MCP Authentication Demo
A template for building MCP servers with optional per-tool authentication using WorkOS AuthKit and Vercel MCP adapter.
README
MCP Authentication Demo: Vercel MCP Adapter + WorkOS AuthKit
A production-ready template for building authenticated MCP servers using the Vercel MCP adapter and WorkOS AuthKit. Clone this repo, add your tools, and deploy instantly to Vercel with enterprise authentication built-in.
What This Demo Shows
Core insight: Individual tools decide if they need authentication. No global auth requirements, no complex middleware.
The Pattern
// Without auth: pure business logic
server.tool("publicData", {}, async () => {
return getPublicData();
});
// With auth: same logic + one helper call
server.tool("userData", {}, async (args, extra) => {
const user = ensureUserAuthenticated(extra.authInfo); // ← Just add this line
return getUserData(user);
});
How It Works
- Wrap your handler with
experimental_withMcpAuth:
const authHandler = experimental_withMcpAuth(handler, verifyToken, {
required: false // ← Tools decide individually
});
- Verify tokens with direct WorkOS calls:
const verifyToken = async (req: Request, bearerToken?: string) => {
if (!bearerToken) return undefined; // Allow unauthenticated requests
const { payload } = await jwtVerify(bearerToken, JWKS); // WorkOS JWT
const user = await workos.userManagement.getUser(payload.sub); // WorkOS User API
return { token: bearerToken, clientId: user.id, extra: { user } };
};
- Tools get user context through our helper:
// lib/auth/helpers.ts
export const ensureUserAuthenticated = (authInfo: AuthInfo | undefined): User => {
if (!authInfo?.extra?.user) {
throw new Error('Authentication required for this tool');
}
return authInfo.extra.user; // WorkOS user object
};
That's it! Your MCP server now has enterprise authentication with zero global auth logic.
<details> <summary>See the complete implementation</summary>
// app/mcp/route.ts - Complete authenticated MCP server
import { createMcpHandler, experimental_withMcpAuth } from "@vercel/mcp-adapter";
import { jwtVerify } from "jose";
import { ensureUserAuthenticated, isAuthenticated } from "../../lib/auth/helpers";
// Clean MCP handler - tools decide auth individually
const handler = createMcpHandler((server) => {
// Public tool
server.tool("ping", {}, async (args, extra) => {
const authenticated = isAuthenticated(extra.authInfo);
return {
content: [{
type: "text",
text: authenticated ? "Hello authenticated user!" : "Hello world!"
}]
};
});
// Private tool - decides it needs auth
server.tool("getUserProfile", {}, async (args, extra) => {
const user = ensureUserAuthenticated(extra.authInfo); // Throws if not authenticated
return {
content: [{
type: "text",
text: `Profile: ${user.email} (${user.firstName} ${user.lastName})`
}]
};
});
});
// WorkOS token verification
const verifyToken = async (req: Request, bearerToken?: string) => {
if (!bearerToken) return undefined;
try {
const { payload } = await jwtVerify(bearerToken, JWKS);
const user = await workos.userManagement.getUser(payload.sub);
return { token: bearerToken, clientId: user.id, extra: { user, claims: payload } };
} catch (error) {
return undefined;
}
};
// Authenticated handler
const authHandler = experimental_withMcpAuth(handler, verifyToken, { required: false });
export { authHandler as GET, authHandler as POST };
</details>
Result: Enterprise authentication with SSO support, automatic user context in tools, and zero-config Vercel deployment.
Ready-to-Deploy Template
This isn't just a demo—it's a complete template you can build on:
- Replace the example tools in
lib/business/examples.tswith your own business logic - Add new authenticated tools using the same pattern shown above
- Test everything locally with the built-in web interface and testing tools
- Deploy to Vercel in one command with enterprise auth already configured
Built-in Testing Interface
The template includes a complete testing interface so you can verify your tools work correctly:
Test both public and authenticated tools directly from your browser, with automatic token management and clear response formatting.
Quick Start
1. Clone and Install
git clone https://github.com/workos/vercel-mcp-example.git
cd vercel-mcp-example
pnpm install
Note: We recommend using
pnpmas it handles React 19 peer dependency warnings gracefully. If using npm, add the--legacy-peer-depsflag.
