mcpauth vs. @mcpauth/auth
If you've searched for MCP auth tools, you've probably run into @mcpauth/auth — an open-source, self-hostable OAuth 2.0 server for MCP servers, published by a different team at github.com/mcpauth. The name overlap is a real source of confusion, so here's an honest, specific comparison — we are not affiliated with that project.
The core difference: hosted vs. self-hosted
This is a genuinely different tradeoff than the other comparisons on this site. @mcpauth/auth is code you deploy and run yourself — a Next.js or Express app you own, backed by your own Postgres/MySQL via Prisma or Drizzle. You get full control and no dependency on a third-party service staying up, at the cost of operating an OAuth server yourself: patching it, monitoring it, and keeping the database it depends on alive.
mcpauth is hosted by default — you create a project in the dashboard, get a registration secret, and the OAuth server, the database, and the uptime are ours to run, not yours. Self-hosting mcpauth is possible (it's a Next.js/Postgres app), but the product is built hosted-first, the opposite emphasis from @mcpauth/auth.
Dynamic Client Registration
mcpauth implements RFC 7591 Dynamic Client Registration directly — an MCP client registers itself automatically against /api/oauth/register with no human pre-provisioning a client ID, discoverable via RFC 8414 at /.well-known/oauth-authorization-server.
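The client-side checks behind that discovery and registration sequence, as an added example (not mcpauth's SDK and not code from either project): it builds the RFC 8414 metadata URL, rejects metadata whose issuer does not match, and prepares an RFC 7591 registration body. The host auth.example.test, the sample metadata, the authorize and token paths, and all function names are assumptions; only the register and well-known paths come from the text above.

```javascript
// Added example; auth.example.test and every value below are constructed placeholders.
const WELL_KNOWN = "/.well-known/oauth-authorization-server";
const SAMPLE_ISSUER = "https://auth.example.test";
const SAMPLE_METADATA = {
  issuer: SAMPLE_ISSUER,
  authorization_endpoint: SAMPLE_ISSUER + "/api/oauth/authorize", // assumed path
  token_endpoint: SAMPLE_ISSUER + "/api/oauth/token", // assumed path
  registration_endpoint: SAMPLE_ISSUER + "/api/oauth/register",
};

// RFC 8414 section 3: the well-known segment sits between the host and any issuer path.
function metadataUrl(issuer) {
  const u = new URL(issuer);
  if (u.protocol !== "https:" || u.search || u.hash) {
    throw new Error("issuer must be an https URL without query or fragment");
  }
  const path = u.pathname === "/" ? "" : u.pathname.replace(/\/$/, "");
  return u.origin + WELL_KNOWN + path;
}

// RFC 8414 section 3.3: discard the metadata unless its issuer matches exactly.
function checkMetadata(issuer, meta) {
  if (meta.issuer !== issuer) throw new Error("issuer mismatch");
  for (const key of ["authorization_endpoint", "token_endpoint", "registration_endpoint"]) {
    if (typeof meta[key] !== "string") throw new Error(`missing ${key}`);
    if (new URL(meta[key]).protocol !== "https:") throw new Error(`${key} is not https`);
  }
  return meta.registration_endpoint;
}

// RFC 7591 section 2: registration body for a public client using the code flow.
function registrationRequest(clientName, redirectUris) {
  for (const uri of redirectUris) {
    const u = new URL(uri);
    const loopback = ["localhost", "127.0.0.1"].includes(u.hostname);
    if (u.protocol !== "https:" && !(u.protocol === "http:" && loopback)) {
      throw new Error(`redirect URI not allowed: ${uri}`);
    }
  }
  return {
    client_name: clientName,
    redirect_uris: redirectUris,
    grant_types: ["authorization_code"],
    response_types: ["code"],
    token_endpoint_auth_method: "none", // public client: no secret to store
  };
}
```

The object returned by `registrationRequest` is what a client would POST as JSON to the endpoint returned by `checkMetadata`.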
Worth knowing before you evaluate @mcpauth/auth: its own Next.js example app's README states it “includes custom server-side authentication logic for dynamic client registration” and notes “this project utilizes a custom OAuth setup due to various issues with the standard MCP OAuth server implementation,” adding that “the custom authentication code has not been extensively vetted” and should be used in production “at your own risk.” That's their own documentation, not our characterization of it — worth reading directly before you decide how much DCR support to expect out of the box.
Integration surface
@mcpauth/auth has real breadth here: framework adapters for both Next.js and Express, and database stores for both Prisma and Drizzle. It also ships an authenticateUser() plug-in function — you write a function that reads a session cookie, bearer token, or any existing auth signal and returns the user, and it wires that into the OAuth flow.
mcpauth is narrower today: the SDK wraps the official @modelcontextprotocol/sdk's own requireBearerAuth middleware for Express specifically — no Next.js API route adapter or Drizzle store yet. The equivalent of authenticateUser() is a server-to-server call instead of an in-process function:
import { mintToken } from "getmcpauth";
const accessToken = await mintToken({
  registrationSecret: process.env.MCPAUTH_SECRET,
  clientId,
  subject: currentUser.id, // however you already authenticate them
  scopes: ["read:files"],
});
Same underlying idea (bridge your existing auth into an OAuth token without making your users log in twice), implemented as a hosted API call rather than a callback your own server runs.
Maturity and track record
@mcpauth/auth is the more established project by a real margin — open-sourced mid-2025, over 100 GitHub stars, an active issue tracker, and a published documentation site. It has been through more real-world use than mcpauth has.
mcpauth is newer and has less of a public track record — we'd rather say that plainly than let a comparison page imply otherwise. What we're confident in is what's actually built and tested: every endpoint on this site has been verified against a live deployment, not just written and assumed to work.
Pricing
@mcpauth/auth is MIT-style open-source software (ISC license). It is free because you're running it on your own infrastructure, which has its own real cost (hosting, a database, your time operating it).
- mcpauth Free — $0/mo, 1 project, up to 1,000 monthly active tokens, community support.
- mcpauth Pro — $29/mo, unlimited projects, 10,000 monthly active tokens included, $5 per additional 1,000 monthly active tokens, priority support.
When to choose which
Choose @mcpauth/auth if you want to own the entire OAuth server and database yourself, you're already on Next.js/Express with Prisma/Drizzle, and you're comfortable operating and vetting the auth code in production yourself.
Choose mcpauth if you'd rather not run an OAuth server and its database at all — sign up, get a registration secret, and the hosted infrastructure, spec compliance, and uptime are handled for you.