OAuthProxyConfig

Configuration for an OAuthProxy.

Members

Functions

authorizeEndpoint
string authorizeEndpoint()

The proxy's own authorization endpoint (what it advertises to clients).

callbackUrl
string callbackUrl()

The proxy's fixed upstream redirect URI (baseUrl + redirectPath), registered with the IdP.

consentEndpoint
string consentEndpoint()

The proxy's own consent endpoint, which serves the confused-deputy consent screen and handles the approval action. Not advertised in OAuth metadata; used by the HTTP mount.

registrationEndpoint
string registrationEndpoint()

The proxy's own dynamic client registration (DCR) endpoint.

toResourceServer
ResourceServerConfig toResourceServer()

Collapses this proxy config into the single auth object the transport accepts (StreamableHttpOptions.auth / mountMcp), so an OAuthProxy preset goes through the same entry point as jwtResourceServer and the JWKS presets, with no re-typing of resource or scopes. The validator is the configured tokenVerifier (it fails closed when none is set). The proxy's own baseUrl is advertised as the sole authorization server, because it fronts the upstream IdP, and resource and scopesSupported are mirrored.

tokenEndpoint
string tokenEndpoint()

The proxy's own token endpoint.

Variables

baseUrl
string baseUrl;

The proxy's own public base URL, including any mount path (e.g. https://mcp.example.com). Used to construct the proxy's fixed callback URL and as the issuer in the authorization server (AS) metadata it publishes.

consentPath
string consentPath;

The path on the proxy at which the user-consent screen is served and the consent-approval action is handled (confused-deputy mitigation). A dynamically-registered client is not forwarded to the upstream until the user approves it here. Defaults to /consent.

redirectPath
string redirectPath;

The path on the proxy at which the upstream redirects back after authorization. Combined with baseUrl to form the fixed upstream redirect URI. Defaults to /auth/callback.

resource
string resource;

The RFC 8707 canonical resource identifier of the MCP server, advertised in the protected resource metadata (PRM) document and forwarded to the upstream as the resource parameter so that issued tokens are audience-bound to this server.

scopesSupported
string[] scopesSupported;

The scopes advertised in the metadata documents the proxy publishes.

tokenEndpointAuthMethod
TokenEndpointAuthMethod tokenEndpointAuthMethod;

How the proxy authenticates to the upstream token endpoint. Defaults to client_secret_post (credentials in the form body); set to client_secret_basic to send them via the HTTP Basic header.

tokenVerifier
TokenValidator tokenVerifier;

Validates an upstream access token, mapping it to a TokenInfo. Plug in introspectionVerifier, jwtVerifier, or staticVerifier. Required to enforce auth on incoming MCP requests.

upstreamAuthorizationEndpoint
string upstreamAuthorizationEndpoint;

The upstream IdP's authorization endpoint (e.g. https://github.com/login/oauth/authorize). Clients are redirected here.

upstreamClientId
string upstreamClientId;

The fixed upstream client_id of the OAuth application pre-registered with the IdP. Handed to every MCP client at DCR time.

upstreamClientSecret
string upstreamClientSecret;

The fixed upstream client_secret. May be empty for public PKCE clients.

upstreamTokenEndpoint
string upstreamTokenEndpoint;

The upstream IdP's token endpoint (e.g. https://github.com/login/oauth/access_token). The proxy exchanges codes here using the fixed upstream credentials.
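
How consentPath, redirectPath, resource and the fixed upstream client fit together at the authorization endpoint, as an added Python model that is not this library's code or API. ProxyModel, its methods, the per-user approval key, the proxy-generated state and the sample URLs are assumptions made for illustration; only the configuration key names come from the members documented above.

```python
import secrets
from urllib.parse import urlencode

# Constructed sample values; keys mirror the OAuthProxyConfig members above.
CFG = {
    "baseUrl": "https://mcp.example.com",
    "consentPath": "/consent",
    "redirectPath": "/auth/callback",
    "resource": "https://mcp.example.com",
    "upstreamAuthorizationEndpoint": "https://idp.example.com/authorize",
    "upstreamClientId": "fixed-upstream-client",
}

class ProxyModel:
    """Hypothetical model of the consent gate (PKCE and token exchange omitted)."""

    def __init__(self, cfg):
        self.cfg = cfg
        self.clients = {}      # DCR client_id -> redirect_uri given at registration
        self.approved = set()  # (user, client_id) pairs approved on the consent screen
        self.pending = {}      # proxy state -> (client_id, redirect_uri, client state)

    def register(self, client_id, redirect_uri):
        self.clients[client_id] = redirect_uri

    def approve(self, user, client_id):
        self.approved.add((user, client_id))

    def authorize(self, user, client_id, redirect_uri, state):
        """Return (HTTP status, Location) for an authorization request."""
        # Exact-match the redirect URI against what this client registered.
        if client_id not in self.clients or self.clients[client_id] != redirect_uri:
            return 400, None
        if (user, client_id) not in self.approved:
            # Every client shares upstreamClientId, so the upstream cannot tell
            # them apart; the proxy asks the user about this client itself.
            query = urlencode({"client_id": client_id, "state": state})
            return 302, self.cfg["baseUrl"] + self.cfg["consentPath"] + "?" + query
        # Approved: go upstream with the fixed client_id, callback URL and resource.
        proxy_state = secrets.token_urlsafe(16)
        self.pending[proxy_state] = (client_id, redirect_uri, state)
        query = urlencode({
            "response_type": "code",
            "client_id": self.cfg["upstreamClientId"],
            "redirect_uri": self.cfg["baseUrl"] + self.cfg["redirectPath"],
            "resource": self.cfg["resource"],
            "state": proxy_state,
        })
        return 302, self.cfg["upstreamAuthorizationEndpoint"] + "?" + query
```

The upstream only ever sees the one callback URL registered with the IdP; the client's own redirect_uri stays in the proxy's pending table until the upstream redirects back.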