Workers OAuth Provider is Cloudflare's official TypeScript library that implements the provider side of the OAuth 2.1 protocol for Cloudflare Workers, designed specifically to add authorization to remote MCP servers and API endpoints. It implements the full suite of specifications required by the MCP authorization standard: OAuth 2.1 with PKCE (draft-ietf-oauth-v2-1-13), Authorization Server Metadata (RFC 8414), Protected Resource Metadata (RFC 9728), Dynamic Client Registration (RFC 7591), and Client ID Metadata Documents. The library wraps around existing Worker code, automatically handling token management, authorization flows, and session validation while passing authenticated user details directly to API handlers.
The library emerged as a critical piece of MCP infrastructure after the Model Context Protocol specification mandated OAuth 2.1 with PKCE for all public remote servers in November 2025. Without it, developers building remote MCP servers on Cloudflare Workers would need to implement the full OAuth 2.1 flow from scratch — a complex and security-sensitive task involving PKCE code challenges, token rotation, and metadata endpoint configuration. The library reduces this to a few lines of configuration, making it practical for individual developers and small teams to deploy authenticated MCP servers. It integrates naturally with Cloudflare's Durable Objects for session storage and KV for token persistence.
Published on npm as @cloudflare/workers-oauth-provider with over 1,700 GitHub stars, the library has become the de facto standard for adding authentication to Cloudflare-hosted MCP servers. The project maintains active development with security-conscious practices — a PKCE bypass vulnerability discovered through responsible disclosure was quickly patched, demonstrating the security scrutiny the library receives. It ships under the MIT license with comprehensive documentation on Cloudflare's developer docs, example implementations, and integration guides for popular identity providers including Stytch, Auth0, and Clerk.