modelcontextprotocol
diff --git a/‎README.md‎
Lines changed: 6 additions & 7 deletions b/‎README.md‎
Lines changed: 6 additions & 7 deletions
diff --git a/‎docs/authorization.md‎
Lines changed: 174 additions & 2 deletions b/‎docs/authorization.md‎
Lines changed: 174 additions & 2 deletions
diff --git a/‎docs/client.md‎
Lines changed: 2 additions & 100 deletions b/‎docs/client.md‎
Lines changed: 2 additions & 100 deletions
diff --git a/‎docs/concepts.md‎
Lines changed: 0 additions & 13 deletions b/‎docs/concepts.md‎
Lines changed: 0 additions & 13 deletions
diff --git a/‎docs/index.md‎
Lines changed: 6 additions & 7 deletions b/‎docs/index.md‎
Lines changed: 6 additions & 7 deletions
@@ -165,13 +165,12 @@ The [Model Context Protocol (MCP)](https://modelcontextprotocol.io) lets you bui
 
 ## Documentation
 
-- [Building Servers](docs/server.md) -- tools, resources, prompts, logging, completions, sampling, elicitation, transports, ASGI mounting
-- [Writing Clients](docs/client.md) -- connecting to servers, using tools/resources/prompts, display utilities
-- [Authorization](docs/authorization.md) -- OAuth 2.1, token verification, client authentication
-- [Low-Level Server](docs/low-level-server.md) -- direct handler registration for advanced use cases
-- [Protocol Features](docs/protocol.md) -- MCP primitives, server capabilities
-- [Concepts](docs/concepts.md) -- architecture overview
-- [Testing](docs/testing.md) -- in-memory transport testing with pytest
+- [Building Servers](docs/server.md) — tools, resources, prompts, logging, completions, sampling, elicitation, transports, ASGI mounting
+- [Writing Clients](docs/client.md) — connecting to servers, using tools/resources/prompts, display utilities
+- [Authorization](docs/authorization.md) — OAuth 2.1 server-side token verification and client-side authentication
+- [Low-Level Server](docs/low-level-server.md) — direct handler registration, pagination, structured output
+- [Protocol Features](docs/protocol.md) — MCP primitives, server capabilities, negotiation
+- [Testing](docs/testing.md) — in-memory transport testing with pytest
 - [API Reference](https://modelcontextprotocol.github.io/python-sdk/api/)
 - [Experimental Features (Tasks)](https://modelcontextprotocol.github.io/python-sdk/experimental/tasks/)
 - [Model Context Protocol documentation](https://modelcontextprotocol.io)
 
@@ -1,5 +1,177 @@
 # Authorization
 
-!!! warning "Under Construction"
+MCP supports OAuth 2.1 for securing server-client communication. Servers act as Resource Servers (RS) that validate tokens, while clients obtain tokens from Authorization Servers (AS).
 
