp 0.16.0 → 0.16.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/README.md CHANGED Viewed

@@ -340,74 +340,9 @@ createMcpRouter(mcpServer, {
 Both fields are optional. Omitting `resourceMetadataUrl` keeps the bare `Bearer` header, and the `publicMethods` default matches what MCP clients expect for discovery.
-## OAuth 2.1 Authorization Server
+## Issuing tokens for MCP clients
-The `auth` option above covers the **resource-server** half of MCP authorization — it verifies tokens issued by an external authorization server (Cognito, Auth0, …). When you want your own first-party server to _issue_ the tokens, `createMcpAuthServer` provides the **authorization-server** half: the `/authorize`, `/token`, `/register`, and discovery endpoints an MCP client (Claude, Cursor, VS Code) auto-discovers and runs the full OAuth 2.1 flow against.
-ttoss owns only the protocol mechanics (PKCE, discovery metadata, code exchange, dynamic client registration). Your app keeps its own user model, token signing, and login/consent UI through pluggable hooks — the user model never leaves your app.
-```typescript
-import { App, bodyParser } from '@ttoss/http-server';
-import { createMcpAuthServer } from '@ttoss/http-server-mcp';
-const authServer = createMcpAuthServer({
-  issuer: 'https://api.example.com',
-  clientStore, // register/lookup dynamic clients
-  authCodeStore, // persist short-lived codes + PKCE challenge
-  // App-owned token minting — ttoss never sees your signing keys
-  issueTokens: async ({ subject, scopes }) => ({
-    accessToken: signJwt({ sub: subject, scope: scopes.join(' ') }),
-    refreshToken: createRefreshToken(subject),
-    expiresIn: 3600,
-  }),
-  // App-owned login/consent — show your own UI, then approve
-  onAuthorize: async ({ ctx, request }) => {
-    const session = await getSession(ctx);
-    if (!session) {
-      ctx.redirect(`/login?return_to=${encodeURIComponent(ctx.url)}`);
-      return { approved: false };
-    }
-    return { approved: true, subject: session.userId, scopes: request.scopes };
-  },
-  // App-owned refresh validation — required to enable the refresh_token grant
-  onRefreshToken: async ({ refreshToken }) => {
-    const claims = await verifyRefreshToken(refreshToken);
-    return claims ? { subject: claims.sub, scopes: claims.scopes } : undefined;
-  },
-  scopesSupported: ['mcp:access'],
-});
-const app = new App();
-app.use(bodyParser());
-app.use(authServer.routes());
-```
-This mounts:
-| Endpoint                                  | Spec      | Purpose                                              |
-| ----------------------------------------- | --------- | ---------------------------------------------------- |
-| `/.well-known/oauth-authorization-server` | RFC 8414  | Authorization server metadata discovery              |
-| `/.well-known/oauth-protected-resource`   | RFC 9728  | Protected-resource metadata (when `resource` is set) |
-| `/authorize`                              | OAuth 2.1 | Authorization endpoint — **PKCE (S256) required**    |
-| `/token`                                  | OAuth 2.1 | `authorization_code` + `refresh_token` grants        |
-| `/register`                               | RFC 7591  | Dynamic Client Registration                          |
-The full flow an MCP client runs: it fetches the discovery document, self-registers at `/register`, opens `/authorize` (your `onAuthorize` handles login/consent), exchanges the returned code at `/token` with its PKCE verifier, and uses the access token against your `createMcpRouter` endpoint. Pair this with `createMcpRouter({ auth: { verifyToken } })` so the same server both issues and verifies tokens.
-The pluggable stores let you keep persistence in your own datastore:
-```typescript
-const clientStore: ClientStore = {
-  get: (clientId) => db.clients.findById(clientId),
-  register: (client) => db.clients.put(client),
-};
-const authCodeStore: AuthCodeStore = {
-  save: (code) => db.codes.put(code), // set a TTL matching authorizationCodeTtl
-  get: (code) => db.codes.findById(code),
-  delete: (code) => db.codes.remove(code),
-};
-```
+The `auth` option above covers the **resource-server** half of MCP authorization — it verifies tokens issued by an external authorization server (Cognito, Auth0, …). To make your own first-party server _issue_ the tokens an MCP client runs the full OAuth flow against, add the [`@ttoss/http-server-auth`](https://ttoss.dev/docs/modules/packages/http-server-auth) plugin's `oauthServer()` and pair it with `createMcpRouter({ auth: { verifyToken } })` so one deployment both issues and verifies tokens. See the [OAuth Authorization Server](https://ttoss.dev/docs/engineering/guidelines/oauth-authorization-server) guideline.
