UNPKG

@modelcontextprotocol/sdk

Version:

Model Context Protocol implementation for TypeScript

modelcontextprotocol.io

modelcontextprotocol/typescript-sdk

191 lines 8.83 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
import type { OAuthClientMetadata, OAuthClientInformation, OAuthTokens, OAuthMetadata, OAuthClientInformationFull, OAuthProtectedResourceMetadata } from "../shared/auth.js"; /** * Implements an end-to-end OAuth client to be used with one MCP server. * * This client relies upon a concept of an authorized "session," the exact * meaning of which is application-defined. Tokens, authorization codes, and * code verifiers should not cross different sessions. */ export interface OAuthClientProvider { /** * The URL to redirect the user agent to after authorization. */ get redirectUrl(): string | URL; /** * Metadata about this OAuth client. */ get clientMetadata(): OAuthClientMetadata; /** * Returns a OAuth2 state parameter. */ state?(): string | Promise<string>; /** * Loads information about this OAuth client, as registered already with the * server, or returns `undefined` if the client is not registered with the * server. */ clientInformation(): OAuthClientInformation | undefined | Promise<OAuthClientInformation | undefined>; /** * If implemented, this permits the OAuth client to dynamically register with * the server. Client information saved this way should later be read via * `clientInformation()`. * * This method is not required to be implemented if client information is * statically known (e.g., pre-registered). */ saveClientInformation?(clientInformation: OAuthClientInformationFull): void | Promise<void>; /** * Loads any existing OAuth tokens for the current session, or returns * `undefined` if there are no saved tokens. */ tokens(): OAuthTokens | undefined | Promise<OAuthTokens | undefined>; /** * Stores new OAuth tokens for the current session, after a successful * authorization. */ saveTokens(tokens: OAuthTokens): void | Promise<void>; /** * Invoked to redirect the user agent to the given URL to begin the authorization flow. */ redirectToAuthorization(authorizationUrl: URL): void | Promise<void>; /** * Saves a PKCE code verifier for the current session, before redirecting to * the authorization flow. */ saveCodeVerifier(codeVerifier: string): void | Promise<void>; /** * Loads the PKCE code verifier for the current session, necessary to validate * the authorization result. */ codeVerifier(): string | Promise<string>; /** * Adds custom client authentication to OAuth token requests. * * This optional method allows implementations to customize how client credentials * are included in token exchange and refresh requests. When provided, this method * is called instead of the default authentication logic, giving full control over * the authentication mechanism. * * Common use cases include: * - Supporting authentication methods beyond the standard OAuth 2.0 methods * - Adding custom headers for proprietary authentication schemes * - Implementing client assertion-based authentication (e.g., JWT bearer tokens) * * @param headers - The request headers (can be modified to add authentication) * @param params - The request body parameters (can be modified to add credentials) * @param url - The token endpoint URL being called * @param metadata - Optional OAuth metadata for the server, which may include supported authentication methods */ addClientAuthentication?(headers: Headers, params: URLSearchParams, url: string | URL, metadata?: OAuthMetadata): void | Promise<void>; /** * If defined, overrides the selection and validation of the * RFC 8707 Resource Indicator. If left undefined, default * validation behavior will be used. * * Implementations must verify the returned resource matches the MCP server. */ validateResourceURL?(serverUrl: string | URL, resource?: string): Promise<URL | undefined>; } export type AuthResult = "AUTHORIZED" | "REDIRECT"; export declare class UnauthorizedError extends Error { constructor(message?: string); } /** * Orchestrates the full auth flow with a server. * * This can be used as a single entry point for all authorization functionality, * instead of linking together the other lower-level functions in this module. */ export declare function auth(provider: OAuthClientProvider, { serverUrl, authorizationCode, scope, resourceMetadataUrl }: { serverUrl: string | URL; authorizationCode?: string; scope?: string; resourceMetadataUrl?: URL; }): Promise<AuthResult>; export declare function selectResourceURL(serverUrl: string | URL, provider: OAuthClientProvider, resourceMetadata?: OAuthProtectedResourceMetadata): Promise<URL | undefined>; /** * Extract resource_metadata from response header. */ export declare function extractResourceMetadataUrl(res: Response): URL | undefined; /** * Looks up RFC 9728 OAuth 2.0 Protected Resource Metadata. * * If the server returns a 404 for the well-known endpoint, this function will * return `undefined`. Any other errors will be thrown as exceptions. */ export declare function discoverOAuthProtectedResourceMetadata(serverUrl: string | URL, opts?: { protocolVersion?: string; resourceMetadataUrl?: string | URL; }): Promise<OAuthProtectedResourceMetadata>; /** * Looks up RFC 8414 OAuth 2.0 Authorization Server Metadata. * * If the server returns a 404 for the well-known endpoint, this function will * return `undefined`. Any other errors will be thrown as exceptions. */ export declare function discoverOAuthMetadata(issuer: string | URL, { authorizationServerUrl, protocolVersion, }?: { authorizationServerUrl?: string | URL; protocolVersion?: string; }): Promise<OAuthMetadata | undefined>; /** * Begins the authorization flow with the given server, by generating a PKCE challenge and constructing the authorization URL. */ export declare function startAuthorization(authorizationServerUrl: string | URL, { metadata, clientInformation, redirectUrl, scope, state, resource, }: { metadata?: OAuthMetadata; clientInformation: OAuthClientInformation; redirectUrl: string | URL; scope?: string; state?: string; resource?: URL; }): Promise<{ authorizationUrl: URL; codeVerifier: string; }>; /** * Exchanges an authorization code for an access token with the given server. * * Supports multiple client authentication methods as specified in OAuth 2.1: * - Automatically selects the best authentication method based on server support * - Falls back to appropriate defaults when server metadata is unavailable * * @param authorizationServerUrl - The authorization server's base URL * @param options - Configuration object containing client info, auth code, etc. * @returns Promise resolving to OAuth tokens * @throws {Error} When token exchange fails or authentication is invalid */ export declare function exchangeAuthorization(authorizationServerUrl: string | URL, { metadata, clientInformation, authorizationCode, codeVerifier, redirectUri, resource, addClientAuthentication }: { metadata?: OAuthMetadata; clientInformation: OAuthClientInformation; authorizationCode: string; codeVerifier: string; redirectUri: string | URL; resource?: URL; addClientAuthentication?: OAuthClientProvider["addClientAuthentication"]; }): Promise<OAuthTokens>; /** * Exchange a refresh token for an updated access token. * * Supports multiple client authentication methods as specified in OAuth 2.1: * - Automatically selects the best authentication method based on server support * - Preserves the original refresh token if a new one is not returned * * @param authorizationServerUrl - The authorization server's base URL * @param options - Configuration object containing client info, refresh token, etc. * @returns Promise resolving to OAuth tokens (preserves original refresh_token if not replaced) * @throws {Error} When token refresh fails or authentication is invalid */ export declare function refreshAuthorization(authorizationServerUrl: string | URL, { metadata, clientInformation, refreshToken, resource, addClientAuthentication, }: { metadata?: OAuthMetadata; clientInformation: OAuthClientInformation; refreshToken: string; resource?: URL; addClientAuthentication?: OAuthClientProvider["addClientAuthentication"]; }): Promise<OAuthTokens>; /** * Performs OAuth 2.0 Dynamic Client Registration according to RFC 7591. */ export declare function registerClient(authorizationServerUrl: string | URL, { metadata, clientMetadata, }: { metadata?: OAuthMetadata; clientMetadata: OAuthClientMetadata; }): Promise<OAuthClientInformationFull>; //# sourceMappingURL=auth.d.ts.map