primalmotion edited this page May 13, 2025 · 3 revisions

Minibridge provides OAuth 2.0 integration for MCP servers requiring authentication. The OAuth implementation varies based on the frontend configuration. Note that OAuth support is not available when the MCP server uses stdio on the backend.

Note

This OAuth integration feature is relatively new and may not work in all OAuth scenarios due to certain assumptions in the current implementation. We are actively working to improve compatibility and remove these limitations. If you encounter an MCP server for which Minibridge cannot successfully perform OAuth authentication, please open an issue on our GitHub repository with details about your configuration and the problems you experienced.

Supported Configurations

OAuth works in the following scenarios:

  • Frontend: HTTP with Backend: HTTP
  • Frontend: Stdio with Backend: HTTP

HTTP Frontend (SSE and Streamable API)

When using an HTTP frontend, the OAuth flow works as follows:

  1. If the MCP server returns a 401 (Unauthorized) error, Minibridge forwards this error to the client.

  2. The client can then initiate the OAuth authentication process by accessing the OAuth endpoints exposed by the Minibridge frontend:

    • /register
    • /authorize
    • /token
    • /.well-known/oauth-authorization-server

  3. Minibridge forwards these requests to the backend, which then forwards them to the MCP server.

In this configuration, the client application is responsible for handling the complete OAuth authentication flow.
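
Because the client drives the flow in this configuration, the checks around /authorize and /token are the client's job as well. The Go code below is an added example, not Minibridge's own code: it builds the /authorize URL on the frontend and validates the redirect callback before producing the form for /token. The `Flow` type, the frontend address, the redirect URI, and the use of `state` and PKCE (RFC 7636, S256) are assumptions; this page does not say which parameters the MCP server requires.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// Flow is what the client keeps between /authorize and /token (hypothetical type).
type Flow struct{ Base, ClientID, Redirect, State, Verifier string }

// random returns n bytes from crypto/rand, base64url-encoded without padding.
func random(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// AuthorizeURL is the frontend /authorize URL to open in the user's browser.
func (f *Flow) AuthorizeURL() string {
	sum := sha256.Sum256([]byte(f.Verifier)) // PKCE S256 challenge
	q := url.Values{"response_type": {"code"}, "client_id": {f.ClientID},
		"redirect_uri": {f.Redirect}, "state": {f.State}, "code_challenge_method": {"S256"},
		"code_challenge": {base64.RawURLEncoding.EncodeToString(sum[:])}}
	return f.Base + "/authorize?" + q.Encode()
}

// TokenForm checks the query of the redirect callback and returns the form
// body for POST /token, or an error if the callback is not for this login.
func (f *Flow) TokenForm(cb url.Values) (url.Values, error) {
	if f.State == "" || cb.Get("state") != f.State {
		return nil, errors.New("state mismatch")
	}
	if cb.Get("code") == "" {
		return nil, fmt.Errorf("no code in callback: %q", cb.Get("error"))
	}
	return url.Values{"grant_type": {"authorization_code"}, "code": {cb.Get("code")},
		"client_id": {f.ClientID}, "redirect_uri": {f.Redirect}, "code_verifier": {f.Verifier}}, nil
}

func main() { // all values below are constructed samples
	f := Flow{"http://127.0.0.1:8000", "sample-client", "http://127.0.0.1:9999/cb", random(16), random(32)}
	fmt.Println(f.AuthorizeURL())
}
```

In a real client, `ClientID` is the value returned by the /register call, and `TokenForm` receives `r.URL.Query()` from the handler serving the redirect URI.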

Stdio Frontend

When using a Stdio frontend, Minibridge manages the OAuth process automatically:

  1. Minibridge registers a client using the /register endpoint.
  2. It opens the user's browser to access the /authorize endpoint.
  3. After user authorization, it obtains a token from the /token endpoint.
  4. This token is then sent to the backend, which forwards it to the MCP server via the Authorization header.

Note

If you use authentication flags on the frontend (--agent-token, or --agent-user and --agent-pass), Minibridge will not attempt to perform the OAuth authentication flow.

Token Storage

Authentication tokens obtained through the OAuth process are securely stored in the operating system's keychain for future use. Tokens are stored using the MCP server as the key, allowing Minibridge to maintain separate tokens for multiple MCP servers simultaneously.