 ## API Reference
@@ -433,25 +368,6 @@ Creates a Koa router configured to handle MCP protocol requests.
 **Returns:** `Router` — Koa router instance
-### `createMcpAuthServer(options)`
-Creates an OAuth 2.1 Authorization Server (`/authorize`, `/token`, `/register`, and discovery metadata) for MCP clients. See [OAuth 2.1 Authorization Server](#oauth-21-authorization-server).
-**Parameters (`McpAuthServerOptions`):**
-- `issuer` (`string`) — The authorization server's issuer identifier (its base URL); used to build absolute endpoint URLs in the discovery document
-- `clientStore` (`ClientStore`) — `{ get(clientId), register(client) }` for dynamic clients
-- `authCodeStore` (`AuthCodeStore`) — `{ save(code), get(code), delete(code) }` for short-lived authorization codes (codes are single-use)
-- `issueTokens` (`({ subject, scopes, client }) => IssuedTokens`) — App-owned token minting; returns `{ accessToken, refreshToken?, expiresIn?, scope? }`
-- `onAuthorize` (`({ ctx, client, request }) => OnAuthorizeResult`) — App-owned login/consent; return `{ approved: true, subject, scopes? }` to issue a code, or take over the response and return `{ approved: false }`
-- `onRefreshToken` (`({ refreshToken, client, scopes }) => { subject, scopes } | undefined`, optional) — App-owned refresh-token validation; required to enable the `refresh_token` grant
-- `scopesSupported` (`string[]`, optional) — Advertised in discovery metadata as `scopes_supported`
-- `resource` (`string`, optional) — When set, also serves `/.well-known/oauth-protected-resource`
-- `authorizationCodeTtl` (`number`, optional) — Authorization code lifetime in seconds (default: `600`)
-- `endpoints` (`{ authorize?, token?, register? }`, optional) — Override the default endpoint paths
-**Returns:** `Router` — Koa router instance exposing `routes()` / `allowedMethods()`
 ### `apiCall(method, url, options?)`
 Generic HTTP helper for use inside MCP tool handlers.

package/dist/index.cjs CHANGED Viewed

@@ -4,453 +4,29 @@ Object.defineProperty(exports, Symbol.toStringTag, {
 });
 let node_async_hooks = require("node:async_hooks");
 let _modelcontextprotocol_sdk_server_streamableHttp_js = require("@modelcontextprotocol/sdk/server/streamableHttp.js");
+let _ttoss_auth_core_amazon_cognito = require("@ttoss/auth-core/amazon-cognito");
 let _ttoss_http_server = require("@ttoss/http-server");
+let _ttoss_http_server_auth = require("@ttoss/http-server-auth");
 let zod = require("zod");
-let _ttoss_auth_core_amazon_cognito = require("@ttoss/auth-core/amazon-cognito");
-let node_crypto = require("node:crypto");
 let _modelcontextprotocol_sdk_server_mcp_js = require("@modelcontextprotocol/sdk/server/mcp.js");
-//#region src/auth.ts
+//#region src/index.ts
 /** MCP lifecycle/discovery methods reachable before a client authenticates. */
 var DEFAULT_PUBLIC_METHODS = ["initialize", "tools/list"];
-/**
-* Builds the token verifier from the auth options, preferring an explicit
-* `verifyToken` and otherwise creating a `CognitoJwtVerifier`.
