mcpauth vs. WorkOS

WorkOS added MCP-specific support to AuthKit, and the pitch is genuinely close to mcpauth's own: indie-friendly “get OAuth working in about 10 minutes” messaging, real code samples, and a clear acknowledgment that most MCP servers ship with no auth at all. If you've been comparing the two, here is an honest breakdown of where they actually differ.

The core difference: dedicated tool vs. bundled feature

mcpauth is built for one job: OAuth 2.1 and Dynamic Client Registration (RFC 7591) for MCP servers. There is no SSO product, no SCIM directory sync, no Admin Portal attached to it — a registration secret, an authorize screen, and a token endpoint are the whole surface area.

AuthKit's MCP support, by contrast, lives inside WorkOS's broader enterprise identity platform. That platform is mature and well-regarded for what it does — SSO, SCIM provisioning, an Admin Portal for customer IT teams — but MCP auth isn't sold as its own thing. There is no dedicated self-serve pricing SKU just for “add OAuth to my MCP server”; you're adopting a slice of a much larger IAM product to get it.

Dynamic Client Registration

The part of the MCP spec that trips up most OAuth providers is RFC 7591 Dynamic Client Registration — letting an MCP client (Claude, an IDE, an agent) register itself as an OAuth client at runtime with no human pre-provisioning a client ID in a dashboard. mcpauth implements this out of the box:

curl -X POST https://your-mcpauth-instance/api/oauth/register \
  -H "Authorization: Bearer $MCPAUTH_REGISTRATION_SECRET" \
  -H "Content-Type: application/json" \
  -d '{
    "redirect_uris": ["https://client.example.com/callback"],
    "client_name": "My MCP Client"
  }'

together with RFC 8414 discovery at /.well-known/oauth-authorization-server so a client only needs your issuer URL to find every endpoint it needs. Both providers support this — it's the baseline for working correctly with MCP clients, and it's worth confirming for any provider you evaluate, since most general-purpose OAuth platforms still don't implement it.
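One way to run the confirmation suggested above, as an added example that is not mcpauth's or WorkOS's code: it builds the RFC 8414 discovery URL from an issuer and checks a metadata document for what an MCP client needs (registration endpoint, PKCE, matching issuer). The issuer, the endpoint URLs and both sample documents are constructed for illustration, and the function names are hypothetical.

```javascript
// Added example. Sample documents below are constructed, not real responses.
const ISSUER = "https://auth.example.com/tenant1"; // hypothetical issuer

// RFC 8414 s3.1: the well-known suffix goes between the host and the issuer path.
function discoveryUrl(issuer) {
  const u = new URL(issuer);
  const path = u.pathname.replace(/\/+$/, ""); // drop any trailing "/"
  return `${u.origin}/.well-known/oauth-authorization-server${path}`;
}

function isHttps(value) {
  try { return new URL(value).protocol === "https:"; } catch { return false; }
}

// Returns a list of findings; an empty list means every check passed.
function checkMetadata(issuer, md) {
  const out = [];
  const iu = new URL(issuer);
  if (iu.protocol !== "https:" || iu.search || iu.hash) out.push("issuer must be https without query or fragment");
  // RFC 8414 s3.3: the returned issuer must equal the one used for discovery.
  if (md.issuer !== issuer) out.push("issuer mismatch");
  for (const k of ["authorization_endpoint", "token_endpoint"]) if (!isHttps(md[k])) out.push(`${k} missing or not https`);
  // RFC 7591: without a registration endpoint a client cannot self-register.
  if (!isHttps(md.registration_endpoint)) out.push("registration_endpoint missing or not https");
  if (!(md.response_types_supported || []).includes("code")) out.push("response type 'code' not advertised");
  // OAuth 2.1 requires PKCE; S256 is the method a client should find advertised.
  if (!(md.code_challenge_methods_supported || []).includes("S256")) out.push("PKCE S256 not advertised");
  // RFC 8414 s2: an omitted grant_types_supported defaults to code + implicit.
  const grants = md.grant_types_supported || ["authorization_code", "implicit"];
  for (const g of ["implicit", "password"]) if (grants.includes(g)) out.push(`legacy grant in effect: ${g}`);
  return out;
}

const GOOD = {
  issuer: ISSUER,
  authorization_endpoint: "https://auth.example.com/tenant1/authorize",
  token_endpoint: "https://auth.example.com/tenant1/token",
  registration_endpoint: "https://auth.example.com/tenant1/register",
  response_types_supported: ["code"],
  grant_types_supported: ["authorization_code", "refresh_token"],
  code_challenge_methods_supported: ["S256"],
};
const BAD = {
  issuer: "https://auth.example.com",
  authorization_endpoint: "https://auth.example.com/authorize",
  token_endpoint: "http://auth.example.com/token",
  response_types_supported: ["code"],
  code_challenge_methods_supported: ["plain"],
};
console.log(discoveryUrl(ISSUER), checkMetadata(ISSUER, GOOD), checkMetadata(ISSUER, BAD));
```

To use it against a live provider, fetch `discoveryUrl(issuer)` and pass the parsed JSON to `checkMetadata` along with the same issuer string.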

Integration surface

On the server side, mcpauth ships an npm package that wraps the official @modelcontextprotocol/sdk's own requireBearerAuth middleware, so token verification follows the spec the official SDK already defines rather than a parallel implementation:

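import express from "express";
import { mcpAuth } from "getmcpauth";

// Express app, which the app.use() call below assumes.
const app = express();

// Require a valid bearer token on every request under /mcp.
app.use("/mcp", mcpAuth({
  registrationSecret: process.env.MCPAUTH_SECRET,
}));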

For MCP servers embedded inside a product that already has its own logged-in users, mcpauth also exposes a direct server-to-server exchange — your backend, which already knows who the user is, calls /api/oauth/token/exchange (or the SDK's mintToken() helper) to mint a token directly, skipping the GitHub-login and consent-screen flow entirely. WorkOS's MCP integration is also genuinely straightforward to wire up on the server side — this isn't a case of one being hard and one being easy; it's a case of how much product surrounds the auth flow once you're integrated.

Pricing

mcpauth publishes MCP-specific pricing with no sales call required to see a number:

  • Free — $0/mo, 1 project, up to 1,000 monthly active tokens, community support.
  • Pro — $29/mo, unlimited projects, 10,000 monthly active tokens included, $5 per additional 1,000 monthly active tokens, priority support.

WorkOS doesn't break out a standalone price for MCP auth specifically — AuthKit's pricing covers the wider IAM platform (SSO connections, SCIM directories, the Admin Portal), and figuring out what MCP support costs you in isolation depends on which parts of that platform you also end up using.

When to choose which

If you already need — or expect to need soon — WorkOS's broader SSO and SCIM product for enterprise customers, their MCP support is a reasonable thing to adopt as part of that bundle; you're not paying for a second vendor to cover a small extra surface.

If MCP auth is the only problem you have — you just need real OAuth 2.1 and Dynamic Client Registration in front of an MCP server, without adopting an enterprise identity platform around it — mcpauth is the narrower, cheaper tool built specifically for that job.