Merge pull request #36 from modelcontextprotocol/claude/unauthenticated-mcp-endpoints-MsnNd

Remove OAuth authentication from example MCP app servers

Author: ochafik

src/index.ts

@@ -170,7 +170,6 @@ async function main() {
     // Mount Example Apps module (MCP Apps servers at /:slug/mcp)
     const exampleAppsModule = new ExampleAppsModule(
       { baseUri: config.baseUri },
-      tokenValidator
     );
     app.use('/', exampleAppsModule.getRouter());
 

src/modules/example-apps/index.ts

@@ -1,20 +1,18 @@
 /**
  * Example Apps Module - Mounts ext-apps example servers at /:slug/mcp
  *
- * Each example MCP App server is mounted at its own path, sharing the same
- * OAuth authentication as the main MCP server.
+ * Each example MCP App server is mounted at its own path without authentication.
+ * The root /mcp endpoint requires OAuth bearer token authentication, but these
+ * additional example servers are publicly accessible.
  *
  * These servers run in STATELESS mode - each request creates a fresh server
  * instance without maintaining session state across requests.
  */
 
 import { Router, Request, Response, NextFunction } from 'express';
 import cors from 'cors';
-import { BearerAuthMiddlewareOptions, requireBearerAuth } from '@modelcontextprotocol/sdk/server/auth/middleware/bearerAuth.js';
-import { getOAuthProtectedResourceMetadataUrl } from '@modelcontextprotocol/sdk/server/auth/router.js';
 import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
 import type { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
-import { ITokenValidator } from '../../interfaces/auth-validator.js';
 import { AuthInfo } from '@modelcontextprotocol/sdk/server/auth/types.js';
 import { isInitializeRequest } from '@modelcontextprotocol/sdk/types.js';
 
@@ -66,7 +64,6 @@ export class ExampleAppsModule {
 
   constructor(
     private config: ExampleAppsConfig,
-    private tokenValidator: ITokenValidator
   ) {
     this.router = this.setupRouter();
   }
@@ -94,13 +91,6 @@ export class ExampleAppsModule {
       next();
     };
 
-    // Bearer auth middleware
-    const bearerAuthOptions: BearerAuthMiddlewareOptions = {
-      verifier: this.tokenValidator,
-      resourceMetadataUrl: getOAuthProtectedResourceMetadataUrl(new URL(this.config.baseUri))
-    };
-    const bearerAuth = requireBearerAuth(bearerAuthOptions);
-
     // Handler for /:slug/mcp - stateless: each request creates a fresh server
     const handleExampleMcp = async (req: Request, res: Response) => {
       const { slug } = req.params;
@@ -155,10 +145,10 @@ export class ExampleAppsModule {
       }
     };
 
-    // Mount routes for each example server
-    router.get('/:slug/mcp', cors(corsOptions), bearerAuth, securityHeaders, handleExampleMcp);
-    router.post('/:slug/mcp', cors(corsOptions), bearerAuth, securityHeaders, handleExampleMcp);
-    router.delete('/:slug/mcp', cors(corsOptions), bearerAuth, securityHeaders, handleExampleMcp);
+    // Mount routes for each example server (unauthenticated)
+    router.get('/:slug/mcp', cors(corsOptions), securityHeaders, handleExampleMcp);
+    router.post('/:slug/mcp', cors(corsOptions), securityHeaders, handleExampleMcp);
+    router.delete('/:slug/mcp', cors(corsOptions), securityHeaders, handleExampleMcp);
 
     return router;
   }