-*/
-var buildTokenVerifier = auth => {
+/** Builds the token verifier from the MCP auth options. */
+var buildVerifyToken = auth => {
   if (auth.cognitoUserPool) {
-    const v = _ttoss_auth_core_amazon_cognito.CognitoJwtVerifier.create({
+    const verifier = _ttoss_auth_core_amazon_cognito.CognitoJwtVerifier.create({
       tokenUse: "access",
       ...auth.cognitoUserPool
     });
-    return t => {
-      return v.verify(t);
+    return token => {
+      return verifier.verify(token);
     };
   }
   if (auth.verifyToken) return auth.verifyToken;
   throw new Error("McpAuthOptions requires either cognitoUserPool or verifyToken");
 };
-/** Returns true when the identity carries every required scope (or none are required). */
-var hasRequiredScopes = (requiredScopes, identity) => {
-  if (!requiredScopes?.length) return true;
-  const tokenScopes = (identity?.scope ?? "").split(" ");
-  return requiredScopes.every(s => {
-    return tokenScopes.includes(s);
-  });
-};
-/**
-* Registers the token-verification middleware (with public-method bypass and
-* RFC 9728 discovery) and, when configured, the OAuth protected-resource
-* metadata endpoint on the given router.
-*/
-var registerAuthRoutes = (router, path, auth, tokenVerifier) => {
-  const publicMethods = new Set(auth.publicMethods ?? DEFAULT_PUBLIC_METHODS);
-  const unauthorizedHeader = auth.resourceMetadataUrl ? `Bearer resource_metadata="${auth.resourceMetadataUrl}"` : "Bearer";
-  router.use(path, async (ctx, next) => {
-    const method = ctx.request.body?.method;
-    if (publicMethods.has(method ?? "")) {
-      await next();
-      return;
-    }
-    const authHeader = ctx.headers.authorization;
-    const token = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : "";
-    let identity;
-    try {
-      identity = await tokenVerifier(token);
-    } catch {
-      ctx.status = 401;
-      ctx.set("WWW-Authenticate", unauthorizedHeader);
-      ctx.body = "Unauthorized";
-      return;
-    }
-    if (!hasRequiredScopes(auth.requiredScopes, identity)) {
-      ctx.status = 403;
-      ctx.body = "Forbidden";
-      return;
-    }
-    ctx.state.identity = identity;
-    await next();
-  });
-  if (auth.resourceServerUrl && auth.authorizationServerUrl) router.get("/.well-known/oauth-protected-resource", ctx => {
-    ctx.body = {
-      resource: auth.resourceServerUrl,
-      authorization_servers: [auth.authorizationServerUrl]
-    };
-  });
-};
-//#endregion
-//#region src/authServerHandlers.ts
-var base64UrlEncode = buffer => {
-  return buffer.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
-};
-/** Generates a URL-safe random token of the given byte length. */
-var generateToken = (bytes = 32) => {
-  return base64UrlEncode((0, node_crypto.randomBytes)(bytes));
-};
-var sha256Base64Url = input => {
-  return base64UrlEncode((0, node_crypto.createHash)("sha256").update(input).digest());
-};
-/** Verifies a PKCE `code_verifier` against a stored S256 `code_challenge`. */
-var verifyPkce = (codeVerifier, codeChallenge) => {
-  return sha256Base64Url(codeVerifier) === codeChallenge;
-};
-/** Joins an issuer base URL with a path, collapsing any duplicate slash. */
-var joinUrl = (issuer, path) => {
-  return `${issuer.replace(/\/$/, "")}${path}`;
-};
-/** Returns the value if it is a string, otherwise `undefined`. */
-var asString = value => {
-  return typeof value === "string" ? value : void 0;
-};
-var parseScopes = scope => {
-  const value = asString(scope);
-  return value ? value.split(" ").filter(Boolean) : [];
-};
-/** Writes a spec-compliant OAuth error response (RFC 6749 §5.2). */
-var sendOAuthError = (ctx, status, error, description) => {
-  ctx.status = status;
-  ctx.body = {
-    error,
-    error_description: description
-  };
-};
-var buildTokenResponse = (tokens, scopes) => {
-  return {
-    access_token: tokens.accessToken,
-    token_type: "Bearer",
-    ...(tokens.expiresIn !== void 0 ? {
-      expires_in: tokens.expiresIn
-    } : {}),
-    ...(tokens.refreshToken !== void 0 ? {
-      refresh_token: tokens.refreshToken
-    } : {}),
-    scope: tokens.scope ?? scopes.join(" ")
-  };
-};
-/**
-* Authenticates the client at the token endpoint via `client_secret_basic`
-* (Authorization header), `client_secret_post` (body), or `none` (public,
-* PKCE-only). Returns the client, or `undefined` when authentication fails.
