Noizu.MCP.Auth.CompoundJWTVerifier (Noizu MCP v0.1.3)


Built-in compound JWT verifier for dual-auth MCP tokens.

Verifies a JWT that binds both an API key (app-level credential) and a user identity (from an IdP like Authentik) into a single bearer token. This lets MCP tool handlers enforce per-user permissions via ctx.assigns.auth_claims.

Token format

The JWT payload must contain:

  • "sub" — user identifier (UUID or IdP subject)
  • "api_key_id" — the MCP API key UUID
  • "iss" — issuer (validated if configured)
  • "exp" — expiration timestamp

Optional claims ("email", "name", "scopes") are passed through to auth_claims if present.

Configuration

forward "/mcp", Noizu.MCP.Transport.StreamableHTTP.Plug,
  server: MyApp.MCP,
  auth: [
    verifier: {Noizu.MCP.Auth.CompoundJWTVerifier, [
      secret: "hmac-shared-secret",     # or {secret_fn_mod, secret_fn_name}
      issuer: "my-app",                  # optional — reject if iss doesn't match
      validate_api_key: &MyApp.Auth.api_key_active?/1  # fn(api_key_id) → boolean
    ]}
  ]

Options

  • :secret — HMAC signing secret (binary) or {module, function} that returns the secret at runtime (for env-var lookup). Required.
  • :issuer — expected "iss" claim. Tokens with a different issuer are rejected. Optional.
  • :algorithms — allowed JWS algorithms (default ["HS256"]).
  • :validate_api_key — fun(api_key_id) → boolean, called after signature verification to confirm the API key is still active. When omitted, the api_key_id claim is trusted without a DB lookup, so a revoked key remains usable until the token's "exp" passes.
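As an added example, not the project's own code (which is Elixir), the following Python script mints a compound token in the format described above and verifies it with the same checks this module's options describe: the algorithm is pinned to the configured allowlist rather than read from the token, the HMAC signature is checked before any claim is used, the required claims sub, api_key_id, iss and exp must be present, exp and iss are checked, validate_api_key runs only once the signature holds, and the optional email, name and scopes claims are copied into the returned auth_claims. The secret, issuer and API key ID are constructed sample values, and a zero-argument callable stands in for the {module, function} runtime secret lookup.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed sample values for this example (hypothetical, not from the project).
SECRET = b"hmac-shared-secret"
ISSUER = "my-app"
ACTIVE_API_KEYS = {"3f2b9c1e-5d6a-4b7c-8e9f-0a1b2c3d4e5f"}


class TokenError(Exception):
    """Raised for any token the verifier must reject."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    try:
        return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
    except (binascii.Error, ValueError) as exc:
        raise TokenError("malformed base64url segment") from exc


def mint_compound_token(secret: bytes, sub: str, api_key_id: str, issuer: str,
                        ttl: int = 300, **optional) -> str:
    """Mint the dual-auth token: one HS256 JWT binding a user (sub) to an API key."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "api_key_id": api_key_id, "iss": issuer,
               "iat": now, "exp": now + ttl}
    payload.update(optional)  # optional pass-through claims: email=, name=, scopes=
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_compound_token(token: str, secret, issuer=None, algorithms=("HS256",),
                          validate_api_key=None, now=None) -> dict:
    """Verify a compound token and return the auth_claims map, or raise TokenError.

    secret is bytes or a zero-arg callable (runtime lookup, like {module, function}).
    validate_api_key(api_key_id) -> bool runs only after the signature has been checked.
    """
    key = secret() if callable(secret) else secret
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("token must have three segments")
    h64, p64, s64 = parts
    try:
        header = json.loads(_b64url_decode(h64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenError("malformed header") from exc
    # Pin the algorithm from configuration, never from the token: this rejects
    # "alg":"none" and anything outside the allowlist before the signature is touched.
    # Only HS256 is implemented here, so anything else is rejected as unsupported.
    alg = header.get("alg") if isinstance(header, dict) else None
    if alg not in algorithms or alg != "HS256":
        raise TokenError(f"algorithm {alg!r} not allowed")
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise TokenError("signature mismatch")
    try:
        payload = json.loads(_b64url_decode(p64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenError("malformed payload") from exc
    if not isinstance(payload, dict):
        raise TokenError("payload is not a JSON object")
    for claim in ("sub", "api_key_id", "iss", "exp"):
        if claim not in payload:
            raise TokenError(f"missing required claim {claim}")
    exp = payload["exp"]
    current = int(time.time()) if now is None else now
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or exp <= current:
        raise TokenError("token expired or exp not numeric")
    if issuer is not None and payload["iss"] != issuer:
        raise TokenError("issuer mismatch")
    # The signature is valid here, so api_key_id is authentic; the callback decides
    # whether that key is still active (revocation check against the key store).
    if validate_api_key is not None and not validate_api_key(payload["api_key_id"]):
        raise TokenError("api key inactive")
    claims = {"sub": payload["sub"], "api_key_id": payload["api_key_id"]}
    for name in ("email", "name", "scopes"):
        if name in payload:
            claims[name] = payload[name]
    return claims


if __name__ == "__main__":
    tok = mint_compound_token(SECRET, "user-42", next(iter(ACTIVE_API_KEYS)), ISSUER,
                              scopes=["tools:read"])
    print(verify_compound_token(tok, SECRET, issuer=ISSUER,
                                validate_api_key=lambda k: k in ACTIVE_API_KEYS))
```

The order of checks is the point: algorithm allowlist, then signature, then claims, then the API key callback. Running validate_api_key before the signature holds would let an unauthenticated caller probe which key IDs exist.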