Documentation / @agentick/mcp / OAuthProvider
Interface: OAuthProvider
Defined in: client/oauth.ts:42
OAuth provider hooks for MCP client authentication.
Implementations control how tokens are stored, how the user is directed to authorize, and how client registration is persisted. The MCP client handles discovery, PKCE, token exchange, and refresh automatically via the SDK transports.
For most use cases, use DefaultOAuthProvider which provides in-memory storage and emits events for authorization. For production, implement this interface with persistent storage (file, DB, etc.).
Properties
clientMetadata
clientMetadata:
object
Defined in: client/oauth.ts:46
OAuth client metadata for dynamic registration (RFC 7591).
redirectUrl
redirectUrl:
string|URL|undefined
Defined in: client/oauth.ts:49
Redirect URI for the authorization callback. undefined for non-interactive flows.
Methods
loadClientInfo()
loadClientInfo():
OAuthClientInformationMixed|Promise<OAuthClientInformationMixed | undefined> |undefined
Defined in: client/oauth.ts:60
Load stored client registration info, or undefined if not registered.
Returns
OAuthClientInformationMixed | Promise<OAuthClientInformationMixed | undefined> | undefined
loadCodeVerifier()?
optionalloadCodeVerifier():string|Promise<string>
Defined in: client/oauth.ts:102
Load PKCE code verifier. Default: in-memory.
Returns
string | Promise<string>
loadDiscoveryState()?
optionalloadDiscoveryState():OAuthDiscoveryState|Promise<OAuthDiscoveryState|undefined> |undefined
Defined in: client/oauth.ts:110
Load cached discovery state.
Returns
OAuthDiscoveryState | Promise<OAuthDiscoveryState | undefined> | undefined
loadTokens()
loadTokens(): { } |
Promise<{ } |undefined> |undefined
Defined in: client/oauth.ts:54
Load stored tokens for this server, or undefined if none.
Returns
{ } | Promise<{ } | undefined> | undefined
onInvalidateCredentials()?
optionalonInvalidateCredentials(scope):void|Promise<void>
Defined in: client/oauth.ts:115
Called when credentials are invalidated (server rejected token).
Parameters
scope
"client" | "all" | "tokens" | "verifier" | "discovery"
Returns
void | Promise<void>
redirectToAuthorization()
redirectToAuthorization(
url):void|Promise<void>
Defined in: client/oauth.ts:78
Direct the user to the authorization URL to begin the OAuth flow.
Environments implement this differently:
- CLI: open system browser, start local HTTP callback server
- Server/gateway: store pending auth state, return URL to caller
- Embedded: post message to parent frame
Parameters
url
URL
Returns
void | Promise<void>
saveClientInfo()
saveClientInfo(
info):void|Promise<void>
Defined in: client/oauth.ts:66
Save client registration info after dynamic registration.
Parameters
info
OAuthClientInformationMixed
Returns
void | Promise<void>
saveCodeVerifier()?
optionalsaveCodeVerifier(verifier):void|Promise<void>
Defined in: client/oauth.ts:99
Save PKCE code verifier. Default: in-memory.
Parameters
verifier
string
Returns
void | Promise<void>
saveDiscoveryState()?
optionalsaveDiscoveryState(state):void|Promise<void>
Defined in: client/oauth.ts:107
Save discovery state to avoid re-discovery on reconnect.
Parameters
state
OAuthDiscoveryState
Returns
void | Promise<void>
saveTokens()
saveTokens(
tokens):void|Promise<void>
Defined in: client/oauth.ts:57
Save tokens after successful auth or refresh.
Parameters
tokens
Returns
void | Promise<void>
waitForAuthorizationCode()
waitForAuthorizationCode():
Promise<string|undefined>
Defined in: client/oauth.ts:94
Wait for the authorization code after the user completes the browser flow.
This is called after redirectToAuthorization when the SDK transport throws UnauthorizedError. The connect loop blocks on this promise until the code arrives, then calls transport.finishAuth(code).
Implementations:
- CLI: resolve when the local callback server receives the redirect
- Server: resolve when the callback endpoint is hit
- Embedded: resolve when postMessage delivers the code
Return undefined to abort the auth flow (e.g., user cancelled).
Returns
Promise<string | undefined>