ALPHA

OAuth for MCP, solved.

Stop implementing RFC 9728, PKCE, DCR, and token management from scratch. Point your MCP server's authorization_servers here and ship your product.

// Your MCP server's Protected Resource Metadata
// GET /.well-known/oauth-protected-resource
{
  "resource": "https://your-mcp.com/mcp",
  "authorization_servers": ["https://authkit.opzero.sh"],
  "bearer_methods_supported": ["header"]
}

// That's it. AuthKit handles everything else:
// ✓ Dynamic Client Registration (RFC 7591)
// ✓ PKCE S256 challenge/verification
// ✓ Consent screen with login/signup
// ✓ Token issuance & refresh
// ✓ Token revocation

How it works

Register your MCP server, get a server ID, and point your PRM to AuthKit. When Claude, ChatGPT, or any MCP client connects, AuthKit handles the full OAuth dance — registration, consent, tokens — and your server just validates the Bearer token.
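As an added example, not AuthKit's code: the pieces of this flow that an MCP server and its client can be checked against offline, serving the PRM, answering 401 with the RFC 9728 challenge, validating the PRM before trusting the listed authorization server, and generating and verifying the PKCE S256 challenge. The PRM URL, client id, redirect URI and state are constructed values; how AuthKit itself validates Bearer tokens is not described on this page, so the example stops at PKCE verification.

```python
import base64, hashlib, hmac, json, secrets
from urllib.parse import urlencode

# Constructed value: where the MCP server publishes its PRM (RFC 9728).
PRM_URL = "https://your-mcp.com/.well-known/oauth-protected-resource"

def prm_document(resource: str, authorization_server: str) -> dict:
    """Resource-server side: the one JSON object shown on the page."""
    return {"resource": resource,
            "authorization_servers": [authorization_server],
            "bearer_methods_supported": ["header"]}

def unauthorized_headers() -> dict:
    """Resource-server side: RFC 9728 401 challenge pointing at the PRM."""
    return {"WWW-Authenticate": f'Bearer resource_metadata="{PRM_URL}"'}

def pick_authorization_server(prm_json: str, expected_resource: str) -> str:
    """Client side: refuse a PRM for the wrong resource or with no https AS."""
    prm = json.loads(prm_json)
    if prm.get("resource") != expected_resource:
        raise ValueError("PRM 'resource' does not match the MCP endpoint")
    servers = prm.get("authorization_servers") or []
    if not servers or not all(s.startswith("https://") for s in servers):
        raise ValueError("PRM must list at least one https authorization server")
    return servers[0]

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def new_pkce_pair() -> tuple:
    """Client side: 43-char random verifier and its S256 challenge (RFC 7636)."""
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, _b64url(hashlib.sha256(verifier.encode()).digest())

def verify_pkce(verifier: str, stored_challenge: str) -> bool:
    """AS side at /oauth/token: recompute S256 and compare in constant time."""
    if not 43 <= len(verifier) <= 128:
        return False
    computed = _b64url(hashlib.sha256(verifier.encode()).digest())
    return hmac.compare_digest(computed, stored_challenge)

def authorize_url(issuer, client_id, redirect_uri, challenge, state) -> str:
    """Client side: /oauth/authorize request carrying the S256 challenge."""
    return issuer + "/oauth/authorize?" + urlencode({
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "code_challenge": challenge, "code_challenge_method": "S256", "state": state})
```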

🔌 Plug & Play

One JSON change to your PRM. No OAuth code in your server.

📋 Spec Compliant

RFC 9728, 8414, 7591, OAuth 2.1 with PKCE. Passes Claude's validation.

⚡ Edge Deployed

Runs on Cloudflare Workers. Sub-50ms auth worldwide.

🔑 Token Validation

Simple API to validate tokens in your MCP server middleware.

Endpoints

GET  /.well-known/oauth-authorization-server
POST /oauth/register     ← Dynamic Client Registration
GET  /oauth/authorize    ← Authorization + Consent UI
POST /oauth/token        ← Code → Tokens (PKCE)
POST /oauth/revoke       ← Token revocation
GET  /oauth/userinfo     ← User info from token
GET  /prm/{server_id}    ← Auto-generated PRM
POST /api/servers        ← Register your MCP server