-*/
-var authenticateClient = async (ctx, body, clientStore) => {
-  let clientId = asString(body.client_id);
-  let clientSecret = asString(body.client_secret);
-  const authHeader = ctx.headers.authorization;
-  if (authHeader?.startsWith("Basic ")) {
-    const decoded = Buffer.from(authHeader.slice(6), "base64").toString();
-    const separatorIndex = decoded.indexOf(":");
-    if (separatorIndex !== -1) {
-      clientId = decodeURIComponent(decoded.slice(0, separatorIndex));
-      clientSecret = decodeURIComponent(decoded.slice(separatorIndex + 1));
-    }
-  }
-  if (!clientId) return;
-  const client = await clientStore.get(clientId);
-  if (!client) return;
-  if (client.client_secret && client.client_secret !== clientSecret) return;
-  return client;
-};
-/** Handles `grant_type=authorization_code` token requests (with PKCE verify). */
-var handleAuthorizationCodeGrant = async (ctx, body, options) => {
-  const {
-    clientStore,
-    authCodeStore,
-    issueTokens
-  } = options;
-  const client = await authenticateClient(ctx, body, clientStore);
-  if (!client) {
-    sendOAuthError(ctx, 401, "invalid_client", "client authentication failed");
-    return;
-  }
-  const code = asString(body.code);
-  if (!code) {
-    sendOAuthError(ctx, 400, "invalid_request", "code is required");
-    return;
-  }
-  const stored = await authCodeStore.get(code);
-  await authCodeStore.delete(code);
-  if (!stored) {
-    sendOAuthError(ctx, 400, "invalid_grant", "invalid or expired authorization code");
-    return;
-  }
-  if (stored.expiresAt < Date.now()) {
-    sendOAuthError(ctx, 400, "invalid_grant", "authorization code expired");
-    return;
-  }
-  if (stored.clientId !== client.client_id) {
-    sendOAuthError(ctx, 400, "invalid_grant", "authorization code was not issued to this client");
-    return;
-  }
-  if (stored.redirectUri !== asString(body.redirect_uri)) {
-    sendOAuthError(ctx, 400, "invalid_grant", "redirect_uri mismatch");
-    return;
-  }
-  const codeVerifier = asString(body.code_verifier);
-  if (!codeVerifier) {
-    sendOAuthError(ctx, 400, "invalid_request", "code_verifier is required");
-    return;
-  }
-  if (!verifyPkce(codeVerifier, stored.codeChallenge)) {
-    sendOAuthError(ctx, 400, "invalid_grant", "PKCE verification failed");
-    return;
-  }
-  ctx.body = buildTokenResponse(await issueTokens({
-    subject: stored.subject,
-    scopes: stored.scopes,
-    client
-  }), stored.scopes);
-};
-/** Handles `grant_type=refresh_token` token requests. */
-var handleRefreshTokenGrant = async (ctx, body, options) => {
-  const {
-    clientStore,
-    issueTokens,
-    onRefreshToken
-  } = options;
-  const client = await authenticateClient(ctx, body, clientStore);
-  if (!client) {
-    sendOAuthError(ctx, 401, "invalid_client", "client authentication failed");
-    return;
-  }
-  if (!onRefreshToken) {
-    sendOAuthError(ctx, 400, "unsupported_grant_type", "refresh_token grant is not supported");
-    return;
-  }
-  const refreshToken = asString(body.refresh_token);
-  if (!refreshToken) {
-    sendOAuthError(ctx, 400, "invalid_request", "refresh_token is required");
-    return;
-  }
-  const result = await onRefreshToken({
-    refreshToken,
-    client,
-    scopes: parseScopes(body.scope)
-  });
-  if (!result) {
-    sendOAuthError(ctx, 400, "invalid_grant", "invalid refresh token");
-    return;
-  }
-  ctx.body = buildTokenResponse(await issueTokens({
-    subject: result.subject,
-    scopes: result.scopes,
-    client
-  }), result.scopes);
-};
-/**
-* Handles the authorization request after `client_id` and `redirect_uri` have
-* been validated: enforces PKCE, runs the consent hook, and issues a code.