2. Set Up WorkOS
- Create a WorkOS account (free)
- Create a new project
- Get your API Key and Client ID from the dashboard
- Add
http://localhost:3000/callbackas a redirect URI in AuthKit settings
3. Configure Environment
cp .env.example .env.local
Fill in your WorkOS credentials:
WORKOS_API_KEY=sk_test_your_api_key_here
WORKOS_CLIENT_ID=client_your_client_id_here
WORKOS_COOKIE_PASSWORD=your_32_character_secure_random_string
WORKOS_REDIRECT_URI=http://localhost:3000/callback
4. Start the Demo
npm run dev
Visit http://localhost:3000 to try the authenticated MCP server!
Testing the Demo
The template includes a complete web interface for testing your MCP tools:
- Test public tools - Try
pingwithout authentication - Login with WorkOS - Use the login button to authenticate
- Test authenticated tools - Try tools like
getUserProfilethat require user context
The interface handles token management automatically and displays responses in a clean, readable format. You can also test with any MCP client by configuring it to use your local server.
Architecture
graph LR
A[MCP Client] --> B[authHandler Wrapper]
B --> C[JWT Verification]
C --> D[MCP Server Tools]
B --> E[WorkOS API]
style B fill:#ec4899,stroke:#db2777,stroke-width:2px,color:#ffffff
style D fill:#f59e0b,stroke:#d97706,stroke-width:2px,color:#ffffff
Simple flow: Client → Auth wrapper → JWT verification → Tools decide if they need user context → WorkOS API (if needed).
Code Organization
This template follows a recommended structure for scalable MCP servers:
lib/
├── auth/
│ ├── helpers.ts # ensureUserAuthenticated, isAuthenticated
│ └── types.ts # User, WorkOSAuthInfo types
├── business/
│ ├── examples.ts # Example business logic (replace with yours)
│ └── database.ts # Database connection/queries
├── mcp/
│ ├── tools/
│ │ ├── public.ts # Public tools (ping, status)
│ │ └── examples.ts # Example authenticated tools
│ └── server.ts # Main MCP server setup
└── utils/
├── validation.ts # Zod schemas
└── errors.ts # Custom error classes
Key Files
app/mcp/route.ts- The main MCP server with authenticationlib/auth/helpers.ts- Authentication helper functionslib/business/examples.ts- Example business logic (replace with yours)lib/mcp/tools/- MCP tool definitions organized by categoryapp/components/TestingSection.tsx- Built-in testing interfacelib/with-authkit.ts- WorkOS AuthKit setup
Next Steps
- Explore the code - See how the authentication pattern works
- Build your tools - Replace
lib/business/examples.tswith your business logic - Test locally - Use the built-in testing interface to verify everything works
- Deploy to production - Run
vercel deploywith your environment variables - Add advanced features - Role-based access, organization filtering, etc.
Why This Stack?
- Vercel MCP adapter: Type-safe MCP development with zero-config deployment
- WorkOS AuthKit: Enterprise authentication (SSO, user management, compliance)
- Simple Pattern: Business logic stays clean, security is declarative
Perfect for building production AI tools that need real user authentication and enterprise features.
Contributing
We welcome contributions to this project! Here's how you can help:
Development Setup
- Fork the repository
- Clone your fork:
git clone https://github.com/YOUR_USERNAME/vercel-mcp-example.git - Install dependencies:
pnpm install(ornpm install --legacy-peer-deps) - Create a branch:
git checkout -b feature/your-feature-name - Make your changes and write tests
- Run the test suite:
pnpm run test - Run linting and formatting:
pnpm run lint && pnpm run prettier - Push to your fork and submit a pull request
Guidelines
- Write clear, concise commit messages
- Add tests for new functionality
- Ensure all tests pass before submitting
- Follow the existing code style and conventions
- Update documentation as needed
Reporting Issues
Please use the GitHub Issues page to report bugs or request features.
License
This project is licensed under the MIT License - see the LICENSE file for details.
Questions? Check the WorkOS MCP docs or Vercel MCP adapter docs.
Recommended Servers
playwright-mcp
A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.
Magic Component Platform (MCP)
An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.
Audiense Insights MCP Server
Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.
VeyraX MCP
Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.
graphlit-mcp-server
The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.
Kagi MCP Server
An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.
E2B
Using MCP to run code via e2b.
Neon Database
MCP server for interacting with Neon Management API and databases
Qdrant Server
This repository is an example of how to create a MCP server for Qdrant, a vector search engine.
Exa Search
A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.