Skip to main content

Overview

import { AuthRegistry } from '@frontmcp/sdk';

// Access via scope
const auth = scope.authProviders;

// Get primary auth provider
const primary = auth.getPrimary();

// Get all auth providers
const providers = auth.getAuthProviders();

Methods

getPrimary()

Get the primary auth provider. 
getPrimary(): FrontMcpAuth
Example: 
const auth = registry.getPrimary();

// Check if user is authenticated
const isAuth = await auth.isAuthenticated(request);

// Get current user
const user = await auth.getUser(request);

getAuthProviders()

Get all auth provider entries. 
getAuthProviders(): ReadonlyArray<AuthProviderEntry>
Example: 
const providers = registry.getAuthProviders();
for (const provider of providers) {
  console.log(`Provider: ${provider.name} (${provider.mode})`);
}

Auth Modes

FrontMCP supports multiple authentication modes:

Public

No authentication required

Transparent

Auth handled externally

Orchestrated

Full auth flow management

Public Mode

No authentication required: 
@FrontMcp({
  name: 'public-server',
  auth: { mode: 'public' },
})
class PublicServer { }

Transparent Mode

Auth is handled by an external system (e.g., API gateway): 
@FrontMcp({
  name: 'transparent-server',
  auth: {
    mode: 'transparent',
    headerName: 'X-User-Id',
  },
})
class TransparentServer { }

Orchestrated Mode

Full auth flow with OAuth support: 
@FrontMcp({
  name: 'orchestrated-server',
  auth: {
    mode: 'orchestrated',
    providers: ['google', 'github'],
    sessionStore: 'redis',
  },
})
class OrchestratedServer { }

Properties

primary

The primary auth provider instance (FrontMcpAuth).

parsedOptions

The parsed authentication configuration.

requiresOrchestration

Whether the current configuration requires orchestration. 
if (registry.requiresOrchestration) {
  // Setup OAuth callbacks, session management, etc.
}

detection

Auth provider detection result across apps in scope. 
interface AuthProviderDetectionResult {
  hasAuth: boolean;
  modes: AuthMode[];
  providers: string[];
}

Auth Provider Detection

The registry detects auth requirements across the scope hierarchy: 
// Check detection result
const detection = registry.detection;

if (detection.hasAuth) {
  console.log(`Modes: ${detection.modes.join(', ')}`);
  console.log(`Providers: ${detection.providers.join(', ')}`);
}

Context Extensions

Orchestrated auth installs context extensions: 
@Tool({ name: 'protected_tool', inputSchema: {} })
class ProtectedTool extends ToolContext {
  async execute() {
    // Auth context extension
    const user = this.auth.getUser();
    const token = this.auth.getAccessToken();
  }
}

Configuration Validation

The registry validates auth configuration: 
// Invalid configuration throws
@FrontMcp({
  auth: {
    mode: 'orchestrated',
    providers: [], // Error: No providers specified
  },
})
class InvalidServer { }

FrontMcpAuth API

The primary auth provider exposes: 
interface FrontMcpAuth {
  // Check authentication
  isAuthenticated(request: Request): Promise<boolean>;

  // Get user info
  getUser(request: Request): Promise<User | null>;

  // Get access token
  getAccessToken(request: Request): Promise<string | null>;

  // Handle OAuth callback
  handleCallback(request: Request): Promise<AuthResult>;

  // Logout
  logout(request: Request): Promise<void>;
}

Session Integration

Auth integrates with session management: 
@FrontMcp({
  auth: {
    mode: 'orchestrated',
    sessionStore: {
      provider: 'redis',
      host: 'localhost',
      keyPrefix: 'auth:session:',
    },
  },
})
class SecureServer { }

Multi-App Auth

When multiple apps have different auth requirements: 
@FrontMcp({
  name: 'server',
  apps: [PublicApp, ProtectedApp],
})
class MultiAuthServer { }

// The registry detects mixed auth modes
const detection = scope.authProviders.detection;
// detection.modes = ['public', 'orchestrated']