Possibility to scope auth to certain routes only

[EDjur]

Hi 👋

I have a Fastify server for my web platform. Inside the same server, I want to add an MCP server, but under the /mcp path. I also need to handle OAuth myself.

However, if I enable OAuth with this plugin, it seems to automatically protect all routes, and not only /mcp ?

I.e. with the plugin auth enabled, I cannot access my normal routes anymore since they start returning this instead:

{"error":"authorization_required","error_description":"Authorization header required"}

I tried of course to register the plugin under a prefix. But MCP clients expect auth routes to sit at root level.

Additionally, I believe this kind of functionality will be needed if the server should both act as the MCP server, and the OAuth server.

Cause right now, this path /oauth2/authorize will be under protection, meaning the browser cannot open it.

Thanks for the help!

[prescottprue]

Yeah this would be awesome - this could be done via a preHandler that is called before each mcp tool so that those using @fastify/auth could apply different auth functions on each tool before it is invoked

[mattalline]

I tossed together a quick proof of concept of something I think may help here. I'm not sure what the owners here would prefer but judging from the discussion I wonder if something like the draft PR would help those here.

[EDjur]

FWIW, I dont think this repo is very actively maintained - it sort of more looks like a vibe coded demo to me 🙃 I ended up just using the official Typescript MCP SDK instead.