mcp-use - The fullstack MCP framework to develop MCP Apps for ChatGPT / Claude and MCP Servers for AI Agents.

Auth0 supports two integration modes depending on whether you have access to Auth0’s Dynamic Client Registration (DCR) feature.

DCR (Built-in)
OAuth Proxy

Auth0’s built-in DCR feature is currently in Early Access. MCP clients register and authenticate directly with Auth0

To use the built-in Auth0 provider, you need to join Auth0’s Early Access program. See the Auth0 MCP Authorization Guide for details on how to get access.

Auth0 Setup

1. Configure your tenant

In the Auth0 Dashboard:

Go to Settings → Advanced and enable Resource Parameter Compatibility Profile

Promote connections to domain-level so third-party clients (like MCP Inspector) can use them:

# List connections to get their IDs
auth0 api get connections

# Promote a connection (e.g. username-password database)
auth0 api patch connections/YOUR_CONNECTION_ID --data '{"is_domain_connection": true}'

2. Create an API

auth0 api post resource-servers --data '{
  "identifier": "https://your-api.example.com",
  "name": "MCP Tools API",
  "signing_alg": "RS256",
  "token_dialect": "rfc9068_profile_authz",
  "enforce_policies": true,
  "scopes": [
    {"value": "read:data", "description": "Read data"}
  ]
}'

The rfc9068_profile_authz token dialect includes the permissions claim in access tokens, enabling scope-based access control.

3. Environment variables

MCP_USE_OAUTH_AUTH0_DOMAIN=your-tenant.auth0.com
MCP_USE_OAUTH_AUTH0_AUDIENCE=https://your-api.example.com

Configuration

import { MCPServer, oauthAuth0Provider } from 'mcp-use/server'

// Zero-config: reads MCP_USE_OAUTH_AUTH0_DOMAIN and MCP_USE_OAUTH_AUTH0_AUDIENCE
const server = new MCPServer({
  name: 'my-server',
  version: '1.0.0',
  oauth: oauthAuth0Provider()
})

await server.listen(3000)

Or pass config explicitly:

oauth: oauthAuth0Provider({
  domain: 'your-tenant.auth0.com',
  audience: 'https://your-api.example.com',

  // Disable JWT verification during development only
  verifyJwt: process.env.NODE_ENV === 'production',

  // Override advertised scopes
  scopesSupported: ['openid', 'profile', 'email', 'offline_access'],
})

Use oauthProxy with a standard Auth0 Regular Web Application - no Early Access required. Your server mediates the token exchange using pre-registered credentials.

Auth0 Setup

1. Create a Regular Web Application

In the Auth0 Dashboard:

Go to Applications → Create Application
Choose Regular Web Application
Under Allowed Callback URLs, add your MCP client’s redirect URI:
```
http://localhost:3000/inspector/oauth/callback
```
Copy the Client ID and Client Secret

2. Create an API

This gives you JWT access tokens (required - opaque tokens can’t be verified locally):

Go to APIs → Create API
Set an identifier, e.g. https://my-mcp-api/
Leave signing algorithm as RS256

3. Environment variables

AUTH0_DOMAIN=your-tenant.us.auth0.com
AUTH0_CLIENT_ID=<from Regular Web App>
AUTH0_CLIENT_SECRET=<from Regular Web App>
AUTH0_AUDIENCE=https://my-mcp-api/

Configuration

import { MCPServer, oauthProxy, jwksVerifier } from 'mcp-use/server'

const domain = process.env.AUTH0_DOMAIN!
const audience = process.env.AUTH0_AUDIENCE ?? ''

const server = new MCPServer({
  name: 'my-server',
  version: '1.0.0',
  oauth: oauthProxy({
    authEndpoint: `https://${domain}/authorize`,
    tokenEndpoint: `https://${domain}/oauth/token`,
    issuer: `https://${domain}/`,
    clientId: process.env.AUTH0_CLIENT_ID!,
    clientSecret: process.env.AUTH0_CLIENT_SECRET,
    scopes: ['openid', 'email', 'profile'],
    extraAuthorizeParams: { audience },
    verifyToken: jwksVerifier({
      jwksUrl: `https://${domain}/.well-known/jwks.json`,
      issuer: `https://${domain}/`,
      audience,
    }),
  }),
})

await server.listen(3000)

The OAuth flow in proxy mode:

Client → /register         → receives pre-registered client_id
Client → /authorize        → MCP server redirects to Auth0 /authorize
Auth0  → redirect_uri      → returns authorization code to client
Client → /token            → MCP server injects credentials, forwards to Auth0
Auth0  → access_token (JWT)→ returned to client
Client → /mcp/...          → MCP server verifies JWT via Auth0 JWKS

Accessing user info in tools

server.tool(
  {
    name: 'get-user-info',
    description: 'Get authenticated user info',
  },
  async (_args, ctx) => ({
    userId: ctx.auth.user.userId,
    email: ctx.auth.user.email,
    name: ctx.auth.user.name,
    nickname: ctx.auth.user.nickname,
    picture: ctx.auth.user.picture,
    permissions: ctx.auth.permissions,
    scopes: ctx.auth.scopes,
  })
)

Permissions

Auth0 includes permissions directly in the access token when you use the rfc9068_profile_authz token dialect. Check them in tool callbacks:

server.tool(
  {
    name: 'delete-document',
    description: 'Delete a document (requires delete:documents)',
  },
  async ({ documentId }, ctx) => {
    if (!ctx.auth.permissions?.includes('delete:documents')) {
      return { content: [{ type: 'text', text: 'Forbidden: delete:documents permission required' }], isError: true }
    }

    await db.documents.delete({ id: documentId })
    return { content: [{ type: 'text', text: 'Document deleted' }] }
  }
)

Resources

Next Steps

User Context - Access user information in tools

​Auth0 Setup

​1. Configure your tenant

​2. Create an API

​3. Environment variables

​Configuration

​Auth0 Setup

​1. Create a Regular Web Application

​2. Create an API

​3. Environment variables

​Configuration

​Accessing user info in tools

​Permissions

​Resources

​Next Steps

Auth0 Setup

1. Configure your tenant

2. Create an API

3. Environment variables

Configuration

Auth0 Setup

1. Create a Regular Web Application

2. Create an API

3. Environment variables

Configuration

Accessing user info in tools

Permissions

Resources

Next Steps