mcp-oauth-gateway

mcp-oauth-gateway is an experimental OAuth 2.1 authorization layer for MCP servers. It fronts MCP endpoints with an OAuth authorization server (GitHub as IdP) and supports dynamic client registration, user login (web/device flows), token issuance (JWT/refresh), and forwarding/authentication for MCP HTTP transport, without modifying the upstream MCP server code (wrapping/bridging for HTTP transport is used).

Evaluated Mar 30, 2026

Category/tags: Infrastructure, mcp, oauth2, authorization-server, oauth2-1, github-oauth, reverse-proxy, openid-connect-adjacent, python, reference-implementation

⚙ Agent Friendliness: 36 / 100 (Can an agent use this?)
🔒 Security: 64 / 100 (Is it safe for agents?)
⚡ Reliability: 24 / 100 (Does it work consistently?)

Score Breakdown

⚙ Agent Friendliness

  • MCP Quality: 40
  • Documentation: 45
  • Error Messages: 0
  • Auth Simplicity: 25
  • Rate Limits: 10

🔒 Security

  • TLS Enforcement: 95
  • Auth Strength: 80
  • Scope Granularity: 45
  • Dep. Hygiene: 30
  • Secret Handling: 60

The README claims HTTPS everywhere, mandatory PKCE, GitHub OAuth, JWT bearer tokens, secure session management, and an ALLOWED_GITHUB_USERS whitelist. It also explicitly warns that the implementation is experimental, may contain bugs or vulnerabilities, and is not recommended for production without a security review. Dependency hygiene and concrete secret-handling and logging behavior cannot be verified from the provided text; Redis is exposed on localhost only for debugging, but operational security depends on deployment configuration. Scope granularity is not clearly evidenced in the supplied content.

⚡ Reliability

  • Uptime/SLA: 0
  • Version Stability: 35
  • Breaking Changes: 30
  • Error Recovery: 30

Best When

You want a reference/test platform to integrate OAuth 2.1 + GitHub identity with MCP endpoints while keeping upstream MCP servers unmodified.

Avoid When

You need a turnkey, well-audited production gateway with guaranteed stability, rigorous error semantics, and published operational guarantees.

Use Cases

  • Add OAuth-based user authentication and client registration to existing MCP servers
  • Provide a secure token-gated MCP HTTP/SSE endpoint for web/IDE clients
  • Enable multi-client MCP access with per-client redirect URI registration (RFC 7591/7592)
  • Prototype and test MCP authentication/authorization flows using GitHub login

Not For

  • Production use without thorough security review (explicitly warned in README)
  • Environments requiring strict compliance assurances or certified security properties
  • Use cases where a simpler authentication proxy is sufficient
  • Workflows that cannot accommodate OAuth redirect/callback or device flow UX

Interface

  • REST API: Yes
  • GraphQL: No
  • gRPC: No
  • MCP Server: No
  • SDK: No
  • Webhooks: No

Authentication

Methods:

  • OAuth 2.1 Authorization Server endpoints
  • Dynamic client registration (RFC 7591/7592)
  • GitHub OAuth for user authentication
  • Device flow (RFC 8628) for non-browser scenarios (per README)
  • JWT bearer access tokens for MCP endpoint access
  • Opaque refresh tokens for token refresh
  • Registration access token for client management endpoints

OAuth: Yes
Scopes: No

Auth complexity is high because the gateway includes multiple OAuth flows (registration, authorize/callback, token, revoke/introspect) plus device and web login flows, and requires client credentials at the token endpoint; token and session state are managed in Redis.

Pricing

Free tier: No
Requires CC: No

No pricing information is provided in the supplied data (appears to be a self-hosted open-source/reference implementation).

Agent Metadata

  • Pagination: none
  • Idempotent: False
  • Retry Guidance: Not documented

Known Gotchas

  • Complex OAuth lifecycle (register → authorize → callback → token → refresh/revoke) increases agent orchestration complexity.
  • State management depends on Redis TTL/keys; misconfiguration may cause hard-to-debug authorization failures.
  • Because the project is explicitly labeled experimental with possible vulnerabilities, its behaviors and edge-case error formats may not be fully standardized.


Scores are editorial opinions as of 2026-03-30.
