Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.agentfront.dev/llms.txt

Use this file to discover all available pages before exploring further.

Overview

import { AuthRegistry } from '@frontmcp/sdk';

// Access via scope
const auth = scope.authProviders;

// Get primary auth provider
const primary = auth.getPrimary();

// Get all auth providers
const providers = auth.getAuthProviders();

Methods

getPrimary()

Get the primary auth provider. 
getPrimary(): FrontMcpAuth
Example: 
const auth = registry.getPrimary();

// Check if user is authenticated
const isAuth = await auth.isAuthenticated(request);

// Get current user
const user = await auth.getUser(request);

getAuthProviders()

Get all auth provider entries. 
getAuthProviders(): ReadonlyArray<AuthProviderEntry>
Example: 
const providers = registry.getAuthProviders();
for (const provider of providers) {
  console.log(`Provider: ${provider.name} (${provider.mode})`);
}

Auth Modes

FrontMCP supports multiple authentication modes:

Public

No authentication required

Transparent

Auth handled externally

Orchestrated

Full auth flow management

Public Mode

No authentication required: 
@FrontMcp({
  name: 'public-server',
  auth: { mode: 'public' },
})
class PublicServer { }

Transparent Mode

Auth is handled by an external system (e.g., API gateway): 
@FrontMcp({
  name: 'transparent-server',
  auth: {
    mode: 'transparent',
    headerName: 'X-User-Id',
  },
})
class TransparentServer { }

Orchestrated Mode

Full auth flow with OAuth support: 
@FrontMcp({
  name: 'orchestrated-server',
  auth: {
    mode: 'local',
    providers: ['google', 'github'],
    sessionStore: 'redis',
  },
})
class OrchestratedServer { }

Properties

primary

The primary auth provider instance (FrontMcpAuth).

parsedOptions

The parsed authentication configuration.

requiresOrchestration

Whether the current configuration requires orchestration. 
if (registry.requiresOrchestration) {
  // Setup OAuth callbacks, session management, etc.
}

detection

Auth provider detection result across apps in scope. 
interface AuthProviderDetectionResult {
  hasAuth: boolean;
  modes: AuthMode[];
  providers: string[];
}

Auth Provider Detection

The registry detects auth requirements across the scope hierarchy: 
// Check detection result
const detection = registry.detection;

if (detection.hasAuth) {
  console.log(`Modes: ${detection.modes.join(', ')}`);
  console.log(`Providers: ${detection.providers.join(', ')}`);
}

Context Extensions

Orchestrated auth installs context extensions: 
@Tool({ name: 'protected_tool', inputSchema: {} })
class ProtectedTool extends ToolContext {
  async execute() {
    // Auth context extension
    const user = this.auth.getUser();
    const token = this.auth.getAccessToken();
  }
}

Configuration Validation

The registry validates auth configuration: 
// Invalid configuration throws
@FrontMcp({
  auth: {
    mode: 'local',
    providers: [], // Error: No providers specified
  },
})
class InvalidServer { }

FrontMcpAuth API

The primary auth provider exposes: 
interface FrontMcpAuth {
  // Check authentication
  isAuthenticated(request: Request): Promise<boolean>;

  // Get user info
  getUser(request: Request): Promise<User | null>;

  // Get access token
  getAccessToken(request: Request): Promise<string | null>;

  // Handle OAuth callback
  handleCallback(request: Request): Promise<AuthResult>;

  // Logout
  logout(request: Request): Promise<void>;
}

Session Integration

Auth integrates with session management: 
@FrontMcp({
  auth: {
    mode: 'local',
    sessionStore: {
      provider: 'redis',
      host: 'localhost',
      keyPrefix: 'auth:session:',
    },
  },
})
class SecureServer { }

Multi-App Auth

When multiple apps have different auth requirements: 
@FrontMcp({
  name: 'server',
  apps: [PublicApp, ProtectedApp],
})
class MultiAuthServer { }

// The registry detects mixed auth modes
const detection = scope.authProviders.detection;
// detection.modes = ['public', 'orchestrated']

FrontMcpAuthContext

The FrontMcpAuthContext is a request-scoped auth identity object available inside tool, resource, and prompt execution. It provides role, permission, and scope checks extracted from JWT claims. 
import type { FrontMcpAuthContext } from '@frontmcp/auth';

Properties

PropertyTypeDescription
userFrontMcpAuthUserResolved user identity (sub, name, email, picture)
isAnonymousbooleanTrue when sub starts with anon: or is empty
modestringAuthentication mode (public, transparent, orchestrated)
sessionIdstringSession identifier (empty string if no session)
scopesreadonly string[]OAuth scopes granted to this session
claimsReadonly<Record<string, unknown>>Raw JWT claims
rolesreadonly string[]Resolved roles (via claimsMapping or direct extraction)
permissionsreadonly string[]Resolved permissions (via claimsMapping or direct)

Methods

MethodSignatureDescription
hasRole(role: string) => booleanCheck if user has a specific role
hasAllRoles(roles: readonly string[]) => booleanCheck if user has ALL specified roles
hasAnyRole(roles: readonly string[]) => booleanCheck if user has at least one role
hasPermission(permission: string) => booleanCheck if user has a specific permission
hasAllPermissions(permissions: readonly string[]) => booleanCheck if user has ALL specified permissions
hasAnyPermission(permissions: readonly string[]) => booleanCheck if user has at least one permission
hasScope(scope: string) => booleanCheck if session has a specific OAuth scope
hasAllScopes(scopes: readonly string[]) => booleanCheck if session has ALL specified scopes
hasAnyScope(scopes: readonly string[]) => booleanCheck if session has at least one scope

Extension

Add custom typed fields via global interface augmentation: 
declare global {
  interface ExtendFrontMcpAuthContext {
    tenantId: string;
    orgName: string;
  }
}
Custom fields are populated by AuthContextPipe functions registered in your server config.
FrontMcpAuthContext vs Authorization: FrontMcpAuthContext is request-scoped and provides roles, permissions, and scopes from JWT claims. The Authorization interface is transport-scoped and tracks authorized tools, prompts, apps, and provider tokens. Use FrontMcpAuthContext for role/permission checks; use Authorization for tool/app access control.