A comprehensive Model Context Protocol (MCP) server boilerplate built with TypeScript and Streamable HTTP transport with an OAuth Proxy for 3rd party authorization servers like Auth0.
Github: https://github.com/chrisleekr/mcp-server-boilerplate
Features
- MCP Server implementation: HTTP-Based Streamable transport using
@modelcontextprotocol/sdk with HTTP transport, session management, and tool execution.
- OAuth authentication/3rd party authorization: Implements an OAuth server for MCP clients to process 3rd party authorization servers like Auth0, providing Dynamic Application Registration for MCP server.
- Storage: Provide storage for MCP server to store data like OAuth sessions, tokens, etc.
- Built-in sample tools:
echo, system-time, project for demonstration.
Why this project exists?
- The Model Context Protocol spec https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization#dynamic-client-registration because it provides a standardized way for MCP clients to automatically register with new servers and obtain OAuth client IDs without user interaction. The main reason for this mechanism is because MCP clients can't know all possible services in advance and manual registration would create significant effort for users and it is not scalable. If do not support Dynamic Application Registration, then MCP clients need to provide OAuth client ID and secret to the server, which is not secure and not scalable.
- However, enabling Dynamic Application Registration (if supported) becomes a https://github.com/auth0/docs/blob/master/articles/api-auth/dynamic-client-registration.md#enable-dynamic-registration because the endpoint is a public endpoint that anyone can create OAuth clients. It can easily be abused, such as by flooding with unwanted client registrations. Hence, Auth0 has disabled Dynamic Application Registration
- As a result, this project provides a way to enable Dynamic Application Registration for MCP server by using OAuth Proxy, but delegating authorization to 3rd party authorization server like Auth0, Github, Google, etc.