AttestoMCP.Plug.Authenticate (AttestoMCP v0.5.0)


Authenticate a protected MCP endpoint with Attesto.

This plug delegates token, DPoP, and mTLS verification to Attesto.Plug.Authenticate, then assigns MCP-friendly auth context for the host server.

Defaults:

  • :claims_key - :attesto_mcp_claims
  • :scopes_key - :attesto_mcp_scopes
  • :sender_key - :attesto_mcp_sender
  • :principal_key - :attesto_mcp_principal

Options accepted by Attesto.Plug.Authenticate, including :config, :replay_check, :nonce_check, :nonce_issue, :cert_der, :htu, :credential_from_conn, :send_error, :www_authenticate, and :no_store, are passed through.

Additional options:

  • :principal - optional callback that receives verified claims and sender context, returning {:ok, principal} or {:error, reason}.
  • :resource_metadata_url - URL string or (conn -> url) callback. When set, an RFC 9728 resource_metadata auth-param is appended to WWW-Authenticate challenges, unless a custom :www_authenticate callback is already supplied.
  • :resource_path - MCP endpoint path used to derive :resource_metadata_url from the live request origin.
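
What the resource_metadata auth-param looks like for a given request origin and :resource_path, as an added example that is not AttestoMCP's or Attesto's own code. The module and function names are hypothetical, the host and challenge are constructed sample values, and it assumes the URL is formed per RFC 9728 by placing /.well-known/oauth-protected-resource between the host and the resource path.

```elixir
defmodule ResourceMetadataExample do
  # Hypothetical helper for illustration; not part of AttestoMCP or Attesto.
  @well_known "/.well-known/oauth-protected-resource"

  # RFC 9728: the well-known segment sits between the host and the
  # resource path, with any trailing slash on the path removed first.
  def metadata_url(scheme, host, port, resource_path) do
    suffix =
      case String.trim(resource_path, "/") do
        "" -> ""
        trimmed -> "/" <> trimmed
      end

    # Omit the port when it is the scheme default, as an origin would.
    authority =
      if {scheme, port} in [{"https", 443}, {"http", 80}],
        do: host,
        else: "#{host}:#{port}"

    "#{scheme}://#{authority}#{@well_known}#{suffix}"
  end

  # Append resource_metadata to an existing challenge value. The URL goes
  # inside a quoted-string, so refuse characters that would break out of it.
  def add_auth_param(challenge, url) do
    if String.contains?(url, ["\"", "\\", "\r", "\n"]) do
      raise ArgumentError, "metadata URL is not safe inside a quoted-string"
    end

    param = ~s(resource_metadata="#{url}")

    case String.split(String.trim(challenge), " ", parts: 2) do
      [scheme] -> scheme <> " " <> param
      [scheme, params] -> scheme <> " " <> params <> ", " <> param
    end
  end
end

# Constructed sample values: origin https://mcp.example.com, endpoint /mcp.
url = ResourceMetadataExample.metadata_url("https", "mcp.example.com", 443, "/mcp")
IO.puts(url)
IO.puts(ResourceMetadataExample.add_auth_param(~s(DPoP error="invalid_token"), url))
```

Comparing this output with the WWW-Authenticate header a 401 response actually carries is a quick check that :resource_path points clients at the metadata document you intend to publish.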