-*/
-var handleAuthorize = async (ctx, options, redirectUri) => {
-  const {
-    clientStore,
-    authCodeStore,
-    onAuthorize
-  } = options;
-  const ttl = options.authorizationCodeTtl ?? 600;
-  const clientId = asString(ctx.query.client_id);
-  const client = await clientStore.get(clientId);
-  const state = asString(ctx.query.state);
-  const redirectError = (error, description) => {
-    const url = new URL(redirectUri);
-    url.searchParams.set("error", error);
-    url.searchParams.set("error_description", description);
-    if (state) url.searchParams.set("state", state);
-    ctx.redirect(url.toString());
-  };
-  if (asString(ctx.query.response_type) !== "code") {
-    redirectError("unsupported_response_type", "response_type must be code");
-    return;
-  }
-  const codeChallenge = asString(ctx.query.code_challenge);
-  if (!codeChallenge) {
-    redirectError("invalid_request", "code_challenge is required (PKCE)");
-    return;
-  }
-  const codeChallengeMethod = asString(ctx.query.code_challenge_method) ?? "plain";
-  if (codeChallengeMethod !== "S256") {
-    redirectError("invalid_request", "code_challenge_method must be S256");
-    return;
-  }
-  const scopes = parseScopes(ctx.query.scope);
-  const result = await onAuthorize({
-    ctx,
-    client,
-    request: {
-      clientId,
-      redirectUri,
-      scopes,
-      state,
-      codeChallenge,
-      codeChallengeMethod
-    }
-  });
-  if (!result.approved) return;
-  const grantedScopes = result.scopes ?? scopes;
-  const code = generateToken();
-  await authCodeStore.save({
-    code,
-    clientId,
-    redirectUri,
-    codeChallenge,
-    scopes: grantedScopes,
-    subject: result.subject,
-    expiresAt: Date.now() + ttl * 1e3
-  });
-  const url = new URL(redirectUri);
-  url.searchParams.set("code", code);
-  if (state) url.searchParams.set("state", state);
-  ctx.redirect(url.toString());
-};
-/** Handles Dynamic Client Registration (RFC 7591) requests. */
-var handleRegister = async (ctx, clientStore) => {
-  const metadata = ctx.request.body ?? {};
-  const redirectUris = metadata.redirect_uris;
-  if (!Array.isArray(redirectUris) || redirectUris.length === 0 || !redirectUris.every(uri => {
-    return typeof uri === "string";
-  })) {
-    sendOAuthError(ctx, 400, "invalid_redirect_uri", "redirect_uris is required and must be an array of strings");
-    return;
-  }
-  const tokenAuthMethod = asString(metadata.token_endpoint_auth_method) ?? "client_secret_basic";
-  const isPublic = tokenAuthMethod === "none";
-  const client = {
-    ...metadata,
-    client_id: generateToken(16),
-    redirect_uris: redirectUris,
-    token_endpoint_auth_method: tokenAuthMethod,
-    grant_types: metadata.grant_types ?? ["authorization_code", "refresh_token"],
-    response_types: metadata.response_types ?? ["code"],
-    client_id_issued_at: Math.floor(Date.now() / 1e3)
-  };
-  if (!isPublic) {
-    client.client_secret = generateToken(32);
-    client.client_secret_expires_at = 0;
-  }
-  await clientStore.register(client);
-  ctx.status = 201;
-  ctx.body = client;
-};
-//#endregion
-//#region src/authServer.ts
-/**
-* Creates transport-agnostic OAuth 2.1 Authorization Server primitives for MCP.
-*
-* Mounts the authorization endpoint (`/authorize`, PKCE S256 required), token
-* endpoint (`/token`, `authorization_code` + `refresh_token` grants), Dynamic
-* Client Registration (`/register`, RFC 7591), and AS metadata discovery
-* (`/.well-known/oauth-authorization-server`, RFC 8414). When `resource` is
-* set, it also serves the protected-resource metadata (RFC 9728).
-*
-* ttoss owns only the protocol mechanics — the app supplies its own stores,
-* token signing/verification, and login/consent UI through the option hooks, so
-* the user model, JWT/IAM, and authentication never leave the consuming app.
-*
-* @param options - Authorization server configuration and pluggable hooks.
