Implement OAuth 2.0 and API key authentication in your GolfMCP servers.
pre_build.py
:
get_api_key()
OAuthAuthorizationServerProvider
interface.
ProviderConfig
(golf.auth.provider.ProviderConfig
):
A Pydantic model used to define the settings for an external OAuth 2.0 identity provider (IdP). Key fields include:
provider
: A string identifying the provider (e.g., "github"
, "google"
, or "custom"
).client_id_env_var
: The name of the environment variable holding the OAuth Client ID.client_secret_env_var
: The name of the environment variable holding the OAuth Client Secret.jwt_secret_env_var
: The name of the environment variable holding the secret key for signing JWTs issued by your GolfMCP server.authorize_url
: The IdP’s authorization endpoint URL.token_url
: The IdP’s token endpoint URL.userinfo_url
(Optional): The IdP’s userinfo endpoint URL.scopes
: A list of scopes to request from the IdP (e.g., ["read:user", "openid"]
).issuer_url
: The publicly accessible base URL of your GolfMCP server. This is crucial as it’s used as the iss
(issuer) claim in JWTs your server generates and for constructing callback URLs.callback_path
: The path on your GolfMCP server where the IdP should redirect after authentication (e.g., "/auth/callback"
).token_expiration
: The lifetime (in seconds) for JWTs issued by your GolfMCP server.configure_auth
(golf.auth.configure_auth
):
A function, typically called in pre_build.py
, to register the authentication provider configuration with GolfMCP.
provider_config
and required_scopes
globally, which the build process then uses.
GolfOAuthProvider
(golf.auth.oauth.GolfOAuthProvider
):
The heart of Golf’s auth abstraction. This class implements the MCP SDK’s OAuthAuthorizationServerProvider
interface. It’s initialized with the ProviderConfig
you define.
authorize_url
.callback_path
) for tokens at the IdP’s token_url
.userinfo_url
is provided).GolfOAuthProvider
mints its own JWT. This JWT represents the user’s session with your GolfMCP server.
jwt_secret
(loaded from jwt_secret_env_var
).iss
(your server’s issuer_url
), sub
(subject, often client ID), exp
(expiration), iat
(issued at), and scp
(scopes).TokenStorage
in golf.auth.oauth
):
create_callback_handler
in golf.auth.oauth
):
This function takes a GolfOAuthProvider
instance and returns an async
HTTP request handler. The build process uses this to generate the route for your callback_path
(e.g., /auth/callback
) in the dist/server.py
. This handler processes the redirect from the IdP.
ProviderConfig
(e.g., client_id_env_var="MY_APP_CLIENT_ID"
).golf build
process, the CodeGenerator
(specifically _generate_server
and the auth-related code in builder_auth.py
) writes Python code into dist/server.py
.dist/server.py
includes lines like runtime_client_id = os.environ.get("MY_APP_CLIENT_ID")
.golf run
(or execute python dist/server.py
), the server, at startup, reads the actual secret values from the environment variables of the system it’s running on.GolfOAuthProvider
instance.dist/
directory can be safely distributed or committed (if needed, though typically dist/
is in .gitignore
) without exposing secrets. Secrets must be present in the environment where the server runs.
get_provider_token()
function (from golf.auth.helpers
) looks up the mapping between the current GolfMCP session’s access token and the stored external provider’s access token.