oauth-callback
Provides a lightweight OAuth 2.0 authorization-code callback handler by spinning up a temporary localhost HTTP server to receive the redirect, returning the authorization code (and state/extra query params). Also includes an MCP (Model Context Protocol) SDK integration via a browserAuth provider with configurable token storage (in-memory or file-based) and support for dynamic client registration.
Score Breakdown
🔒 Security
The design goal is a localhost-only temporary callback server, and the project claims that credentials are not logged. The OAuthError encapsulation suggests that OAuth error details are surfaced, while tokens and codes are reportedly not logged. Security depends on correct state handling, on the token store implementation and its permissions (especially fileStore()), and on localhost-only binding being correctly enforced at runtime.
Best When
You need an easy, local-only redirect handler for OAuth authorization-code flows (especially for CLI/desktop), optionally integrated as an MCP OAuth provider.
Avoid When
You cannot bind to localhost, or your environment blocks opening local loopback ports; also avoid it for security-sensitive deployments unless you have reviewed the token file permissions and the threat model.
Use Cases
- CLI tools needing an interactive OAuth authorization code flow with a local redirect URI
- Desktop/local apps capturing OAuth callbacks on localhost
- Development environments and demos that need a quick OAuth code capture utility
- MCP-based apps needing an MCP-compatible OAuth provider for browser flows
- OAuth flows requiring PKCE compatibility via authorization server behavior
Not For
- Server-side web apps needing hosted callback endpoints (it is designed for localhost capture)
- Highly concurrent production OAuth callback handling for multi-tenant servers
- Use cases where strong token storage/rotation, secure enclave, or HSM-backed secrets are required by policy
Interface
Authentication
Authentication is OAuth2 authorization-code based via a user’s browser redirect to a local callback URL. For MCP browserAuth, the library can accept clientId/clientSecret or perform Dynamic Client Registration (DCR) per README.
Pricing
Package is a library; no direct pricing info in provided content.
Agent Metadata
Known Gotchas
- ⚠ Ensure redirect_uri matches the localhost callback URL (port/hostname/path) configured in getAuthCode and the OAuth provider.
- ⚠ If using default port 3000, handle port-in-use conflicts by configuring port/hostname.
- ⚠ When using fileStore(), token files may persist across runs; be mindful of permissions and namespace (storeKey).
- ⚠ OAuth providers may require PKCE/state; pass/validate state to prevent CSRF as recommended by README (implementation details not fully shown here).
Scores are editorial opinions as of 2026-03-30.