FrontMCP implements a flexible three-tier authentication system designed for both development simplicity and production security.

Authentication Modes

FrontMCP supports three authentication modes, each designed for different deployment scenarios:

Public Mode

No authentication required. Anonymous sessions are auto-generated for all requests.
Best for: Development, testing, public APIs

Transparent Mode

Pass-through of tokens issued by an external identity provider. Clients present the upstream token directly and FrontMCP validates it against the upstream JWKS.
Best for: Existing Auth0, Okta, Azure AD integrations

Orchestrated Mode

Full OAuth 2.1 authorization server. Can be self-contained (local) or proxy to an upstream IdP (remote).
Best for: Multi-app scenarios, federated auth, progressive authorization

Quick Mode Selection

| Scenario | Recommended mode | Why |
|---|---|---|
| Local development | public | No setup required |
| Existing IdP (Auth0, Okta) | transparent | Direct token pass-through |
| Multi-provider federation | orchestrated (remote) | Unified session, multiple IdPs |
| Self-contained auth | orchestrated (local) | Full control, built-in OAuth server |

Configuration Levels

Authentication can be configured at two levels: once on the server, where it applies to every app, or per app.
Server level: apply the same auth configuration to all apps:
@FrontMcp({
  info: { name: 'MyServer', version: '1.0.0' },
  apps: [BillingApp, AnalyticsApp],
  auth: {
    mode: 'orchestrated',   // FrontMCP acts as the OAuth 2.1 authorization server
    type: 'local',          // self-contained; 'remote' proxies to an upstream IdP instead
    consent: { enabled: true },
  },
})
export class Server {}
When using splitByApp: true, you must configure auth per app; server-level auth is not allowed.

OAuth 2.1 Compliance

FrontMCP’s orchestrated mode is OAuth 2.1 compliant:
PKCE Required - only the S256 code_challenge_method is accepted; plain is rejected
Authorization Code Flow - the implicit and resource owner password grants are not offered
Refresh Token Rotation - each refresh token is single-use and replaced on every refresh
JWT Access Tokens - signed with RS256 or ES256

Session Management

Sessions determine how tokens are stored and managed:
| Session mode | Token storage | Refresh | Multi-instance |
|---|---|---|---|
| Stateful | Server-side (Redis/memory) | Silent refresh | Requires shared storage |
| Stateless | Embedded in JWT | Client must re-auth | Works anywhere |
Use stateful sessions when working with short-lived upstream tokens. You’ll get automatic refresh without client round-trips.
auth: {
  mode: 'orchestrated',
  type: 'local',
  sessionMode: 'stateful', // or 'stateless'
  tokenStorage: {
    type: 'redis', // shared store, so every instance can refresh the same session
    config: { host: 'localhost', port: 6379 },
  },
}

Discovery Endpoints

FrontMCP exposes standard OAuth discovery endpoints:
| Endpoint | Description |
|---|---|
| /.well-known/oauth-authorization-server | OAuth 2.0 Authorization Server Metadata (RFC 8414) |
| /.well-known/jwks.json | JSON Web Key Set for token verification (RFC 7517) |
| /.well-known/oauth-protected-resource | OAuth 2.0 Protected Resource Metadata (RFC 9728) |
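Publishing the metadata is FrontMCP's side; a client still has to check what it fetched before trusting the endpoints in it. The following is an added example (not FrontMCP's own code) of that check for the RFC 8414 document. The two metadata documents and the discovery URL are constructed for the demo. The rule that the issuer in the document must reproduce the URL it was fetched from is RFC 8414 section 3.3 and is the client-side defence against authorization server mix-up; the S256-only, code-response-type and no-implicit or password-grant checks encode the OAuth 2.1 requirements stated above. RFC 8414 makes jwks_uri optional, but this check requires it because the access tokens described on this page are JWTs verified against it.

```javascript
// Added example, not FrontMCP's own code: sanity-check an RFC 8414 authorization server
// metadata document before a client trusts the endpoints it names. Documents constructed.
function checkAuthorizationServerMetadata(meta, discoveryUrl) {
  const problems = [];
  let issuer;
  try { issuer = new URL(meta.issuer); } catch { return ['issuer is missing or not a URL']; }
  if (issuer.protocol !== 'https:') problems.push('issuer must use https');
  if (issuer.search || issuer.hash) problems.push('issuer must not contain a query or fragment');

  // RFC 8414 section 3: the well-known segment is inserted between host and issuer path,
  // and section 3.3: the issuer in the document must match where it was fetched from.
  // A document that names another issuer is how a mix-up attack redirects the client.
  const path = issuer.pathname.replace(/\/$/, '');
  const expected = `${issuer.origin}/.well-known/oauth-authorization-server${path}`;
  if (expected !== discoveryUrl) problems.push(`issuer ${meta.issuer} does not match discovery URL ${discoveryUrl}`);

  // jwks_uri is optional in RFC 8414; required here because access tokens are JWTs.
  for (const field of ['authorization_endpoint', 'token_endpoint', 'jwks_uri']) {
    const v = meta[field];
    if (typeof v !== 'string' || !v.startsWith('https://')) problems.push(`${field} missing or not https`);
  }
  if (!Array.isArray(meta.response_types_supported) || !meta.response_types_supported.includes('code')) {
    problems.push('response_types_supported must include "code"');
  }
  // OAuth 2.1: PKCE is mandatory and only S256 is acceptable.
  const methods = Array.isArray(meta.code_challenge_methods_supported) ? meta.code_challenge_methods_supported : [];
  if (!methods.includes('S256')) problems.push('code_challenge_methods_supported must include S256');
  if (methods.includes('plain')) problems.push('code_challenge_methods_supported advertises plain');
  for (const g of meta.grant_types_supported || []) {
    if (g === 'implicit' || g === 'password') problems.push(`grant type ${g} is removed in OAuth 2.1`);
  }
  return problems;
}

// Two constructed documents: one as an OAuth 2.1 server should publish it, and one that
// was fetched from auth.example.com but names a different issuer and weaker settings.
function demoMetadata() {
  const discoveryUrl = 'https://auth.example.com/.well-known/oauth-authorization-server';
  const good = {
    issuer: 'https://auth.example.com',
    authorization_endpoint: 'https://auth.example.com/authorize',
    token_endpoint: 'https://auth.example.com/token',
    jwks_uri: 'https://auth.example.com/.well-known/jwks.json',
    response_types_supported: ['code'],
    grant_types_supported: ['authorization_code', 'refresh_token'],
    code_challenge_methods_supported: ['S256'],
  };
  const bad = {
    issuer: 'https://evil.example.com',
    authorization_endpoint: 'https://evil.example.com/authorize',
    token_endpoint: 'http://evil.example.com/token',
    response_types_supported: ['code', 'token'],
    grant_types_supported: ['authorization_code', 'implicit'],
    code_challenge_methods_supported: ['plain'],
  };
  return {
    good: checkAuthorizationServerMetadata(good, discoveryUrl),
    bad: checkAuthorizationServerMetadata(bad, discoveryUrl),
  };
}
```

A client that runs this once per cached metadata document, and refetches on failure rather than falling back to hard-coded endpoints, cannot be steered to a token endpoint the discovered issuer does not own.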

Next Steps