Implementing OAuth for Streamable HTTP Server & Client without PKCE
@asibyl
About Implementing OAuth for Streamable HTTP Server & Client without PKCE
MCP Streamable HTTP Server with Device Flow OAuth
Basic information
Config
Add this server to your MCP-compatible client using the configuration below.
{
"mcpServers": {
"streamable-http-server": {
"command": "npx",
"args": [
"tsx",
"server/index_streamable.ts"
],
"env": {
"GITHUB_CLIENT_ID": "",
"GITHUB_CLIENT_SECRET": ""
}
}
}
}Tools
No tools detected
We auto-extract tools from the README. The maintainer can list them under a ## Tools heading to populate this section.
Overview
What is Implementing OAuth for Streamable HTTP Server & Client without PKCE?
A reference implementation that adds OAuth support to the Streamable HTTP Server and Client using the device authorization grant flow (device flow) instead of browser-based redirects. It integrates with GitHub as the OAuth provider and is intended for developers who need headless OAuth authentication for MCP (Model Context Protocol) servers.
How to use Implementing OAuth for Streamable HTTP Server & Client without PKCE?
Clone the repository, install dependencies with npm install, set the GITHUB_CLIENT_ID and GITHUB_CLIENT_SECRET environment variables from a GitHub OAuth App that has "Enable Device Flow" selected, then start the server with npx tsx server/index_streamable.ts and the client with npx tsx client/client.ts.
Key features of Implementing OAuth for Streamable HTTP Server & Client without PKCE
- Streamable HTTP Server with OAuth device flow support
- Streamable HTTP Client with headless OAuth support
- Replaces browser-based OAuth with device code flow
- No PKCE required due to device flow security
- Uses GitHub as the OAuth provider
Use cases of Implementing OAuth for Streamable HTTP Server & Client without PKCE
- Automating MCP server OAuth without an interactive browser
- Running OAuth flows in headless environments or CI/CD
- Testing Streamable HTTP OAuth without the MCP Inspector
FAQ from Implementing OAuth for Streamable HTTP Server & Client without PKCE
Why is PKCE not used?
Device flow does not require PKCE because there is no redirect or client-side code handling. The user interacts directly with GitHub, and all token exchange happens server-to-server. The device code is short-lived and tied to the requesting client.
What runtime dependencies are required?
Node.js, npm, and tsx for running TypeScript files.
How do I configure the GitHub OAuth app?
Go to GitHub Developer Settings, create an OAuth App, set a callback URL (e.g., http://localhost), and enable "Device Flow". Note the Client ID and Client Secret, then set them as environment variables.
Can I use a different OAuth provider?
The README only documents configuration with GitHub. The implementation is tied to GitHub’s device flow endpoint.
Where are tokens and sessions stored?
The server stores access tokens and session tokens in its own token store (in-memory). No persistent storage is described.
More Developer Tools MCP servers
FastAPI-MCP
tadata-orgExpose your FastAPI endpoints as Model Context Protocol (MCP) tools, with Auth!
MCP Framework
QuantGeekDevThe Typescript MCP Framework
Deepwiki MCP Server
regenrek📖 MCP server for fetch deepwiki.com and get latest knowledge in Cursor and other Code Editors
MCP-Bridge
SecretiveShellA middleware to provide an openAI compatible endpoint that can call MCP tools
test
prysmaticlabsGo implementation of Ethereum proof of stake
Comments