API Auth

bioinformatics

v1.0
GitHub

Über diesen Skill

Geeigneter Einsatz: inline auth (primary pattern). Lokalisierte Zusammenfassung: MCP server for the NCBI E-utilities API. It covers ai-agents, ai-tools, bioinformatics workflows. Claude Code, Cursor, and Windsurf workflows.

Funktionen

Inline auth (primary pattern)
import { tool } from '@cyanheads/mcp-ts-core';
const myTool = tool('my tool', {
input: z.object({ query: z.string().describe('Search query') }),
output: z.object({ result: z.string().describe('Search result') }),

# Kernthemen

bioinformatics biomedical citations e-utilities model-context-protocol
cyanheads cyanheads
[87]
[21]
Aktualisiert: 4/23/2026

Skill Overview

Start with fit, limitations, and setup before diving into the repository.

Geeigneter Einsatz: inline auth (primary pattern). Lokalisierte Zusammenfassung: MCP server for the NCBI E-utilities API. It covers ai-agents, ai-tools, bioinformatics workflows. Claude Code, Cursor, and Windsurf workflows.

Warum diese Fähigkeit verwenden

Empfehlung: api-auth helps agents inline auth (primary pattern). MCP server for the NCBI E-utilities API. Claude Code, Cursor, and Windsurf workflows.

Am besten geeignet für

Geeigneter Einsatz: inline auth (primary pattern).

Handlungsfähige Anwendungsfälle for API Auth

Anwendungsfall: Inline auth (primary pattern)
Anwendungsfall: import { tool } from '@cyanheads/mcp-ts-core';
Anwendungsfall: const myTool = tool('my tool', {

! Sicherheit & Einschränkungen

  • Einschraenkung: // Only reached if caller has 'tool:my tool:read' scope
  • Einschraenkung: // Continues only if scope is satisfied
  • Einschraenkung: MCP AUTH SECRET KEY Yes (unless bypass) Signing secret for HS256 JWT verification. Must be ≥ 32 characters.

About The Source

The section below is adapted from the upstream repository. Use it as supporting material alongside the fit, use-case, and installation summary on this page.

Labs-Demo

Browser Sandbox Environment

⚡️ Ready to unleash?

Experience this Agent in a zero-setup browser environment powered by WebContainers. No installation required.

Boot Container Sandbox

FAQ und Installationsschritte

These questions and steps mirror the structured data on this page for better search understanding.

? Häufige Fragen

Was ist API Auth?

Geeigneter Einsatz: inline auth (primary pattern). Lokalisierte Zusammenfassung: MCP server for the NCBI E-utilities API. It covers ai-agents, ai-tools, bioinformatics workflows. Claude Code, Cursor, and Windsurf workflows.

Wie installiere ich API Auth?

Führen Sie den Befehl aus: npx killer-skills add cyanheads/pubmed-mcp-server. Er funktioniert mit Cursor, Windsurf, VS Code, Claude Code und mehr als 19 weiteren IDEs.

Wofür kann ich API Auth verwenden?

Wichtige Einsatzbereiche sind: Anwendungsfall: Inline auth (primary pattern), Anwendungsfall: import { tool } from '@cyanheads/mcp-ts-core';, Anwendungsfall: const myTool = tool('my tool', {.

Welche IDEs sind mit API Auth kompatibel?

Dieser Skill ist mit Cursor, Windsurf, VS Code, Trae, Claude Code, OpenClaw, Aider, Codex, OpenCode, Goose, Cline, Roo Code, Kiro, Augment Code, Continue, GitHub Copilot, Sourcegraph Cody, and Amazon Q Developer kompatibel. Nutzen Sie die Killer-Skills CLI für eine einheitliche Installation.

Gibt es Einschränkungen bei API Auth?

Einschraenkung: // Only reached if caller has 'tool:my tool:read' scope. Einschraenkung: // Continues only if scope is satisfied. Einschraenkung: MCP AUTH SECRET KEY Yes (unless bypass) Signing secret for HS256 JWT verification. Must be ≥ 32 characters..

