@frontmcp/auth

@frontmcp/auth

Authentication, session management, and credential vault for FrontMCP servers.

Install

npm install @frontmcp/auth

Typically consumed via @frontmcp/sdk — direct installation is only needed for advanced use cases.

Features

• Remote OAuth — delegate authentication to an external IdP with optional DCR (docs)
• Local OAuth — built-in token issuance with configurable sign keys (docs)
• JWKS validation — JSON Web Key Set discovery and token verification (docs)
• OAuth stores — session, token, and authorization code persistence (memory, Redis, Vercel KV) (docs)
• Credential vault — encrypted storage for secrets and API keys (docs)
• PKCE — Proof Key for Code Exchange (RFC 7636) built on @frontmcp/utils crypto (docs)
• CIMD — Client Instance Machine Detection for session continuity (docs)
• Auth UI templates — consent, login, and error pages (docs)
• Audience validation — per-app audience and scope enforcement (docs)
• Token vault — secure token exchange and refresh management (docs)

Quick Example

import { FrontMcp, App } from '@frontmcp/sdk';

@FrontMcp({
  info: { name: 'Secure Server', version: '1.0.0' },
  apps: [MyApp],
  auth: {
    type: 'remote',
    name: 'my-idp',
    baseUrl: 'https://idp.example.com',
  },
})
export default class Server {}

Full guide: Authentication Overview

Docs

Topic	Link
Overview	Authentication Overview
Remote OAuth	Remote OAuth
Local OAuth	Local OAuth
JWKS	JWKS Validation
Session stores	Session Stores
Credential vault	Credential Vault
PKCE	PKCE
CIMD	Client Instance Machine Detection
Auth UI	Auth UI Templates
Audience & scopes	Audience Validation
Token vault	Token Vault

Related Packages

• @frontmcp/sdk — core framework (imports auth internally)
• @frontmcp/utils — crypto primitives used by PKCE and vault
• @frontmcp/ui — consent and login page components

License

Apache-2.0 — see LICENSE.