-    This page is currently being written. Check back soon for complete documentation.
+## Server-Side Authentication
+
+Authentication can be used by servers that want to expose tools accessing protected resources.
+
+`mcp.server.auth` implements OAuth 2.1 resource server functionality, where MCP servers act as Resource Servers (RS) that validate tokens issued by separate Authorization Servers (AS). This follows the [MCP authorization specification](https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization) and implements RFC 9728 (Protected Resource Metadata) for AS discovery.
+
+MCP servers can use authentication by providing an implementation of the `TokenVerifier` protocol:
+
+<!-- snippet-source examples/snippets/servers/oauth_server.py -->
+```python
+"""
+Run from the repository root:
+    uv run examples/snippets/servers/oauth_server.py
+"""
+
+from pydantic import AnyHttpUrl
+
+from mcp.server.auth.provider import AccessToken, TokenVerifier
+from mcp.server.auth.settings import AuthSettings
+from mcp.server.fastmcp import FastMCP
+
+
+class SimpleTokenVerifier(TokenVerifier):
+    """Simple token verifier for demonstration."""
+
+    async def verify_token(self, token: str) -> AccessToken | None:
+        pass  # This is where you would implement actual token validation
+
+
+# Create FastMCP instance as a Resource Server
+mcp = FastMCP(
+    "Weather Service",
+    json_response=True,
+    # Token verifier for authentication
+    token_verifier=SimpleTokenVerifier(),
+    # Auth settings for RFC 9728 Protected Resource Metadata
+    auth=AuthSettings(
+        issuer_url=AnyHttpUrl("https://auth.example.com"),  # Authorization Server URL
+        resource_server_url=AnyHttpUrl("http://localhost:3001"),  # This server's URL
+        required_scopes=["user"],
+    ),
+)
+
+
+@mcp.tool()
+async def get_weather(city: str = "London") -> dict[str, str]:
+    """Get weather data for a city"""
+    return {
+        "city": city,
+        "temperature": "22",
+        "condition": "Partly cloudy",
+        "humidity": "65%",
+    }
+
+
+if __name__ == "__main__":
+    mcp.run(transport="streamable-http")
+```
+
+_Full example: [examples/snippets/servers/oauth_server.py](https://github.com/modelcontextprotocol/python-sdk/blob/main/examples/snippets/servers/oauth_server.py)_
+<!-- /snippet-source -->
+
+For a complete example with separate Authorization Server and Resource Server implementations, see [`examples/servers/simple-auth/`](examples/servers/simple-auth/).
+
+**Architecture:**
+
+- **Authorization Server (AS)**: Handles OAuth flows, user authentication, and token issuance
+- **Resource Server (RS)**: Your MCP server that validates tokens and serves protected resources
+- **Client**: Discovers AS through RFC 9728, obtains tokens, and uses them with the MCP server
+
+See [TokenVerifier](src/mcp/server/auth/provider.py) for more details on implementing token validation.
+
+## Client-Side Authentication
+
+The SDK includes [authorization support](https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization) for connecting to protected MCP servers:
+
+<!-- snippet-source examples/snippets/clients/oauth_client.py -->
+```python
+"""
+Before running, specify running MCP RS server URL.
+To spin up RS server locally, see
+    examples/servers/simple-auth/README.md
+
+cd to the `examples/snippets` directory and run:
+    uv run oauth-client
+"""
+
+import asyncio
+from urllib.parse import parse_qs, urlparse
+
+import httpx
+from pydantic import AnyUrl
+
+from mcp import ClientSession
+from mcp.client.auth import OAuthClientProvider, TokenStorage
+from mcp.client.streamable_http import streamable_http_client
+from mcp.shared.auth import OAuthClientInformationFull, OAuthClientMetadata, OAuthToken
+
+
+class InMemoryTokenStorage(TokenStorage):
+    """Demo In-memory token storage implementation."""
+
+    def __init__(self):
+        self.tokens: OAuthToken | None = None
+        self.client_info: OAuthClientInformationFull | None = None
+
+    async def get_tokens(self) -> OAuthToken | None:
+        """Get stored tokens."""
+        return self.tokens
+
+    async def set_tokens(self, tokens: OAuthToken) -> None:
+        """Store tokens."""
+        self.tokens = tokens
+
+    async def get_client_info(self) -> OAuthClientInformationFull | None:
+        """Get stored client information."""
+        return self.client_info
+
+    async def set_client_info(self, client_info: OAuthClientInformationFull) -> None:
+        """Store client information."""
+        self.client_info = client_info
+
+
+async def handle_redirect(auth_url: str) -> None:
+    print(f"Visit: {auth_url}")
+
+
+async def handle_callback() -> tuple[str, str | None]:
+    callback_url = input("Paste callback URL: ")
+    params = parse_qs(urlparse(callback_url).query)
+    return params["code"][0], params.get("state", [None])[0]
+
+
+async def main():
+    """Run the OAuth client example."""
+    oauth_auth = OAuthClientProvider(
+        server_url="http://localhost:8001",
+        client_metadata=OAuthClientMetadata(
+            client_name="Example MCP Client",
+            redirect_uris=[AnyUrl("http://localhost:3000/callback")],
+            grant_types=["authorization_code", "refresh_token"],
+            response_types=["code"],
+            scope="user",
+        ),
+        storage=InMemoryTokenStorage(),
+        redirect_handler=handle_redirect,
+        callback_handler=handle_callback,
+    )
+
+    async with httpx.AsyncClient(auth=oauth_auth, follow_redirects=True) as custom_client:
+        async with streamable_http_client("http://localhost:8001/mcp", http_client=custom_client) as (read, write, _):
+            async with ClientSession(read, write) as session:
+                await session.initialize()
+
+                tools = await session.list_tools()
+                print(f"Available tools: {[tool.name for tool in tools.tools]}")
+
+                resources = await session.list_resources()
+                print(f"Available resources: {[r.uri for r in resources.resources]}")
+
+
+def run():
+    asyncio.run(main())
+
+
+if __name__ == "__main__":
+    run()
+```
+
+_Full example: [examples/snippets/clients/oauth_client.py](https://github.com/modelcontextprotocol/python-sdk/blob/main/examples/snippets/clients/oauth_client.py)_
+<!-- /snippet-source -->
+
+For a complete working example, see [`examples/clients/simple-auth-client/`](examples/clients/simple-auth-client/).
@@ -215,107 +215,9 @@ The `get_display_name()` function implements the proper precedence rules for dis
 
 This ensures your client UI shows the most user-friendly names that servers provide.
 