-* @returns A Koa `Router` exposing `routes()` / `allowedMethods()`.
-*
-* @example
-* ```typescript
-* import { App, bodyParser } from '@ttoss/http-server';
-* import { createMcpAuthServer } from '@ttoss/http-server-mcp';
-*
-* const authServer = createMcpAuthServer({
-*   issuer: 'https://api.soat.dev',
-*   clientStore,
-*   authCodeStore,
-*   issueTokens: async ({ subject, scopes }) => ({
-*     accessToken: signJwt({ sub: subject, scope: scopes.join(' ') }),
-*     refreshToken: createRefreshToken(subject),
-*     expiresIn: 3600,
-*   }),
-*   onAuthorize: async ({ ctx }) => {
-*     const session = await getSession(ctx);
-*     if (!session) {
-*       ctx.redirect('/login');
-*       return { approved: false };
-*     }
-*     return { approved: true, subject: session.userId };
-*   },
-*   scopesSupported: ['mcp:access'],
-* });
-*
-* const app = new App();
-* app.use(bodyParser());
-* app.use(authServer.routes());
-* ```
-*/
-var createMcpAuthServer = options => {
-  const {
-    issuer,
-    clientStore,
-    scopesSupported,
-    resource
-  } = options;
-  const authorizePath = options.endpoints?.authorize ?? "/authorize";
-  const tokenPath = options.endpoints?.token ?? "/token";
-  const registerPath = options.endpoints?.register ?? "/register";
-  const router = new _ttoss_http_server.Router();
-  router.get("/.well-known/oauth-authorization-server", ctx => {
-    ctx.body = {
-      issuer,
-      authorization_endpoint: joinUrl(issuer, authorizePath),
-      token_endpoint: joinUrl(issuer, tokenPath),
-      registration_endpoint: joinUrl(issuer, registerPath),
-      response_types_supported: ["code"],
-      grant_types_supported: ["authorization_code", "refresh_token"],
-      code_challenge_methods_supported: ["S256"],
-      token_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post", "none"],
-      ...(scopesSupported ? {
-        scopes_supported: scopesSupported
-      } : {})
-    };
-  });
-  if (resource) router.get("/.well-known/oauth-protected-resource", ctx => {
-    ctx.body = {
-      resource,
-      authorization_servers: [issuer]
-    };
-  });
-  router.get(authorizePath, async ctx => {
-    const clientId = asString(ctx.query.client_id);
-    if (!clientId) {
-      sendOAuthError(ctx, 400, "invalid_request", "client_id is required");
-      return;
-    }
-    const client = await clientStore.get(clientId);
-    if (!client) {
-      sendOAuthError(ctx, 400, "invalid_client", "unknown client_id");
-      return;
-    }
-    const redirectUri = asString(ctx.query.redirect_uri);
-    if (!redirectUri || !client.redirect_uris.includes(redirectUri)) {
-      sendOAuthError(ctx, 400, "invalid_request", "redirect_uri is missing or not registered for this client");
-      return;
-    }
-    await handleAuthorize(ctx, options, redirectUri);
-  });
-  router.post(tokenPath, async ctx => {
-    const body = ctx.request.body ?? {};
-    const grantType = asString(body.grant_type);
-    if (grantType === "authorization_code") {
-      await handleAuthorizationCodeGrant(ctx, body, options);
-      return;
-    }
-    if (grantType === "refresh_token") {
-      await handleRefreshTokenGrant(ctx, body, options);
-      return;
-    }
-    sendOAuthError(ctx, 400, "unsupported_grant_type", "grant_type must be authorization_code or refresh_token");
-  });
-  router.post(registerPath, async ctx => {
-    await handleRegister(ctx, clientStore);
-  });
-  return router;
-};
-//#endregion
-//#region src/index.ts
 var requestContextStore = new node_async_hooks.AsyncLocalStorage();
 /**
 * Generic HTTP helper for use inside MCP tool handlers.
