MCP OAuth Server — Next.js PoC

A fully stateless Model Context Protocol server protected by OAuth 2.0 with Dynamic Client Registration and PKCE. No database, no in-memory state — every artifact (client_id, authorization code, access token) is a self-contained HMAC-signed token.

Connect from Claude Code

claude mcp add --transport http mcp-oauth https://mcp-oauth-server-next.vercel.app/api/mcp

Claude Code performs the discovery → registration → authorize → token flow automatically. Sign in with demo / demo when the browser opens.

Endpoints

• https://mcp-oauth-server-next.vercel.app/.well-known/oauth-protected-resource
• https://mcp-oauth-server-next.vercel.app/.well-known/oauth-authorization-server
• https://mcp-oauth-server-next.vercel.app/api/oauth/register — DCR
• https://mcp-oauth-server-next.vercel.app/api/oauth/authorize — login & consent
• https://mcp-oauth-server-next.vercel.app/api/oauth/token — token exchange
• https://mcp-oauth-server-next.vercel.app/api/mcp — MCP (Bearer required)

Proof of concept only. The signing secret and credentials are public and hardcoded.