An MCP server (built with the official MCP SDK) for testing LiteLLM's OBO token exchange flow. It captures and returns the Authorization header it receives, letting you verify that the exchanged token (not the user's original JWT) arrives at the MCP server.

```bash
pip install -r requirements.txt
python server.py
```

Server starts on http://localhost:9998 using streamable HTTP transport.

| Tool | Description |
|---|---|
| `echo_auth` | Returns the most recent Authorization header received |
| `get_auth_log` | Returns the full log of all auth headers |
| `ping` | Simple health check, returns "pong" |

- Start this server: `python server.py` (port 9998)
- Start the mock token exchange server: port 9999
- Configure LiteLLM proxy:

  ```yaml
  mcp_servers:
    test_obo:
      url: http://localhost:9998/mcp
      transport: http
      auth_type: oauth2_token_exchange
      token_exchange_endpoint: http://localhost:9999/oauth2/token
      audience: api://test-mcp-server
      scopes:
        - mcp.tools.read
        - mcp.tools.execute
      client_id: litellm-client
      client_secret: litellm-secret
  ```

- Send a request with a user JWT:

  ```bash
  curl -X POST http://localhost:4000/mcp \
    -H "Authorization: Bearer <USER_JWT>" \
    -H "Content-Type: application/json" \
    -d '{
      "jsonrpc": "2.0",
      "method": "tools/call",
      "params": {"name": "test_obo_echo_auth", "arguments": {"message": "test"}},
      "id": 1
    }'
  ```

- Check the server logs: you should see the exchanged token, not the original user JWT.
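
The final check can be automated rather than done by eye. The following is an added example, not part of this server's code: it takes the header value returned by `echo_auth` and compares it with the user's JWT and the configured `audience` and `scopes`. It assumes the mock exchange server issues JWTs carrying `aud` and a space-delimited `scope` claim; `check_obo`, `jwt_claims` and `make_jwt` are hypothetical names, and the sample tokens are constructed.

```python
import base64
import json

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature; None if not a JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        padded = parts[1] + "=" * (-len(parts[1]) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    return claims if isinstance(claims, dict) else None

def check_obo(auth_header, user_jwt, audience, scopes):
    """Return a list of problems; empty means the header holds an exchanged token."""
    scheme, _, token = auth_header.partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return ["header is not a Bearer token"]
    if token == user_jwt:
        return ["user's original JWT was passed through unchanged"]
    claims = jwt_claims(token)
    if claims is None:
        return []  # opaque token: inequality is all that can be checked here
    problems = []
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} does not include {audience!r}")
    scope = claims.get("scope") or ""
    granted = set(scope.split()) if isinstance(scope, str) else set(scope)
    missing = sorted(set(scopes) - granted)
    if missing:
        problems.append(f"missing scopes: {missing}")
    return problems

def make_jwt(claims):
    """Build a constructed, unsigned sample token for the demo below."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return ".".join([enc(b'{"alg":"none"}'), enc(json.dumps(claims).encode()), "sig"])

# Values from the proxy config above; tokens are constructed samples.
AUD = "api://test-mcp-server"
SCOPES = ["mcp.tools.read", "mcp.tools.execute"]
USER_JWT = make_jwt({"sub": "alice", "aud": "litellm-proxy"})
EXCHANGED = make_jwt({"sub": "alice", "aud": AUD, "scope": " ".join(SCOPES)})

if __name__ == "__main__":
    print(check_obo("Bearer " + EXCHANGED, USER_JWT, AUD, SCOPES))
```

The payload is decoded without signature verification, which is only appropriate for this kind of test assertion, never for an authorization decision.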