Loading source
Pulling the file list, source metadata, and syntax-aware rendering for this listing.
Source from repo
Guidance for integrating MCP (Model Context Protocol) servers into Claude Code plugins.
Files
Skill
Size
Entrypoint
Format
Open file
Syntax-highlighted preview of this file as included in the skill package.
references/authentication.md
1# MCP Authentication Patterns2Complete guide to authentication methods for MCP servers in Claude Code plugins.4## Overview6MCP servers support multiple authentication methods depending on the server type and service requirements. Choose the method that best matches your use case and security requirements.8## OAuth (Automatic)10### How It Works12Claude Code automatically handles the complete OAuth 2.0 flow for SSE and HTTP servers:141. User attempts to use MCP tool162. Claude Code detects authentication needed173. Opens browser for OAuth consent184. User authorizes in browser195. Tokens stored securely by Claude Code206. Automatic token refresh21### Configuration23```json25{26"service": {27"type": "sse",28"url": "https://mcp.example.com/sse"29}30}31```32No additional auth configuration needed! Claude Code handles everything.34### Supported Services36**Known OAuth-enabled MCP servers:**38- Asana: `https://mcp.asana.com/sse`39- GitHub (when available)40- Google services (when available)41- Custom OAuth servers42### OAuth Scopes44OAuth scopes are determined by the MCP server. Users see required scopes during the consent flow.46**Document required scopes in your README:**48```markdown49## Authentication50This plugin requires the following Asana permissions:52- Read tasks and projects53- Create and update tasks54- Access workspace data55```56### Token Storage58Tokens are stored securely by Claude Code:60- Not accessible to plugins61- Encrypted at rest62- Automatic refresh63- Cleared on sign-out64### Troubleshooting OAuth66**Authentication loop:**68- Clear cached tokens (sign out and sign in)69- Check OAuth redirect URLs70- Verify server OAuth configuration71**Scope issues:**73- User may need to re-authorize for new scopes74- Check server documentation for required scopes75**Token expiration:**77- Claude Code auto-refreshes78- If refresh fails, prompts re-authentication79## Token-Based Authentication81### Bearer Tokens83Most common for HTTP and WebSocket servers.85**Configuration:**87```json88{89"api": {90"type": "http",91"url": "https://api.example.com/mcp",92"headers": {93"Authorization": "Bearer ${API_TOKEN}"94}95}96}97```98**Environment variable:**100```bash101export API_TOKEN="your-secret-token-here"102```103### API Keys105Alternative to Bearer tokens, often in custom headers.107**Configuration:**109```json110{111"api": {112"type": "http",113"url": "https://api.example.com/mcp",114"headers": {115"X-API-Key": "${API_KEY}",116"X-API-Secret": "${API_SECRET}"117}118}119}120```121### Custom Headers123Services may use custom authentication headers.125**Configuration:**127```json128{129"service": {130"type": "sse",131"url": "https://mcp.example.com/sse",132"headers": {133"X-Auth-Token": "${AUTH_TOKEN}",134"X-User-ID": "${USER_ID}",135"X-Tenant-ID": "${TENANT_ID}"136}137}138}139```140### Documenting Token Requirements142Always document in your README:144```markdown146## Setup147### Required Environment Variables149Set these environment variables before using the plugin:151\`\`\`bash153export API_TOKEN="your-token-here"154export API_SECRET="your-secret-here"155\`\`\`156### Obtaining Tokens1581. Visit https://api.example.com/tokens1602. Create a new API token1613. Copy the token and secret1624. Set environment variables as shown above163### Token Permissions165The API token needs the following permissions:167- Read access to resources168- Write access for creating items169- Delete access (optional, for cleanup operations)170\`\`\`171```172## Environment Variable Authentication (stdio)174### Passing Credentials to Server176For stdio servers, pass credentials via environment variables:178```json180{181"database": {182"command": "python",183"args": ["-m", "mcp_server_db"],184"env": {185"DATABASE_URL": "${DATABASE_URL}",186"DB_USER": "${DB_USER}",187"DB_PASSWORD": "${DB_PASSWORD}"188}189}190}191```192### User Environment Variables194```bash196# User sets these in their shell197export DATABASE_URL="postgresql://localhost/mydb"198export DB_USER="myuser"199export DB_PASSWORD="mypassword"200```201### Documentation Template203```markdown205## Database Configuration206Set these environment variables:208\`\`\`bash210export DATABASE_URL="postgresql://host:port/database"211export DB_USER="username"212export DB_PASSWORD="password"213\`\`\`214Or create a `.env` file (add to `.gitignore`):216\`\`\`218DATABASE_URL=postgresql://localhost:5432/mydb219DB_USER=myuser220DB_PASSWORD=mypassword221\`\`\`222Load with: \`source .env\` or \`export $(cat .env | xargs)\`224\`\`\`225```226## Dynamic Headers228### Headers Helper Script230For tokens that change or expire, use a helper script:232```json234{235"api": {236"type": "sse",237"url": "https://api.example.com",238"headersHelper": "${CLAUDE_PLUGIN_ROOT}/scripts/get-headers.sh"239}240}241```242**Script (get-headers.sh):**244```bash245#!