Auth Providers
Choose the right auth middleware for your use case:
| Scenario | Middleware | Transport |
|---|---|---|
| Manual login tool | guard() | stdio + HTTP |
| Form-based credentials | credentials() | stdio + HTTP |
| Pre-shared bearer token | bearer() | HTTP |
| JWT (e.g., from Auth0) | jwt() | HTTP |
| GitHub sign-in | github() | HTTP |
| Google sign-in | google() | HTTP |
| Custom OAuth provider | oauth() | HTTP |
stdio vs HTTP
stdio clients (Claude Desktop, Claude Code) communicate over stdin/stdout. They can display forms via elicitation but cannot open browser URLs. Use guard() or credentials().
HTTP clients send requests over the network. They support all auth strategies. Bearer tokens and JWTs are injected via the onRequest hook.
Quick Comparison
| | guard() | credentials() | bearer() | jwt() | github() | google() |
|---|---|---|---|---|---|---|
| Peer deps | — | zod | — | jose | — | — |
| User interaction | Manual login tool | Elicitation form | None (header) | None (header) | Browser redirect | Browser redirect |
| Session key | Configurable | Configurable | "user" | "user" | "user" | "user" |
| Hides tools | Yes | Yes | Yes | Yes | Yes | Yes |
| persistent | No | No | No | No | Yes | Yes |
oauth(), github(), and google() support persistent: true to store auth state in c.userStore so users don't need to re-authenticate on reconnection. See Store & Persistence.
What's Next
- Auth Flow Guide — patterns and sequence diagrams
- bearer() — token verification
- jwt() — JWT verification
- GitHub OAuth — GitHub sign-in
- Google OAuth — Google sign-in