npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

mcp-server-lib

v0.2.0

Published

A factory for creating **Google OAuth-authenticated MCP (Model Context Protocol) servers** in Node.js. Handles the full OAuth 2.0 PKCE flow, bearer token validation, and per-user scoped tool execution — so you only need to define your tools.

Downloads

194

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

rutulpatelrutulpatel

Keywords

Readme

mcp-server-lib

A factory for creating Google OAuth-authenticated MCP (Model Context Protocol) servers in Node.js. Handles the full OAuth 2.0 PKCE flow, bearer token validation, and per-user scoped tool execution — so you only need to define your tools.

Installation

npm install mcp-server-lib

Quick Start

import { createMcpServer } from "mcp-server-lib";
import { z } from "zod";

createMcpServer({
  name: "my-server",
  port: 3001,
  googleClientId: process.env.GOOGLE_CLIENT_ID!,
  googleClientSecret: process.env.GOOGLE_CLIENT_SECRET!,
  mcpApiKey: process.env.MCP_API_KEY!,
  tools: [
    {
      name: "list_items",
      description: "Get all items for the authenticated user",
      handler: async (_args, { userEmail }) => {
        // userEmail is the Google-authenticated user's email
        return { items: [], user: userEmail };
      },
    },
    {
      name: "create_item",
      description: "Create a new item",
      inputSchema: {
        title: z.string(),
        priority: z.enum(["low", "medium", "high"]).optional(),
      },
      handler: async ({ title, priority }, { userEmail }) => {
        // your logic here
        return { created: true, title, priority, by: userEmail };
      },
    },
  ],
});

Google OAuth Setup

  1. Go to the Google Cloud Console and create an OAuth 2.0 client ID (type: Web application).
  2. Add your callback URL to Authorized redirect URIs:
    • Local: http://localhost:3001/callback
    • Production: https://your-domain.com/callback
  3. Copy the Client ID and Client Secret into your environment variables.

Configuration

| Option | Type | Required | Default | Description | | -------------------- | ------------ | -------- | --------------------------- | ------------------------------------------------------------------------ | | name | string | Yes | — | Display name reported to MCP clients during initialization. | | googleClientId | string | Yes | — | Google OAuth 2.0 client ID. | | googleClientSecret | string | Yes | — | Google OAuth 2.0 client secret. | | mcpApiKey | string | Yes | — | Shared secret; MCP clients must send this as a Bearer token. | | tools | McpTool[] | Yes | — | Array of tools to expose on the MCP server. | | port | number | No | 3001 | TCP port to listen on. | | baseUrl | string | No | http://localhost:<port> | Publicly reachable base URL. Set this in production. | | version | string | No | "1.0.0" | Server version string reported to clients. |

Defining Tools

Each tool in the tools array follows the McpTool interface:

interface McpTool {
  name: string;                                       // unique tool identifier
  description: string;                                // shown to MCP clients / AI agents
  inputSchema?: Record<string, z.ZodTypeAny>;         // optional argument validation
  handler: (args: any, context: { userEmail: string }) => Promise<any>;
}
  • inputSchema uses Zod validators. When provided, the MCP SDK describes the expected arguments to clients automatically.
  • handler receives validated args and a context object with the authenticated userEmail. Return any JSON-serializable value.

HTTP Routes

| Method | Path | Description | | ------ | ----------- | ---------------------------------------------------- | | GET | /callback | Google OAuth redirect handler (do not call directly) | | * | /mcp | MCP protocol endpoint — requires valid bearer token |

The MCP SDK auth router also mounts standard OAuth discovery/token endpoints automatically.

Environment Variables

GOOGLE_CLIENT_ID=your-google-client-id
GOOGLE_CLIENT_SECRET=your-google-client-secret
MCP_API_KEY=your-secret-api-key

Logging

All library logs are prefixed with [mcp-server-lib] so you can easily identify them. Key events logged:

  • Server started
  • OAuth client registered
  • Authorization flow started / user authenticated
  • Access token issued / revoked / expired
  • MCP request received
  • Tool called

Limitations

  • In-memory state: All OAuth clients, sessions, and access tokens are stored in process memory. They are lost on server restart. For production deployments with multiple instances, you would need to replace the in-memory maps with a shared store (e.g. Redis).
  • No refresh tokens: Access tokens are valid for 8 hours. After expiry, users must re-authenticate via Google.
  • Single identity provider: Only Google OAuth is supported as the identity provider.

License

ISC