JWT authentication for MCP HTTP transport (SEC-H1).
Provides bearer token validation for the MCP HTTP server. The stdio transport does NOT require authentication.
§Configuration
Set these environment variables for JWT validation:
- SUBCOG_MCP_JWT_SECRET: Required. The secret key for HS256 validation.
- SUBCOG_MCP_JWT_ISSUER: Optional. Expected issuer claim.
- SUBCOG_MCP_JWT_AUDIENCE: Optional. Expected audience claim.
§Example
export SUBCOG_MCP_JWT_SECRET="your-secret-key-min-32-chars-long"
export SUBCOG_MCP_JWT_ISSUER="https://auth.example.com"
subcog serve --transport http --port 3000

Structs§
- Claims: JWT claims structure.
- JwtAuthenticator: JWT authenticator for validating bearer tokens.
- JwtConfig: JWT authentication configuration.
- ToolAuthorization: Tool authorization configuration (CRIT-003).
Constants§
- MIN_CHAR_CLASSES 🔒: Minimum character classes required (HIGH-SEC-004). At least 3 of: lowercase, uppercase, digits, special chars.
- MIN_SECRET_LENGTH 🔒: Minimum secret key length for security.
- MIN_UNIQUE_CHARS 🔒: Minimum number of unique characters for entropy validation. A 32+ character secret with fewer than 8 unique chars is likely weak.
Functions§
- validate_secret_entropy 🔒: Validates that a secret has sufficient entropy (not just length).
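
The constants and validate_secret_entropy listed above describe a length, unique-character and character-class check on the HS256 secret. The Rust below is an added example of that kind of check, not subcog's own code: the function name, the error enum and the constant values 32, 8 and 3 are assumptions inferred from the descriptions on this page.

```rust
use std::collections::HashSet;

// Assumed values, inferred from the constant descriptions on this page.
const MIN_SECRET_LENGTH: usize = 32;
const MIN_UNIQUE_CHARS: usize = 8;
const MIN_CHAR_CLASSES: usize = 3;

#[derive(Debug, PartialEq)]
enum WeakSecret {
    TooShort { len: usize },
    TooFewUniqueChars { unique: usize },
    TooFewCharClasses { classes: usize },
}

/// Hypothetical helper: rejects secrets that are long enough but low in variety.
fn check_secret_strength(secret: &str) -> Result<(), WeakSecret> {
    // Length in bytes, since the HMAC key is the secret's byte string.
    let len = secret.len();
    if len < MIN_SECRET_LENGTH {
        return Err(WeakSecret::TooShort { len });
    }
    // A long run of a few repeated characters passes the length check but not this one.
    let unique = secret.chars().collect::<HashSet<char>>().len();
    if unique < MIN_UNIQUE_CHARS {
        return Err(WeakSecret::TooFewUniqueChars { unique });
    }
    // Count which of the four classes appear: lowercase, uppercase, digits, special.
    let present = [
        secret.chars().any(|c| c.is_ascii_lowercase()),
        secret.chars().any(|c| c.is_ascii_uppercase()),
        secret.chars().any(|c| c.is_ascii_digit()),
        secret.chars().any(|c| !c.is_ascii_alphanumeric()),
    ];
    let classes = present.iter().filter(|&&p| p).count();
    if classes < MIN_CHAR_CLASSES {
        return Err(WeakSecret::TooFewCharClasses { classes });
    }
    Ok(())
}

fn main() {
    // Constructed samples; the last is the placeholder from the page's example.
    let samples = ["short", "Xk9#mQ2$vL7!pR4@wZ8%nT5^bH3&cJ6*", "your-secret-key-min-32-chars-long"];
    for s in samples.iter() {
        println!("{:<36} {:?}", s, check_secret_strength(s));
    }
}
```

The placeholder value from the page's example satisfies all three checks here, so checks of this kind catch low-variety secrets, not known or published ones. Generate the real secret from a CSPRNG.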