Authenticate a protected MCP endpoint with Attesto.
This plug delegates token, DPoP, and mTLS verification to
Attesto.Plug.Authenticate, then assigns MCP-friendly auth context for the
host server.
Defaults:

- `:claims_key` - `:attesto_mcp_claims`
- `:scopes_key` - `:attesto_mcp_scopes`
- `:sender_key` - `:attesto_mcp_sender`
- `:principal_key` - `:attesto_mcp_principal`

Options accepted by `Attesto.Plug.Authenticate`, including `:config`,
`:replay_check`, `:nonce_check`, `:nonce_issue`, `:cert_der`, `:htu`,
`:credential_from_conn`, `:send_error`, `:www_authenticate`, and
`:no_store`, are passed through.

Additional options:

- `:principal` - optional callback that receives verified claims and sender context, returning `{:ok, principal}` or `{:error, reason}`.
- `:resource_metadata_url` - URL string, `(conn -> url)` callback, or `{module, fun}` / `{module, fun, args}` tuple that appends an RFC 9728 `resource_metadata` auth-param to `WWW-Authenticate` challenges unless a custom `:www_authenticate` callback is already supplied. This is a total override: it takes precedence over `:base_url` / `:origin`, and a `(conn -> url)` form that derives the URL from the connection bypasses origin pinning. Behind a proxy, pin via `:base_url` / `:origin` (which the default derivation honors) rather than supplying a conn-deriving `:resource_metadata_url` callback. A custom `:www_authenticate` callback replaces challenge handling entirely, so it must append its own `resource_metadata` if wanted.
- `:resource_path` - MCP endpoint path used to derive `:resource_metadata_url`. Its origin is resolved by `AttestoMCP.Metadata.resolve_origin/2`, so a pinned origin applies.
- `:base_url` / `:origin` - pin the origin of the derived `resource_metadata` challenge URL (a `String.t()` or a `(conn -> url)` callback) instead of deriving it from the request connection. Use this behind a TLS-terminating proxy so the advertised metadata URL cannot be spoofed via `X-Forwarded-*` headers. When omitted, the live request origin is used. This origin is the resource server's own; it is independent of the `:config` issuer (the authorization server).
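The following is an added usage example, not code from the Attesto project or from this page. It wires the plug into a `Plug.Router` behind a TLS-terminating proxy, pinning the challenge origin with `:base_url` and letting `:resource_path` derive the `resource_metadata` URL, and supplies a `:principal` callback that maps verified claims to an application principal. The plug's module name is not stated on this page, so `AttestoMCP.Plug.Authenticate` is an assumed placeholder; the `:my_app`/`:attesto` config key and the `"sub"` claim shape are likewise assumptions.

```elixir
# Added example; not part of the Attesto project. Assumed names are marked.

defmodule MyApp.MCP.Auth do
  @moduledoc "Helpers for the MCP authentication plug options."

  # :principal callback: receives verified claims and the sender context and
  # returns {:ok, principal} or {:error, reason}, as the option documents.
  # The claim map shape is an assumption; only a non-empty "sub" is used here.
  def principal(%{"sub" => sub}, _sender) when is_binary(sub) and sub != "" do
    {:ok, %{id: sub}}
  end

  def principal(_claims, _sender), do: {:error, :missing_subject}
end

defmodule MyApp.MCP.Router do
  use Plug.Router

  plug :match

  # AttestoMCP.Plug.Authenticate is an ASSUMED module name for the plug this
  # page documents; substitute the real module from the library docs.
  plug AttestoMCP.Plug.Authenticate,
    # :config is passed through to Attesto.Plug.Authenticate; the config
    # source below (an OTP app env key) is an assumption for this example.
    config: Application.compile_env!(:my_app, :attesto),
    # The MCP endpoint path; the resource_metadata URL is derived from it
    # using the pinned origin below, not from X-Forwarded-* headers.
    resource_path: "/mcp",
    # Pinned resource-server origin: this is what the WWW-Authenticate
    # challenge advertises even when a proxy rewrites Host/forwarded headers.
    base_url: "https://mcp.example.com",
    principal: &MyApp.MCP.Auth.principal/2

  plug :dispatch

  post "/mcp" do
    # On success the plug assigns the defaults listed above.
    principal = conn.assigns[:attesto_mcp_principal]
    scopes = conn.assigns[:attesto_mcp_scopes]

    send_resp(conn, 200, "authenticated #{principal.id}; scopes=#{inspect(scopes)}")
  end

  match _ do
    send_resp(conn, 404, "not found")
  end
end
```

Requests that fail token, DPoP, or mTLS verification never reach the `post "/mcp"` handler; the plug's error handling sends the challenge. Because `:base_url` is set and no `:resource_metadata_url` callback is given, the advertised metadata origin is fixed at compile time, which is the pinning the option text recommends behind a proxy.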