So installieren Sie den Skill

  1. 1. Terminal öffnen

    Öffnen Sie Ihr Terminal oder die Kommandozeile im Projektverzeichnis.

  2. 2. Installationsbefehl ausführen

    Führen Sie aus: npx killer-skills add cyanheads/pubmed-mcp-server. Die CLI erkennt Ihre IDE oder Ihren Agenten automatisch und richtet den Skill ein.

  3. 3. Skill verwenden

    Der Skill ist jetzt aktiv. Ihr KI-Agent kann API Auth sofort im aktuellen Projekt verwenden.

! Source Notes

This page is still useful for installation and source reference. Before using it, compare the fit, limitations, and upstream repository notes above.

Upstream Repository Material

The section below is adapted from the upstream repository. Use it as supporting material alongside the fit, use-case, and installation summary on this page.

Upstream Source

API Auth

MCP server for the NCBI E-utilities API. It covers ai-agents, ai-tools, bioinformatics workflows. Claude Code, Cursor, and

SKILL.md
Readonly
Upstream Repository Material
The section below is adapted from the upstream repository. Use it as supporting material alongside the fit, use-case, and installation summary on this page.
Upstream Source

Overview

The framework handles auth at the handler factory level — tools and resources declare required scopes declaratively, and the framework enforces them before calling the handler. No try/catch or manual scope checking required for the common case.

Inline auth (primary pattern)

Declare required scopes directly on the tool or resource definition via the auth property. The handler factory checks ctx.auth.scopes against these before calling handler.

ts
1import { tool } from '@cyanheads/mcp-ts-core';
2
3const myTool = tool('my_tool', {
4  input: z.object({ query: z.string().describe('Search query') }),
5  output: z.object({ result: z.string().describe('Search result') }),
6  auth: ['tool:my_tool:read'],
7  async handler(input, ctx) {
8    // Only reached if caller has 'tool:my_tool:read' scope
9  },
10});

When MCP_AUTH_MODE=none, auth checks are skipped and defaults are allowed.

Dynamic auth

For runtime-computed scopes (e.g., scopes that depend on input values like a team or resource ID), use checkScopes from @cyanheads/mcp-ts-core/auth inside the handler:

ts
1import { checkScopes } from '@cyanheads/mcp-ts-core/auth';
2
3handler: async (input, ctx) => {
4  checkScopes(ctx, [`team:${input.teamId}:write`]);
5  // Continues only if scope is satisfied
6},

Signature: checkScopes(ctx: Context, requiredScopes: string[]): void

Throws:

  • McpError(Forbidden) — auth is active and one or more required scopes are missing
  • McpError(Unauthorized) — auth is enabled but no auth context exists on the request
  • No-ops when MCP_AUTH_MODE=none

Auth modes

Set via MCP_AUTH_MODE environment variable.

ModeValueBehavior
DisablednoneNo auth enforcement. All requests allowed.
JWTjwtLocal secret verification via MCP_AUTH_SECRET_KEY. Requires explicit DEV_MCP_AUTH_BYPASS=true to bypass in development.
OAuthoauthJWKS verification against an external issuer.

JWT config

VariableRequiredPurpose
MCP_AUTH_SECRET_KEYYes (unless bypass)Signing secret for HS256 JWT verification. Must be ≥ 32 characters.
DEV_MCP_AUTH_BYPASSNoSet to true to skip JWT verification in development. Blocked in NODE_ENV=production.
DEV_MCP_CLIENT_IDNoClient ID injected when bypass is active (default: 'dev-client-id').
DEV_MCP_SCOPESNoComma-separated scopes injected when bypass is active (default: ['dev-scope']).

Important: With MCP_AUTH_MODE=jwt, a missing MCP_AUTH_SECRET_KEY is a fatal startup error unless DEV_MCP_AUTH_BYPASS=true is explicitly set. Setting DEV_MCP_AUTH_BYPASS in production (NODE_ENV=production) is rejected at config parse time.

