MCP.so
Sign In

Implementing OAuth for Streamable HTTP Server & Client without PKCE

@asibyl

About Implementing OAuth for Streamable HTTP Server & Client without PKCE

MCP Streamable HTTP Server with Device Flow OAuth

Basic information

Category

Developer Tools

Runtime

node

Transports

stdio

Publisher

asibyl

Config

Add this server to your MCP-compatible client using the configuration below.

{
  "mcpServers": {
    "streamable-http-server": {
      "command": "npx",
      "args": [
        "tsx",
        "server/index_streamable.ts"
      ],
      "env": {
        "GITHUB_CLIENT_ID": "",
        "GITHUB_CLIENT_SECRET": ""
      }
    }
  }
}

Tools

No tools detected

We auto-extract tools from the README. The maintainer can list them under a ## Tools heading to populate this section.

Overview

What is Implementing OAuth for Streamable HTTP Server & Client without PKCE?

A reference implementation that adds OAuth support to the Streamable HTTP Server and Client using the device authorization grant flow (device flow) instead of browser-based redirects. It integrates with GitHub as the OAuth provider and is intended for developers who need headless OAuth authentication for MCP (Model Context Protocol) servers.

How to use Implementing OAuth for Streamable HTTP Server & Client without PKCE?

Clone the repository, install dependencies with npm install, set the GITHUB_CLIENT_ID and GITHUB_CLIENT_SECRET environment variables from a GitHub OAuth App that has "Enable Device Flow" selected, then start the server with npx tsx server/index_streamable.ts and the client with npx tsx client/client.ts.

Key features of Implementing OAuth for Streamable HTTP Server & Client without PKCE

  • Streamable HTTP Server with OAuth device flow support
  • Streamable HTTP Client with headless OAuth support
  • Replaces browser-based OAuth with device code flow
  • No PKCE required due to device flow security
  • Uses GitHub as the OAuth provider

Use cases of Implementing OAuth for Streamable HTTP Server & Client without PKCE

  • Automating MCP server OAuth without an interactive browser
  • Running OAuth flows in headless environments or CI/CD
  • Testing Streamable HTTP OAuth without the MCP Inspector

FAQ from Implementing OAuth for Streamable HTTP Server & Client without PKCE

Why is PKCE not used?

Device flow does not require PKCE because there is no redirect or client-side code handling. The user interacts directly with GitHub, and all token exchange happens server-to-server. The device code is short-lived and tied to the requesting client.

What runtime dependencies are required?

Node.js, npm, and tsx for running TypeScript files.

How do I configure the GitHub OAuth app?

Go to GitHub Developer Settings, create an OAuth App, set a callback URL (e.g., http://localhost), and enable "Device Flow". Note the Client ID and Client Secret, then set them as environment variables.

Can I use a different OAuth provider?

The README only documents configuration with GitHub. The implementation is tied to GitHub’s device flow endpoint.

Where are tokens and sessions stored?

The server stores access tokens and session tokens in its own token store (in-memory). No persistent storage is described.

Comments

More Developer Tools MCP servers