/bin/bash246# Generate dynamic authentication headers247# Fetch fresh token249TOKEN=$(get-fresh-token-from-somewhere)250# Output JSON headers252cat <<EOF253{254"Authorization": "Bearer $TOKEN",255"X-Timestamp": "$(date -Iseconds)"256}257EOF258```259### Use Cases for Dynamic Headers261- Short-lived tokens that need refresh263- Tokens with HMAC signatures264- Time-based authentication265- Dynamic tenant/workspace selection266## Security Best Practices268### DO270✅ **Use environment variables:**272```json273{274"headers": {275"Authorization": "Bearer ${API_TOKEN}"276}277}278```279✅ **Document required variables in README**281✅ **Use HTTPS/WSS always**283✅ **Implement token rotation**285✅ **Store tokens securely (env vars, not files)**287✅ **Let OAuth handle authentication when available**289### DON'T291❌ **Hardcode tokens:**293```json294{295"headers": {296"Authorization": "Bearer sk-abc123..." // NEVER!297}298}299```300❌ **Commit tokens to git**302❌ **Share tokens in documentation**304❌ **Use HTTP instead of HTTPS**306❌ **Store tokens in plugin files**308❌ **Log tokens or sensitive headers**310## Multi-Tenancy Patterns312### Workspace/Tenant Selection314**Via environment variable:**316```json317{318"api": {319"type": "http",320"url": "https://api.example.com/mcp",321"headers": {322"Authorization": "Bearer ${API_TOKEN}",323"X-Workspace-ID": "${WORKSPACE_ID}"324}325}326}327```328**Via URL:**330```json331{332"api": {333"type": "http",334"url": "https://${TENANT_ID}.api.example.com/mcp"335}336}337```338### Per-User Configuration340Users set their own workspace:342```bash344export WORKSPACE_ID="my-workspace-123"345export TENANT_ID="my-company"346```347## Authentication Troubleshooting349### Common Issues351**401 Unauthorized:**353- Check token is set correctly354- Verify token hasn't expired355- Check token has required permissions356- Ensure header format is correct357**403 Forbidden:**359- Token valid but lacks permissions360- Check scope/permissions361- Verify workspace/tenant ID362- May need admin approval363**Token not found:**365```bash366# Check environment variable is set367echo $API_TOKEN368# If empty, set it370export API_TOKEN="your-token"371```372**Token in wrong format:**374```json375// Correct376"Authorization": "Bearer sk-abc123"377// Wrong379"Authorization": "sk-abc123"380```381### Debugging Authentication383**Enable debug mode:**385```bash386claude --debug387```388Look for:390- Authentication header values (sanitized)391- OAuth flow progress392- Token refresh attempts393- Authentication errors394**Test authentication separately:**396```bash397# Test HTTP endpoint398curl -H "Authorization: Bearer $API_TOKEN" \399https://api.example.com/mcp/health400# Should return 200 OK402```403## Migration Patterns405### From Hardcoded to Environment Variables407**Before:**409```json410{411"headers": {412"Authorization": "Bearer sk-hardcoded-token"413}414}415```416**After:**418```json419{420"headers": {421"Authorization": "Bearer ${API_TOKEN}"422}423}424```425**Migration steps:**4271. Add environment variable to plugin README4282. Update configuration to use ${VAR}4293. Test with variable set4304. Remove hardcoded value4315. Commit changes432### From Basic Auth to OAuth434**Before:**436```json437{438"headers": {439"Authorization": "Basic ${BASE64_CREDENTIALS}"440}441}442```443**After:**445```json446{447"type": "sse",448"url": "https://mcp.example.com/sse"449}450```451**Benefits:**453- Better security454- No credential management455- Automatic token refresh456- Scoped permissions457## Advanced Authentication459### Mutual TLS (mTLS)461Some enterprise services require client certificates.463**Not directly supported in MCP configuration.**465**Workaround:** Wrap in stdio server that handles mTLS:467```json469{470"secure-api": {471"command": "${CLAUDE_PLUGIN_ROOT}/servers/mtls-wrapper",472"args": ["--cert", "${CLIENT_CERT}", "--key", "${CLIENT_KEY}"],473"env": {474"API_URL": "https://secure.example.com"475}476}477}478```479### JWT Tokens481Generate JWT tokens dynamically with headers helper:483```bash485#!/bin/bash486# generate-jwt.sh487# Generate JWT (using library or API call)489JWT=$(generate-jwt-token)490echo "{\"Authorization\": \"Bearer $JWT\"}"492```493```json495{496"headersHelper": "${CLAUDE_PLUGIN_ROOT}/scripts/generate-jwt.sh"497}498```499### HMAC Signatures501For APIs requiring request signing:503```bash505#!/bin/bash506# generate-hmac.sh507TIMESTAMP=$(date -Iseconds)509SIGNATURE=$(echo -n "$TIMESTAMP" | openssl dgst -sha256 -hmac "$SECRET_KEY" | cut -d' ' -f2)510cat <<EOF512{513"X-Timestamp": "$TIMESTAMP",514"X-Signature": "$SIGNATURE",515"X-API-Key": "$API_KEY"516}517EOF518```519## Best Practices Summary521### For Plugin Developers5231. **Prefer OAuth** when service supports it5252. **Use environment variables** for tokens5263. **Document all required variables** in README5274. **Provide setup instructions** with examples5285. **Never commit credentials**5296. **Use HTTPS/WSS only**5307. **Test authentication thoroughly**531### For Plugin Users5331. **Set environment variables** before using plugin5352. **Keep tokens secure** and private5363. **Rotate tokens regularly**5374. **Use different tokens** for dev/prod5385. **Don't commit .env files** to git5396. **Review OAuth scopes** before authorizing540## Conclusion542Choose the authentication method that matches your MCP server's requirements:544- **OAuth** for cloud services (easiest for users)545- **Bearer tokens** for API services546- **Environment variables** for stdio servers547- **Dynamic headers** for complex auth flows548Always prioritize security and provide clear setup documentation for users.550