Hi there — thanks for the great project!
I’m exploring using paper-search-mcp as a protected Model Context Protocol (MCP) server (i.e. requiring authorization) under the specification of MCP’s Authorization / Protected Resource model. In particular, I refer to the draft spec:
“A protected MCP server acts as an OAuth 2.1 resource server …” 0
And the specification text here:
https://modelcontextprotocol.io/specification/draft/basic/authorization
What I’d like to know / my questions
-
Is paper-search-mcp intended to or currently able to serve as a protected MCP server (i.e. requiring OAuth tokens) in compliance with the MCP spec?
-
More specifically, does it support (or have plans to support) the following features from the spec:
- Publication of Protected Resource Metadata (RFC 9728) so that MCP clients can discover authorization server endpoints. 1
- Validation of incoming access tokens as an OAuth 2.1 resource server, including checking audience, expiry, scopes, etc. 2
- Support for the
resource parameter (RFC 8707) in token requests, as required by the spec to bind tokens to the MCP server. 3
- Use of the
Authorization: Bearer <token> header (rather than query parameters) for requests. 4
- 401 / 403 error codes for unauthorized/insufficient scope requests, per the spec. 5
- Any additional constraints or deviations from the spec as currently implemented.
-
If the support is not yet implemented, are there roadmaps or architectural constraints that would block implementing this “protected mode”?
Thanks again for your work — I look forward to your feedback. 🙏
Best,
François
Hi there — thanks for the great project!
I’m exploring using paper-search-mcp as a protected Model Context Protocol (MCP) server (i.e. requiring authorization) under the specification of MCP’s Authorization / Protected Resource model. In particular, I refer to the draft spec:
And the specification text here:
https://modelcontextprotocol.io/specification/draft/basic/authorization
What I’d like to know / my questions
Is paper-search-mcp intended to or currently able to serve as a protected MCP server (i.e. requiring OAuth tokens) in compliance with the MCP spec?
More specifically, does it support (or have plans to support) the following features from the spec:
resourceparameter (RFC 8707) in token requests, as required by the spec to bind tokens to the MCP server. 3Authorization: Bearer <token>header (rather than query parameters) for requests. 4If the support is not yet implemented, are there roadmaps or architectural constraints that would block implementing this “protected mode”?
Thanks again for your work — I look forward to your feedback. 🙏
Best,
François