Authentication plug for MCP servers.
Provides flexible authentication strategies for protecting MCP endpoints. Supports bearer tokens, API keys, custom verification functions, and more.
Options
- `:enabled` - Enable/disable authentication (default: `true`)
- `:strategy` - Authentication strategy: `:bearer_token`, `:api_key`, `:custom`, or `:function`
- `:verify` - Verification function/MFA. Signature: `(credential :: String.t()) -> {:ok, user} | {:error, reason}`
- `:token` - Static token for `:bearer_token` strategy (simple auth)
- `:api_key` - Static API key for `:api_key` strategy
- `:header` - Header name for `:api_key` strategy (default: `"x-api-key"`)
- `:assign_as` - Key to assign authenticated user in `conn.assigns` (default: `:current_user`)
Examples
Disabled (Development)
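plug ConduitMcp.Plugs.Auth, enabled: false
Static Bearer Token
The literal token and API key values in the static examples below are placeholders; in a real deployment keep the secret out of source control.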
plug ConduitMcp.Plugs.Auth,
strategy: :bearer_token,
token: "my-secret-token"
Static API Key
plug ConduitMcp.Plugs.Auth,
strategy: :api_key,
api_key: "secret-key-123",
header: "x-api-key"
Custom Function (Anonymous)
plug ConduitMcp.Plugs.Auth,
strategy: :function,
verify: fn token ->
if MyApp.Auth.valid_token?(token) do
{:ok, MyApp.Auth.get_user_by_token(token)}
else
{:error, "Invalid token"}
end
end
Custom Function (MFA)
plug ConduitMcp.Plugs.Auth,
strategy: :function,
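verify: {MyApp.Auth, :verify_token, []} # Will call MyApp.Auth.verify_token(token)
Database Token Lookup
This example looks tokens up by their raw value, which assumes they are stored unhashed; storing only a hash of each token and looking up by that hash limits the damage if the table is exposed.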
plug ConduitMcp.Plugs.Auth,
strategy: :function,
verify: fn token ->
case MyApp.Repo.get_by(ApiToken, token: token) do
%ApiToken{user_id: user_id} ->
user = MyApp.Repo.get!(User, user_id)
{:ok, user}
nil ->
{:error, "Invalid token"}
end
end
JWT Verification
plug ConduitMcp.Plugs.Auth,
strategy: :function,
verify: fn token ->
case MyApp.JWT.verify_and_validate(token) do
{:ok, claims} ->
user = MyApp.Accounts.get_user!(claims["sub"])
{:ok, user}
{:error, _reason} ->
{:error, "Invalid JWT"}
end
end
OAuth2 Integration
plug ConduitMcp.Plugs.Auth,
strategy: :function,
verify: {MyApp.OAuth, :verify_token, []},
assign_as: :oauth_user