{
  "id": "kriasoft-oauth-callback",
  "name": "oauth-callback",
  "homepage": "https://kriasoft.com/oauth-callback/",
  "repo_url": "https://github.com/kriasoft/oauth-callback",
  "category": "auth",
  "subcategories": [],
  "tags": [
    "authentication",
    "authorization",
    "oauth",
    "oauth2",
    "authorization-code",
    "pkce",
    "localhost",
    "cli",
    "desktop-app",
    "mcp",
    "model-context-protocol",
    "typescript",
    "nodejs",
    "deno",
    "bun"
  ],
  "what_it_does": "Provides a lightweight OAuth 2.0 authorization-code callback handler by spinning up a temporary localhost HTTP server to receive the redirect, returning the authorization code (and state/extra query params). Also includes an MCP (Model Context Protocol) SDK integration via a browserAuth provider with configurable token storage (in-memory or file-based) and support for dynamic client registration.",
  "use_cases": [
    "CLI tools needing an interactive OAuth authorization code flow with a local redirect URI",
    "Desktop/local apps capturing OAuth callbacks on localhost",
    "Development environments and demos that need a quick OAuth code capture utility",
    "MCP-based apps needing an MCP-compatible OAuth provider for browser flows",
    "OAuth flows requiring PKCE compatibility via authorization server behavior"
  ],
  "not_for": [
    "Server-side web apps needing hosted callback endpoints (it is designed for localhost capture)",
    "Highly concurrent production OAuth callback handling for multi-tenant servers",
    "Use cases where strong token storage/rotation, secure enclave, or HSM-backed secrets are required by policy"
  ],
  "best_when": "You need an easy, local-only redirect handler for OAuth authorization-code flows (especially for CLI/desktop), optionally integrated as an MCP OAuth provider.",
  "avoid_when": "You cannot bind to localhost or where your environment blocks opening local loopback ports; also avoid for security-sensitive deployments without reviewing token file permissions and threat model.",
  "alternatives": [
    "node-oauth2 (authorization-code flows; more manual callback handling)",
    "openid-client (robust OAuth/OIDC client but more setup)",
    "simple-oauth2 (various grant flows; local callback capture not as turnkey)",
    "oauth2-server or custom Express/Koa callback endpoints",
    "MCP SDK examples for auth providers (roll your own if this package doesn’t fit)"
  ],
  "af_score": 64.2,
  "security_score": 70.5,
  "reliability_score": 41.2,
  "package_type": "mcp_server",
  "discovery_source": ["github"],
  "priority": "high",
  "status": "evaluated",
  "version_evaluated": null,
  "last_evaluated": "2026-03-30T15:41:56.888769+00:00",
  "interface": {
    "has_rest_api": false,
    "has_graphql": false,
    "has_grpc": false,
    "has_mcp_server": false,
    "mcp_server_url": null,
    "has_sdk": true,
    "sdk_languages": ["TypeScript", "JavaScript (TS-first)"],
    "openapi_spec_url": null,
    "webhooks": false
  },
  "auth": {
    "methods": [
      "authorization-code redirect capture on localhost",
      "OAuth error handling via OAuthError",
      "MCP browserAuth OAuth provider (uses MCP SDK transports)"
    ],
    "oauth": true,
    "scopes": true,
    "notes": "Authentication is OAuth2 authorization-code based via a user’s browser redirect to a local callback URL. For MCP browserAuth, the library can accept clientId/clientSecret or perform Dynamic Client Registration (DCR) per README."
  },
  "pricing": {
    "model": null,
    "free_tier_exists": false,
    "free_tier_limits": null,
    "paid_tiers": [],
    "requires_credit_card": false,
    "estimated_workload_costs": null,
    "notes": "Package is a library; no direct pricing info in provided content."
  },
  "requirements": {
    "requires_signup": false,
    "requires_credit_card": false,
    "domain_verification": false,
    "data_residency": [],
    "compliance": [],
    "min_contract": null
  },
  "agent_readiness": {
    "af_score": 64.2,
    "security_score": 70.5,
    "reliability_score": 41.2,
    "mcp_server_quality": 20.0,
    "documentation_accuracy": 85.0,
    "error_message_quality": null,
    "error_message_notes": "README states OAuthError is thrown for OAuth provider errors and includes OAuth error code/description/uri fields; also mentions timeout/aborted errors, but does not show full error code taxonomy or examples for all failure modes.",
    "auth_complexity": 70.0,
    "rate_limit_clarity": 0.0,
    "tls_enforcement": 70.0,
    "auth_strength": 80.0,
    "scope_granularity": 60.0,
    "dependency_hygiene": 50.0,
    "secret_handling": 85.0,
    "security_notes": "Design goal is a localhost-only temporary callback server and claims of no credential logging. OAuthError encapsulation suggests OAuth error details are surfaced but tokens/codes are reportedly not logged. Security depends on correct state handling, token store implementation/permissions (especially fileStore()), and ensuring localhost-only binding is correctly enforced at runtime.",
    "uptime_documented": 0.0,
    "version_stability": 55.0,
    "breaking_changes_history": 50.0,
    "error_recovery": 60.0,
    "idempotency_support": "false",
    "idempotency_notes": "getAuthCode is inherently event-driven (waits for a single callback) and is not naturally idempotent across retries without careful handling of authorization server state and local server reuse.",
    "pagination_style": "none",
    "retry_guidance_documented": false,
    "known_agent_gotchas": [
      "Ensure redirect_uri matches the localhost callback URL (port/hostname/path) configured in getAuthCode and the OAuth provider.",
      "If using default port 3000, handle port-in-use conflicts by configuring port/hostname.",
      "When using fileStore(), token files may persist across runs; be mindful of permissions and namespace (storeKey).",
      "OAuth providers may require PKCE/state; pass/validate state to prevent CSRF as recommended by README (implementation details not fully shown here)."
    ]
  }
}