
@descope/mcp-express
This is a TypeScript-based Express library that leverages Descope auth and user management capabilities to let you easily add Model Context Protocol (MCP) specification-compliant authorization to your MCP Server. It implements the provider side of the OAuth 2.1 protocol with PKCE support, Dynamic Client Registration, and Authorization Server Metadata.
Before you begin, ensure you have:
    npm install @descope/mcp-express
Get your credentials from the Descope Console.
Create a .env file in your project root:
    DESCOPE_PROJECT_ID=your_project_id
    DESCOPE_MANAGEMENT_KEY=your_management_key
    SERVER_URL=your_mcp_server_url
The SERVER_URL is the URL of your MCP Server (e.g. http://localhost:3000 or https://mcp.example.com).
Install dotenv:
    npm install dotenv
    import "dotenv/config";
    import express from "express";
    import {
      descopeMcpAuthRouter,
      descopeMcpBearerAuth,
    } from "@descope/mcp-express";

    const app = express();
    app.use(descopeMcpAuthRouter());
    app.use(["/sse", "/message"], descopeMcpBearerAuth());
    app.listen(3000);
The descopeMcpAuthRouter() function adds the metadata and route handlers (e.g. dynamic client registration) to the server, while the descopeMcpBearerAuth() function checks the request's headers for a Bearer token and, if found, attaches the Auth object to the request object under the auth key.
auth TypeScript type (optional)
If you're using TypeScript, you can add a type declaration to get proper type checking for the auth property that gets attached to the Express request object. Create a new file (e.g., types/globals.d.ts) and add:
    declare module "express-serve-static-core" {
      interface Request {
        /**
         * Information about the validated access token, if the `descopeMcpBearerAuth` middleware was used.
         * Contains user information and token details after successful authentication.
         */
        auth?: AuthInfo;
      }
    }
This type declaration will:
auth property on request objects
Example usage in your route handlers:
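    app.post("/message", async (req, res) => {
      // TypeScript now knows about req.auth
      if (req.auth) {
        // Access auth properties with full type support.
        // The token is a bearer credential; keep it out of production logs.
        console.log(req.auth.token);
        console.log(req.auth.scopes);
      }
      // ... handle the message and send a response here
    });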
You can configure dynamic client registration options when initializing the provider:
    import express from "express";
    import {
      descopeMcpAuthRouter,
      descopeMcpBearerAuth,
      DescopeMcpProvider,
    } from "@descope/mcp-express";

    const app = express();

    const provider = new DescopeMcpProvider({
      // The below values are defaults and can be omitted
      // if the environment variables are set and loaded
      projectId: process.env["DESCOPE_PROJECT_ID"],
      managementKey: process.env["DESCOPE_MANAGEMENT_KEY"],
      serverUrl: process.env["SERVER_URL"],
      dynamicClientRegistrationOptions: {
        // Read the project ID from the environment; a bare DESCOPE_PROJECT_ID identifier is not defined here
        authPageUrl: `https://api.descope.com/login/${process.env["DESCOPE_PROJECT_ID"]}?flow=consent`,
        permissionScopes: [
          {
            name: "get-schema",
            description: "Allow getting the SQL schema",
          },
          {
            name: "run-query",
            description: "Allow executing a SQL query",
            required: false,
          },
        ],
      },
    });

    // Add metadata and route handlers (e.g. dynamic client registration)
    app.use(descopeMcpAuthRouter(provider));
    // Add bearer token validation
    app.use(["/sse", "/message"], descopeMcpBearerAuth(provider));
    app.listen(3000);
You can customize the token verification options by setting the verifyTokenOptions object:
    import { descopeMcpBearerAuth, DescopeMcpProvider } from "@descope/mcp-express";

    const provider = new DescopeMcpProvider({
      verifyTokenOptions: {
        requiredScopes: ["get-schema", "run-query"],
        key: "descope-public-key",
      },
    });
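The requiredScopes list above is set once on the provider, while the registration options declare run-query as optional (required: false), so a token may carry only get-schema. The following is an added example, not code from the Descope SDK: a route-level guard over req.auth.scopes that answers with the RFC 6750 insufficient_scope error. The helper name requireScopes, the Req/Res stand-in types, the simulate driver and the /run-query route are assumptions made for illustration.

```typescript
// Added example, not part of @descope/mcp-express.
// Assumption: req.auth.scopes is a string[], as in the route handler on this page.
// Req/Res are minimal stand-ins for the Express types so the block runs offline.
interface Req { auth?: { scopes: string[] } }
interface Res { statusCode: number; headers: Record<string, string>; body?: unknown }

// Hypothetical helper: route-level guard that runs after descopeMcpBearerAuth().
function requireScopes(...needed: string[]) {
  return (req: Req, res: Res, next: () => void): void => {
    if (!req.auth) {
      // No validated token on the request: 401 with a bare Bearer challenge.
      res.statusCode = 401;
      res.headers["WWW-Authenticate"] = "Bearer";
      return;
    }
    const granted = new Set(req.auth.scopes);
    const missing = needed.filter((s) => !granted.has(s));
    if (missing.length > 0) {
      // Valid token, too few privileges: 403 insufficient_scope (RFC 6750, section 3.1).
      res.statusCode = 403;
      res.headers["WWW-Authenticate"] =
        `Bearer error="insufficient_scope", scope="${needed.join(" ")}"`;
      res.body = { error: "insufficient_scope", missing };
      return;
    }
    next();
  };
}

interface Outcome { status: number; reachedHandler: boolean; challenge: string | undefined }

// Constructed driver: runs the guard against a fake request and reports the outcome.
function simulate(scopes: string[] | undefined, ...needed: string[]): Outcome {
  const req: Req = scopes ? { auth: { scopes } } : {};
  const res: Res = { statusCode: 200, headers: {} };
  let reachedHandler = false;
  requireScopes(...needed)(req, res, () => { reachedHandler = true; });
  return { status: res.statusCode, reachedHandler, challenge: res.headers["WWW-Authenticate"] };
}

// With Express (hypothetical route name):
//   app.post("/run-query", requireScopes("run-query"), handler);
```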
The SDK implements the Model Context Protocol Auth Specification, providing:
This SDK implements OAuth 2.0/2.1 following these RFCs:
All OAuth schemas are implemented using Zod for runtime type validation.
This SDK includes code adapted from the official Model Context Protocol TypeScript SDK, which is licensed under the MIT License.
This project is licensed under the MIT License - see the LICENSE file for details.
FAQs
Descope Express MCP SDK
The npm package @descope/mcp-express receives a total of 242 weekly downloads. As such, @descope/mcp-express popularity was classified as not popular.
We found that @descope/mcp-express demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 5 open source maintainers collaborating on the project.