@@ -630,10 +206,37 @@ var createMcpRouter = (server, options = {}) => {
     return result;
   };
   const router = new _ttoss_http_server.Router();
-  if (auth) registerAuthRoutes(router, path, auth, buildTokenVerifier(auth));
+  if (auth) {
+    const verifyToken = buildVerifyToken(auth);
+    const publicMethods = new Set(auth.publicMethods ?? DEFAULT_PUBLIC_METHODS);
+    const verify = (0, _ttoss_http_server_auth.authMiddleware)({
+      strategies: ["oauth"],
+      oauth: {
+        verify: token => {
+          return verifyToken(token);
+        },
+        requiredScopes: auth.requiredScopes
+      },
+      resourceMetadataUrl: auth.resourceMetadataUrl
+    });
+    router.use(path, async (ctx, next) => {
+      const method = ctx.request.body?.method;
+      if (publicMethods.has(method ?? "")) {
+        await next();
+        return;
+      }
+      await verify(ctx, next);
+    });
+    if (auth.resourceServerUrl && auth.authorizationServerUrl) router.get("/.well-known/oauth-protected-resource", ctx => {
+      ctx.body = {
+        resource: auth.resourceServerUrl,
+        authorization_servers: [auth.authorizationServerUrl]
+      };
+    });
+  }
   const handleWithContext = async (ctx, body) => {
     const apiHeaders = getApiHeaders ? getApiHeaders(ctx) : {};
-    const identity = ctx.state.identity;
+    const identity = ctx.state.user;
     const runRequest = async transport => {
       await transport.handleRequest(ctx.req, ctx.res, body);
       ctx.respond = false;
@@ -775,62 +378,6 @@ var registerToolFromSchema = (server, params) => {
     });
   }
 };
-/**
-* Returns the `WWW-Authenticate` header value for a 401 response on a
-* protected resource, following the MCP auth spec requirement that
-* unauthorized responses advertise the resource metadata URL so MCP
-* clients can bootstrap OAuth discovery.
-*
-* Use this in your own auth middleware when you are not using the built-in
-* `auth` option on `createMcpRouter`.
-*
-* @example
-* ```typescript
-* import { getWwwAuthenticateHeader } from '@ttoss/http-server-mcp';
-*
-* // Inside a Koa middleware
-* ctx.status = 401;
-* ctx.set('WWW-Authenticate', getWwwAuthenticateHeader({ resource: 'https://mcp.example.com' }));
-* ```
-*/
-var getWwwAuthenticateHeader = args => {
-  return `Bearer resource_metadata="${`${args.resource.replace(/\/$/, "")}/.well-known/oauth-protected-resource`}"`;
-};
-/**
-* Creates a standalone Koa middleware that serves
-* `GET /.well-known/oauth-protected-resource` (RFC 9728) without requiring
-* the built-in `auth` option on `createMcpRouter`.
-*
-* Mount this **before** your own auth middleware so the discovery endpoint
-* remains unauthenticated (MCP clients fetch it before they have a token).
-*
-* @example
-* ```typescript
-* import Koa from 'koa';
-* import { createProtectedResourceMetadataMiddleware } from '@ttoss/http-server-mcp';
-*
-* const app = new Koa();
-* app.use(
-*   createProtectedResourceMetadataMiddleware({
-*     resource: 'https://mcp.example.com',
-*     authorizationServers: ['https://api.example.com'],
-*   })
-* );
-* app.use(myOwnAuthMiddleware);
-* ```
-*/
-var createProtectedResourceMetadataMiddleware = args => {
-  return async (ctx, next) => {
-    if (ctx.method === "GET" && ctx.path === "/.well-known/oauth-protected-resource") {
-      ctx.body = {
-        resource: args.resource,
-        authorization_servers: args.authorizationServers
-      };
-      return;
-    }
-    await next();
-  };
-};
 //#endregion
 Object.defineProperty(exports, 'McpServer', {
@@ -841,11 +388,8 @@ Object.defineProperty(exports, 'McpServer', {
 });
 exports.apiCall = apiCall;
 exports.checkScopes = checkScopes;
-exports.createMcpAuthServer = createMcpAuthServer;
 exports.createMcpRouter = createMcpRouter;
-exports.createProtectedResourceMetadataMiddleware = createProtectedResourceMetadataMiddleware;
 exports.getIdentity = getIdentity;
-exports.getWwwAuthenticateHeader = getWwwAuthenticateHeader;
 exports.registerToolFromSchema = registerToolFromSchema;
 Object.defineProperty(exports, 'z', {
   enumerable: true,