FrontMCP ships a built‑in OAuth provider for first‑party scenarios for development.
Configuration
auth: {
type: 'local',
id: 'local',
name: 'Local Auth',
scopes?: string[],
grantTypes?: ('authorization_code' | 'refresh_token')[],
allowAnonymous?: boolean, // default true
consent?: boolean,
jwks?: JSONWebKeySet, // inline JWKS (optional)
signKey?: JWK | Uint8Array // private key (optional; auto‑generated if omitted)
}
Example (per app, split‑by‑app server)
@FrontMcp({
info: { name: 'Workspace', version: '1.0.0' },
auth: { type: 'local' },
apps: [DocsApp, MailApp],
splitByApp: true,
})
export default class Server {}
@App({
name: 'Docs',
})
export default class DocsApp {}
When using splitByApp: true, define auth per app; server‑level auth is not allowed.
Keys & JWKS
- Omit
signKey to auto‑generate keys (exposed via the local JWKS endpoint).
- Provide
jwks or signKey to pin keys for stable environments.
