MCP

Issue resource-bound bearer tokens for MCP clients and servers.

The MCP plugin issues JWT access tokens with OAuth Resource Indicator semantics. It uses the OAuth client registry for client lookup and the JWT plugin signing keys for token issuance.

Installation

uv add kernia authlib

Import path

from kernia.plugins.jwt import jwt
from kernia.plugins.mcp import MCPOptions, mcp

Server configuration

auth.py
import os

from kernia import KerniaOptions
from kernia.auth import init
from kernia.plugins.jwt import jwt
from kernia.plugins.mcp import MCPOptions, mcp

from .db import adapter

auth = init(KerniaOptions(
    database=adapter,
    secret=os.environ["KERNIA_SECRET"],
    base_url=os.environ["KERNIA_BASE_URL"],
    base_path="/api/auth",
    plugins=(
        jwt(),
        mcp(MCPOptions(issuer=os.environ["KERNIA_BASE_URL"])),
    ),
))

API routes

POST /api/auth/mcp/authorize

Issues a bearer token for a client, scope string, and optional resource audience.

GET /api/auth/.well-known/oauth-authorization-server

Returns MCP/OAuth discovery metadata including issuer, token endpoint, JWKS URI, scopes, and resource-indicator support.

Schema impact

The plugin adds no MCP-specific table. It reads OAuth clients and uses the JWT plugin signing keys.

Behavior and options

  • MCPOptions.issuer should match the public auth base URL.
  • Tokens include sub, iss, aud, client_id, scope, jti, and optional resource.
  • Downstream MCP servers should verify the token and expected resource with introspect_mcp_token.
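
The resource check a downstream MCP server makes, as an added example that is not Kernia code and does not call introspect_mcp_token (its signature is not shown on this page). It assumes the token's signature and expiry have already been verified; check_resource_binding, the URLs and the claim values are hypothetical and constructed for illustration.

```python
from typing import Iterable

# Constructed sample values; none of these come from the Kernia docs.
ISSUER = "https://auth.example.test"
THIS_SERVER = "https://mcp.example.test/files"


def _as_set(value) -> set:
    """aud may be a single string or a list of strings (RFC 7519)."""
    if value is None:
        return set()
    if isinstance(value, str):
        return {value}
    return set(value)


def check_resource_binding(claims: dict, issuer: str, resource: str,
                           required_scopes: Iterable[str] = ()) -> tuple[bool, str]:
    """Validate claims from a token whose signature is ALREADY verified."""
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    # Exact string match: a token minted for another server must not pass.
    if resource not in _as_set(claims.get("aud")):
        return False, "audience does not include this resource"
    # The resource claim is optional; when present it must agree as well.
    bound = claims.get("resource")
    if bound is not None and resource not in _as_set(bound):
        return False, "resource claim names a different server"
    # scope is a space-delimited string.
    granted = set(str(claims.get("scope", "")).split())
    missing = sorted(set(required_scopes) - granted)
    if missing:
        return False, "missing scope: " + " ".join(missing)
    return True, "ok"


# Constructed claim sets using the claim names listed above.
GOOD = {"sub": "user-1", "iss": ISSUER, "aud": THIS_SERVER, "client_id": "cli-1",
        "scope": "files:read files:write", "jti": "t-1", "resource": THIS_SERVER}
OTHER_SERVER = dict(GOOD, aud="https://mcp.example.test/mail",
                    resource="https://mcp.example.test/mail")

if __name__ == "__main__":
    for name, c in (("good", GOOD), ("other-server", OTHER_SERVER)):
        print(name, check_resource_binding(c, ISSUER, THIS_SERVER, ["files:read"]))
```

A token that is validly signed by the issuer but was issued for a different MCP server fails the audience check, which is the property resource-bound tokens exist to provide.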