About
Open MCP Auth Proxy is a lightweight middleware that enforces the Model Context Protocol authorization specification. It validates JWTs, negotiates protocol versions, and integrates with any OAuth/OIDC provider to protect MCP servers.
Overview
The Open MCP Auth Proxy is a lightweight, high‑performance gateway that sits between an MCP client and an MCP server to enforce the Model Context Protocol’s authorization rules. By translating standard OAuth/OIDC tokens into MCP‑specific permissions, it removes the need for each MCP server to implement its own token validation logic. This solves a common pain point in AI‑assistant ecosystems: how to keep authorization consistent, auditable, and centrally managed while still allowing servers to focus on delivering resources, tools, or prompts.
At its core, the proxy validates JWTs against an identity provider’s JWKS endpoint, checks the claim and scopes, and then injects the resulting authorization metadata into the MCP request headers. It supports any OAuth/OIDC provider—Asgardeo, Auth0, Keycloak, or custom solutions—making it adaptable to existing enterprise identity infrastructures. The proxy also negotiates MCP protocol versions via the header, ensuring backward compatibility with older servers and clients.
Key capabilities include:
- Dynamic Authorization: Enforces MCP authorization specifications on every request, allowing fine‑grained access control for tools and resources.
- Flexible Transport: Works with STDIO, SSE, or streamable HTTP transports, enabling seamless integration across diverse client architectures.
- Protocol Version Negotiation: Automatically selects the appropriate MCP version supported by both proxy and server.
- Scalable Configuration: A single YAML file defines the MCP endpoint, supported scopes, audience, and identity provider details, simplifying deployment.
Real‑world use cases are plentiful. A SaaS platform that exposes a set of AI tools can deploy the proxy to gate access based on user roles stored in an existing Keycloak realm, while developers still interact with the underlying MCP server unchanged. In research labs, the proxy can enforce that only authenticated researchers with specific scopes can invoke computational resources, ensuring compliance with institutional policies. For rapid prototyping, the demo mode ships with a pre‑configured Asgardeo sandbox, letting teams validate their MCP clients in minutes.
By centralizing token validation and scope enforcement, the Open MCP Auth Proxy gives developers a single point of control for security while preserving the lightweight, transport‑agnostic nature of MCP. This makes it an essential component for any production AI assistant that needs to scale securely across multiple identity providers and deployment environments.