OAuth authentication for MCP servers on Cloudflare Workers with Google Sign-In and Dynamic Client Registration. Implements the dual OAuth role pattern: the MCP server acts as both an OAuth client (to Google) and an OAuth server (to MCP clients such as Claude.ai), issuing its own tokens after upstream authentication.

Includes production-ready security: CSRF protection via HttpOnly cookies, one-time-use state tokens with a 10-minute TTL, session binding via SHA-256 hashing, and HMAC-signed approval cookies to prevent tampering.

Supports the refresh token lifecycle for long-lived sessions (Gmail, Drive, Sheets APIs) with configurable Google scopes via environment variables; handles the non-standard two-valid-token rotation strategy.

Prevents 9 documented errors, including RFC 8707 audience validation bugs, Claude.ai connection failures, re-auth loops, and production redirect URI mismatches; coexists with Bearer token auth for CLI tools and programmatic access.

MCP OAuth Cloudflare

Production-ready OAuth authentication for MCP servers on Cloudflare Workers.

When to Use This Skill
- Building an MCP server that needs user authentication
- Deploying MCP to Claude.ai (requires Dynamic Client Registration)
- Replacing static auth tokens with OAuth for better security
- Adding Google Sign-In to your MCP server
- Needing user context (email, name, picture) in MCP tool handlers

When NOT to Use
- Internal/private MCP servers where tokens are acceptable
- MCP servers without user-specific data
- Local-only MCP development (use tokens for simplicity)

Architecture Overview