-## OAuth Authentication for Clients
+## OAuth Authentication
 
-The SDK includes [authorization support](https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization) for connecting to protected MCP servers:
-
-<!-- snippet-source examples/snippets/clients/oauth_client.py -->
-```python
-"""
-Before running, specify running MCP RS server URL.
-To spin up RS server locally, see
-    examples/servers/simple-auth/README.md
-
-cd to the `examples/snippets` directory and run:
-    uv run oauth-client
-"""
-
-import asyncio
-from urllib.parse import parse_qs, urlparse
-
-import httpx
-from pydantic import AnyUrl
-
-from mcp import ClientSession
-from mcp.client.auth import OAuthClientProvider, TokenStorage
-from mcp.client.streamable_http import streamable_http_client
-from mcp.shared.auth import OAuthClientInformationFull, OAuthClientMetadata, OAuthToken
-
-
-class InMemoryTokenStorage(TokenStorage):
-    """Demo In-memory token storage implementation."""
-
-    def __init__(self):
-        self.tokens: OAuthToken | None = None
-        self.client_info: OAuthClientInformationFull | None = None
-
-    async def get_tokens(self) -> OAuthToken | None:
-        """Get stored tokens."""
-        return self.tokens
-
-    async def set_tokens(self, tokens: OAuthToken) -> None:
-        """Store tokens."""
-        self.tokens = tokens
-
-    async def get_client_info(self) -> OAuthClientInformationFull | None:
-        """Get stored client information."""
-        return self.client_info
-
-    async def set_client_info(self, client_info: OAuthClientInformationFull) -> None:
-        """Store client information."""
-        self.client_info = client_info
-
-
-async def handle_redirect(auth_url: str) -> None:
-    print(f"Visit: {auth_url}")
-
-
-async def handle_callback() -> tuple[str, str | None]:
-    callback_url = input("Paste callback URL: ")
-    params = parse_qs(urlparse(callback_url).query)
-    return params["code"][0], params.get("state", [None])[0]
-
-
-async def main():
-    """Run the OAuth client example."""
-    oauth_auth = OAuthClientProvider(
-        server_url="http://localhost:8001",
-        client_metadata=OAuthClientMetadata(
-            client_name="Example MCP Client",
-            redirect_uris=[AnyUrl("http://localhost:3000/callback")],
-            grant_types=["authorization_code", "refresh_token"],
-            response_types=["code"],
-            scope="user",
-        ),
-        storage=InMemoryTokenStorage(),
-        redirect_handler=handle_redirect,
-        callback_handler=handle_callback,
-    )
-
-    async with httpx.AsyncClient(auth=oauth_auth, follow_redirects=True) as custom_client:
-        async with streamable_http_client("http://localhost:8001/mcp", http_client=custom_client) as (read, write, _):
-            async with ClientSession(read, write) as session:
-                await session.initialize()
-
-                tools = await session.list_tools()
-                print(f"Available tools: {[tool.name for tool in tools.tools]}")
-
-                resources = await session.list_resources()
-                print(f"Available resources: {[r.uri for r in resources.resources]}")
-
-
-def run():
-    asyncio.run(main())
-
-
-if __name__ == "__main__":
-    run()
-```
-
-_Full example: [examples/snippets/clients/oauth_client.py](https://github.com/modelcontextprotocol/python-sdk/blob/main/examples/snippets/clients/oauth_client.py)_
-<!-- /snippet-source -->
-
-For a complete working example, see [`examples/clients/simple-auth-client/`](examples/clients/simple-auth-client/).
+For OAuth 2.1 client authentication, see [Authorization](authorization.md#client-side-authentication).
 
 ## Roots
 
 
@@ -56,14 +56,13 @@ npx -y @modelcontextprotocol/inspector
 
 ## Getting Started
 
-<!-- TODO(Marcelo): automatically generate the follow references with a header on each of those files. -->
 1. **[Install](installation.md)** the MCP SDK
-2. **[Learn concepts](concepts.md)** - understand the three primitives and architecture
-3. **[Build servers](server.md)** - tools, resources, prompts, transports, ASGI mounting
-4. **[Write clients](client.md)** - connect to servers, use tools/resources/prompts
-5. **[Explore authorization](authorization.md)** - add security to your servers
-6. **[Use low-level APIs](low-level-server.md)** - for advanced customization
-7. **[Protocol features](protocol.md)** - MCP primitives, server capabilities
+2. **[Build servers](server.md)** — tools, resources, prompts, transports, ASGI mounting
+3. **[Write clients](client.md)** — connect to servers, use tools/resources/prompts
+4. **[Add authorization](authorization.md)** — secure your servers with OAuth 2.1
+5. **[Low-level APIs](low-level-server.md)** — direct handler registration for advanced use cases
+6. **[Protocol features](protocol.md)** — capabilities, negotiation, ping, cancellation
+7. **[Testing](testing.md)** — test servers with in-memory transports
 
 ## API Reference