Secure MCP Servers in Minutes with XMCP and WorkOS AuthKit
The xmcp framework now ships with a first-party WorkOS plugin, making it easy to add OAuth 2.0 authentication to your MCP servers with just a few lines of code.
We’re excited to announce that xmcp, the TypeScript framework for building and shipping MCP servers, now includes a first-party WorkOS AuthKit integration.
This enables you to create an MCP server and add enterprise-grade authentication to it in minutes.
Why Authentication Matters for MCP
MCP servers expose powerful capabilities to AI clients: database access, API integrations, file operations, and more.
Without proper authentication, anyone who can reach your server can call its tools and read its resources. You have no way to identify which user or organization is making a request, role-based access control is impossible because there is no principal to authorize, and audit logs cannot attribute an action to anyone.
The @xmcp-dev/workos plugin lets you add WorkOS AuthKit to your MCP server as a drop-in provider of user management, authentication, social login, SSO, SCIM, audit logs and the other enterprise features that help you move upmarket and land larger deals.
What You Get
This integration provides everything you need for production-ready authentication.
Session management gives you access to the authenticated user’s ID, organization, role, and permissions directly inside your MCP tools via getSession().
User details are available through getUser(), letting you fetch full user profiles including email, name, and profile picture.
The full WorkOS SDK is exposed through getClient(), so you can use advanced features like Directory Sync, Audit Logs, and organization management.
The server speaks standard OAuth 2.0, so MCP clients obtain and refresh tokens themselves, and with Dynamic Client Registration (DCR) enabled in WorkOS Connect, clients can register themselves without manual configuration.
Getting Started
1. Install the plugin

    npm install @xmcp-dev/workos
    # or
    pnpm add @xmcp-dev/workos

2. Configure WorkOS
In your WorkOS Dashboard:
- Copy your WORKOS_API_KEY and WORKOS_CLIENT_ID from the Overview page
- Note your AuthKit domain (for example, https://yourcompany.authkit.app)
- Navigate to Connect → Configuration and enable:
- Client ID Metadata Document (CIMD)
- Dynamic Client Registration (DCR)
3. Add the middleware
Create a middleware.ts file in your xmcp project:
    import { workosProvider } from "@xmcp-dev/workos";

    // The API key is a server-side secret: load it from the environment, never commit it.
    export default workosProvider({
      apiKey: process.env.WORKOS_API_KEY!,
      clientId: process.env.WORKOS_CLIENT_ID!,
      baseURL: process.env.BASE_URL!,                    // public URL where this MCP server is reachable
      authkitDomain: process.env.WORKOS_AUTHKIT_DOMAIN!, // e.g. https://yourcompany.authkit.app
      docsURL: "https://yourserver.com/docs",            // optional
    });

4. Use authentication in your tools
    import { getSession, getUser } from "@xmcp-dev/workos";

    // Unauthenticated requests are rejected before any tool runs, so the session
    // here reflects a verified token rather than claims supplied by the client.
    export default async function greetUser() {
      const session = getSession();   // userId, organizationId, role, permissions
      const user = await getUser();   // full profile fetched from WorkOS
      return `Hello ${user.firstName}! Your user ID is ${session.userId}`;
    }

That's it. Your MCP server now requires authentication, and every tool has access to rich user context.
Advanced Use Cases
Once you have the full WorkOS SDK available, more powerful patterns become possible.
Organization-aware tools
    import { getSession, getClient } from "@xmcp-dev/workos";

    const session = getSession();
    const workos = getClient();

    // organizationId is absent for users who signed in without an organization,
    // so check it before scoping anything to it.
    if (session.organizationId) {
      const org = await workos.organizations.getOrganization(
        session.organizationId
      );
      // Scope data access to the user's organization
    }

Audit logging
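"Scope data access to the user's organization" is the step that keeps one tenant from reading another's data. As an added example, not code from xmcp, the WorkOS SDK or the plugin, the block below shows the unscoped lookup to avoid next to a scoped one that takes the organization from the verified session rather than from tool arguments. The OrgSession type, the document records and the organization IDs are constructed for the example.

```typescript
// Added example: not code from xmcp, the WorkOS SDK or the @xmcp-dev/workos plugin.
// OrgSession is an assumed subset of the session the post says getSession() returns.
interface OrgSession {
  userId: string;
  organizationId?: string;
}

interface DocumentRecord {
  id: string;
  organizationId: string;
  title: string;
}

// Constructed sample data: one store shared by two tenants, as in a multi-tenant MCP server.
const sampleDocuments: DocumentRecord[] = [
  { id: "doc_1", organizationId: "org_acme", title: "Acme roadmap" },
  { id: "doc_2", organizationId: "org_acme", title: "Acme pricing" },
  { id: "doc_3", organizationId: "org_globex", title: "Globex roadmap" },
];

type LookupResult = { found: true; document: DocumentRecord } | { found: false };

// Unscoped lookup: the shape to avoid. Anyone who can guess an id reads any tenant's data.
function getDocumentUnscoped(documentId: string, store: DocumentRecord[] = sampleDocuments): LookupResult {
  const doc = store.find((d) => d.id === documentId);
  return doc ? { found: true, document: doc } : { found: false };
}

// Scoped lookup: the organization comes from the verified session, never from tool
// arguments. A document in another organization is reported as not found rather than
// forbidden, so the tool does not confirm which ids exist elsewhere.
function getDocumentForOrg(
  session: OrgSession,
  documentId: string,
  store: DocumentRecord[] = sampleDocuments,
): LookupResult {
  if (!session.organizationId) return { found: false }; // sessions without an org see no org data
  const doc = store.find((d) => d.id === documentId && d.organizationId === session.organizationId);
  return doc ? { found: true, document: doc } : { found: false };
}

// Listing follows the same rule: filter by the session's organization on every query.
function listDocumentsForOrg(session: OrgSession, store: DocumentRecord[] = sampleDocuments): DocumentRecord[] {
  if (!session.organizationId) return [];
  return store.filter((d) => d.organizationId === session.organizationId);
}

// In an xmcp tool this would be wired roughly as follows (assumed use of the plugin's getSession):
//   export default async function getDocument({ documentId }: { documentId: string }) {
//     return getDocumentForOrg(getSession(), documentId);
//   }
```

The same rule applies to writes: the organization filter belongs in the query itself, not in a check performed after the row has been fetched, so that a forgotten check cannot expose another tenant's record.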
    import { getSession, getClient } from "@xmcp-dev/workos";

    const session = getSession();
    const workos = getClient();

    // The WorkOS Node SDK takes the organization ID as the first argument;
    // occurredAt and context.location (the caller's IP) are required event fields.
    if (session.organizationId) {
      await workos.auditLogs.createEvent(session.organizationId, {
        action: "document.accessed",
        occurredAt: new Date(),
        actor: { id: session.userId, type: "user" },
        targets: [{ id: documentId, type: "document" }],
        context: { location: clientIp }, // clientIp and documentId are illustrative
      });
    }

Directory Sync integration
    import { getClient } from "@xmcp-dev/workos";

    const workos = getClient();

    // Replace "directory_xxx" with the ID of a directory connected in the WorkOS Dashboard
    const users = await workos.directorySync.listUsers({
      directory: "directory_xxx",
    });
    // Sync enterprise directory data into your MCP tools

Check out xmcp and the WorkOS plugin and let us know your thoughts.
Learn more about WorkOS AuthKit →
Thank you to the talented folks at basementstudio and the xmcp team.