Add docs for server-level auth #583
Open
+717
−3
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
EricGustin
changed the title
EricGustin
changed the title
evantahler
reviewed
Dec 3, 2025
| "providing-useful-tool-errors": "Providing useful tool errors", | ||
| "retry-tools-with-improved-prompt": "Retry tools with improved prompt", | ||
| "call-tools-from-mcp-clients": "Call tools from MCP clients", | ||
| "secure-your-mcp-server": "Secure Your MCP Server with OAuth", |
Contributor
There was a problem hiding this comment.
You probably want to pull in main and merge this with https://docs.arcade.dev/en/home/serve-tools/securing-arcade-mcp
| import { Steps, Tabs, Callout } from "nextra/components"; | ||
|
|
||
| # Adding Resource Server Authentication to Your MCP Server | ||
|
|
Contributor
There was a problem hiding this comment.
This is rather technical - I think we should start with something a little higher level (so... you want to deploy this thing, but need to protect it...). I think you can steal from https://docs.arcade.dev/en/home/serve-tools/securing-arcade-mcp
| Resource Server authentication solves this by: | ||
|
|
||
| 1. **Authenticating every request** - Validates the Bearer token before processing any MCP messages | ||
| 2. **Extracting user identity** - The token's `sub` claim becomes the `context.user_id` for tool execution |
|
|
||
| 1. **Authenticating every request** - Validates the Bearer token before processing any MCP messages | ||
| 2. **Extracting user identity** - The token's `sub` claim becomes the `context.user_id` for tool execution | ||
| 3. **Enabling secure tools** - Tools requiring authorization or secrets can now safely execute over HTTP |
Contributor
There was a problem hiding this comment.
Suggested change
| 3. **Enabling secure tools** - Tools requiring authorization or secrets can now safely execute over HTTP | |
| 3. **Enabling secure tools** - Tools requiring authorization or secrets can now safely execute over HTTP - but authenticated tools will still require authenticating to the downstream service |
Comment on lines
+118
to
+132
| resource_server = ResourceServer( | ||
| canonical_url="http://127.0.0.1:8000/mcp", | ||
| authorization_servers=[ | ||
| AuthorizationServerEntry( | ||
| authorization_server_url="https://your-workos.authkit.app", | ||
| issuer="https://your-workos.authkit.app", | ||
| jwks_uri="https://your-workos.authkit.app/oauth2/jwks", | ||
| algorithm="RS256", | ||
| # Authkit doesn't set the aud claim as the MCP server's canonical URL | ||
| validation_options=AccessTokenValidationOptions( | ||
| verify_aud=False, | ||
| ), | ||
| ) | ||
| ], | ||
| ) |
Contributor
There was a problem hiding this comment.
That's not so bad at all!
Comment on lines
+8
to
+10
| # Server-Level vs Tool-Level Authorization | ||
|
|
||
| Arcade MCP servers support two distinct layers of authorization that work together to provide comprehensive security. Understanding the difference is crucial for building secure, production-ready MCP servers. |
Contributor
There was a problem hiding this comment.
This page is a very good idea!
Comment on lines
+65
to
+66
| <Tabs items={["ResourceServer (Recommended)", "JWKSTokenValidator (Simple)"]}> | ||
| <Tabs.Tab> |
Contributor
There was a problem hiding this comment.
I think we need to talk about how things work when you arcade deploy too - in that we handle all of this for you (always be selling). Can arcade deploy be the first tab?
| | **Required for** | HTTP servers in production | Tools that access user data from APIs | | ||
| | **Configuration** | `MCPApp(auth=resource_server)` | `@app.tool(requires_auth=GitHub(...))` | | ||
|
|
||
| ## Resource Server Authentication (Server-Level) |
Contributor
There was a problem hiding this comment.
again, talk about how if you arcade deploy, we handle this all for you
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Documentation for ArcadeAI/arcade-mcp#696
Two new pages:
Update one page:
Note
Adds docs and examples for securing HTTP MCP servers with OAuth 2.1 resource server auth, clarifies server- vs tool-level auth, and updates navigation and securing guide.
app/en/home/build-tools/secure-your-mcp-server/page.mdx:ResourceServer, multipleAuthorizationServerEntry, env var config, andJWKSTokenValidator.app/en/home/build-tools/server-level-vs-tool-level-auth/page.mdx:app/en/home/serve-tools/securing-arcade-mcp/page.mdxto add OAuth Resource Server Authentication section and link to the new guide.app/en/home/build-tools/_meta.tsxto addsecure-your-mcp-serverandserver-level-vs-tool-level-authentries.Written by Cursor Bugbot for commit bbbc0fd. This will update automatically on new commits. Configure here.