OAuth config

VariableRequiredPurpose
OAUTH_ISSUER_URLYesToken issuer URL (used for JWKS discovery)
OAUTH_AUDIENCEYesExpected aud claim value
OAUTH_JWKS_URINoOverride JWKS endpoint (defaults to {issuer}/.well-known/jwks.json)
MCP_SERVER_RESOURCE_IDENTIFIERNoRFC 8707 resource indicator URI. When set, the OAuth strategy validates that the token's resource or aud claim matches this value — throws Forbidden on mismatch.

JWT claims mapping

ClaimJWT FieldPurpose
clientIdcid / client_idIdentifies the calling client
scopesscp / scopeSpace-separated list of granted scopes
subsubSubject (user or service identity)
tenantIdtidTenant identifier — drives ctx.state scoping

Endpoints

EndpointProtected
GET /healthzNo
GET /mcpNo
POST /mcpYes (when auth enabled)
OPTIONS /mcpYes (when auth enabled)

CORS: Set MCP_ALLOWED_ORIGINS to a comma-separated list of allowed origins, or * for open access.

Stdio mode: No HTTP auth layer. Authorization is handled entirely by the host process.

Multi-tenancy

ctx.state is automatically scoped to the current tenant — no manual key prefixing needed.

tenantId sources

TransportSourceValue
HTTP with authJWT tid claimAuto-propagated from token
StdioHardcoded default'default'

Tenant ID validation rules

  • Max 128 characters
  • Characters: alphanumeric, hyphens, underscores, dots
  • Must start and end with an alphanumeric character
  • No path traversal sequences (../)
  • No consecutive dots (..)

Using ctx.state

ts
1handler: async (input, ctx) => {
2  // Automatically scoped to ctx.tenantId — no manual prefixing
3  await ctx.state.set('item:123', { name: 'Widget', count: 42 });
4  const item = await ctx.state.get<Item>('item:123');
5  await ctx.state.delete('item:123');
6
7  const page = await ctx.state.list('item:', { cursor, limit: 20 });
8  // page: { items: Array<{ key, value }>, cursor?: string }
9},

ctx.state throws McpError(InvalidRequest) if tenantId is missing. In stdio mode, tenantId defaults to 'default' so ctx.state works without auth.

Auth context shape

Available on ctx.auth inside handlers (when auth is enabled):

ts
1interface AuthContext {
2  clientId: string;        // Required — 'cid' or 'client_id' JWT claim
3  scopes: string[];        // Required — derived from 'scp' or 'scope' claim
4  sub: string;             // Required — 'sub' claim; falls back to clientId when absent
5  token: string;           // Required — raw JWT or OAuth bearer token string
6  tenantId?: string;       // Optional — 'tid' claim; present only for multi-tenant tokens
7}

Access directly for conditional logic:

ts
1handler: async (input, ctx) => {
2  const isAdmin = ctx.auth?.scopes.includes('admin:write') ?? false;
3  // ...
4},

Verwandte Fähigkeiten

Looking for an alternative to API Auth or another community skill for your workflow? Explore these related open-source skills.

Alle anzeigen

openclaw-release-maintainer

Logo of openclaw
openclaw

Lokalisierte Zusammenfassung: 🦞 # OpenClaw Release Maintainer Use this skill for release and publish-time workflow. It covers ai, assistant, crustacean workflows. Claude Code, Cursor, and Windsurf workflows.

333.8k
0
Künstliche Intelligenz

widget-generator

Logo of f
f

Lokalisierte Zusammenfassung: Generate customizable widget plugins for the prompts.chat feed system # Widget Generator Skill This skill guides creation of widget plugins for prompts.chat. It covers ai, artificial-intelligence, awesome-list workflows. Claude Code

149.6k
0
Künstliche Intelligenz

flags

Logo of vercel
vercel

Lokalisierte Zusammenfassung: The React Framework # Feature Flags Use this skill when adding or changing framework feature flags in Next.js internals. It covers blog, browser, compiler workflows. Claude Code, Cursor, and Windsurf workflows.

138.4k
0
Browser

pr-review

Logo of pytorch
pytorch

Lokalisierte Zusammenfassung: Usage Modes No Argument If the user invokes /pr-review with no arguments, do not perform a review. It covers autograd, deep-learning, gpu workflows. Claude Code, Cursor, and Windsurf workflows.

98.6k
0
Entwickler