modelcontextprotocol
diff --git a/‎packages/server-express/README.md‎
Lines changed: 3 additions & 1 deletion b/‎packages/server-express/README.md‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎packages/server-express/package.json‎
Lines changed: 2 additions & 1 deletion b/‎packages/server-express/package.json‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎packages/server-express/src/auth/router.ts‎
Lines changed: 45 additions & 5 deletions b/‎packages/server-express/src/auth/router.ts‎
Lines changed: 45 additions & 5 deletions
diff --git a/‎packages/server-express/test/server/auth/router.test.ts‎
Lines changed: 30 additions & 0 deletions b/‎packages/server-express/test/server/auth/router.test.ts‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎packages/server/src/server/auth/handlers/authorize.ts‎
Lines changed: 3 additions & 34 deletions b/‎packages/server/src/server/auth/handlers/authorize.ts‎
Lines changed: 3 additions & 34 deletions
diff --git a/‎packages/server/src/server/auth/handlers/register.ts‎
Lines changed: 2 additions & 50 deletions b/‎packages/server/src/server/auth/handlers/register.ts‎
Lines changed: 2 additions & 50 deletions
diff --git a/‎packages/server/src/server/auth/handlers/revoke.ts‎
Lines changed: 3 additions & 48 deletions b/‎packages/server/src/server/auth/handlers/revoke.ts‎
Lines changed: 3 additions & 48 deletions
@@ -60,7 +60,9 @@ app.use(express.json());
 app.use(
   mcpAuthRouter({
     provider,
-    issuerUrl: new URL('https://auth.example.com')
+    issuerUrl: new URL('https://auth.example.com'),
+    // Optional rate limiting (implemented via express-rate-limit)
+    rateLimit: { windowMs: 60_000, max: 60 }
   })
 );
 ```
 
@@ -43,7 +43,8 @@
     },
     "dependencies": {
         "@modelcontextprotocol/server": "workspace:^",
-        "express": "catalog:runtimeServerOnly"
+        "express": "catalog:runtimeServerOnly",
+        "express-rate-limit": "catalog:runtimeServerOnly"
     },
     "devDependencies": {
         "@modelcontextprotocol/tsconfig": "workspace:^",
 
@@ -3,9 +3,14 @@ import { Readable } from 'node:stream';
 import { URL } from 'node:url';
 
 import type { AuthMetadataOptions, AuthRouterOptions, WebHandlerContext } from '@modelcontextprotocol/server';
-import { mcpAuthMetadataRouter as createWebAuthMetadataRouter, mcpAuthRouter as createWebAuthRouter } from '@modelcontextprotocol/server';
+import {
+    mcpAuthMetadataRouter as createWebAuthMetadataRouter,
+    mcpAuthRouter as createWebAuthRouter,
+    TooManyRequestsError
+} from '@modelcontextprotocol/server';
 import type { RequestHandler, Response as ExpressResponse } from 'express';
 import express from 'express';
+import { rateLimit } from 'express-rate-limit';
 
 type ExpressRequestLike = IncomingMessage & {
     method: string;
@@ -112,11 +117,23 @@ async function writeWebResponse(res: ExpressResponse, webResponse: Response): Pr
 
 function toHandlerContext(req: ExpressRequestLike): WebHandlerContext {
     return {
-        parsedBody: req.body,
-        clientAddress: req.ip
+        parsedBody: req.body
     };
 }
 
+export type ExpressAuthRateLimitOptions =
+    | false
+    | {
+          /**
+           * Window size in ms (default: 60s)
+           */
+          windowMs?: number;
+          /**
+           * Max requests per window per client (default: 60)
+           */
+          max?: number;
+      };
+
 /**
  * Express router adapter for the Web-standard `mcpAuthRouter` from `@modelcontextprotocol/server`.
  *
@@ -126,12 +143,34 @@ function toHandlerContext(req: ExpressRequestLike): WebHandlerContext {
  * app.use(mcpAuthRouter(...))
  * ```
  */
-export function mcpAuthRouter(options: AuthRouterOptions): RequestHandler {
+export function mcpAuthRouter(options: AuthRouterOptions & { rateLimit?: ExpressAuthRateLimitOptions }): RequestHandler {
     const web = createWebAuthRouter(options);
     const router = express.Router();
 
+    const rateLimitOptions = options.rateLimit;
+    const limiter =
+        rateLimitOptions === false
+            ? undefined
+            : rateLimit({
+                  windowMs: rateLimitOptions?.windowMs ?? 60_000,
+                  max: rateLimitOptions?.max ?? 60,
+                  standardHeaders: true,
+                  legacyHeaders: false,
+                  handler: (_req, res) => {
+                      const err = new TooManyRequestsError('Too many requests');
+                      res.status(429).json(err.toResponseObject());
+                  }
+              });
+
+    const isRateLimitedPath = (path: string): boolean =>
+        path === '/authorize' || path === '/token' || path === '/register' || path === '/revoke';
+
     for (const route of web.routes) {
-        router.all(route.path, async (req, res, next) => {
+        const handlers: RequestHandler[] = [];
+        if (limiter && isRateLimitedPath(route.path)) {
+            handlers.push(limiter);
+        }
+        handlers.push(async (req, res, next) => {
             try {
                 const parsedBodyProvided = (req as ExpressRequestLike).body !== undefined;
                 const webReq = await expressToWebRequest(req as ExpressRequestLike, parsedBodyProvided);
@@ -141,6 +180,7 @@ export function mcpAuthRouter(options: AuthRouterOptions): RequestHandler {
                 next(err);
             }
         });
+        router.all(route.path, ...handlers);
     }
 
     return router;
 
@@ -325,6 +325,36 @@ describe('MCP Auth Router', () => {
             expect(response.status).not.toBe(404);
         });
 
+        it('applies rate limiting to token endpoint (express-rate-limit)', async () => {
+            // Fresh app with a very low rate limit so we can trigger it deterministically
+            const limitedApp = express();
+            const options = {
+                provider: mockProvider,
+                issuerUrl: new URL('https://auth.example.com'),
+                rateLimit: { windowMs: 60_000, max: 1 }
+            } as const;
+            limitedApp.use(mcpAuthRouter(options));
+
+            const first = await supertest(limitedApp).post('/token').type('form').send({
+                client_id: 'valid-client',
+                client_secret: 'valid-secret',
+                grant_type: 'authorization_code',
+                code: 'valid_code',
+                code_verifier: 'valid_verifier'
+            });
+            expect(first.status).not.toBe(404);
+
+            const second = await supertest(limitedApp).post('/token').type('form').send({
+                client_id: 'valid-client',
+                client_secret: 'valid-secret',
+                grant_type: 'authorization_code',
+                code: 'valid_code',
+                code_verifier: 'valid_verifier'
+            });
+            expect(second.status).toBe(429);
+            expect(second.body).toEqual(expect.objectContaining({ error: 'too_many_requests' }));
+        });
+
         it('routes to registration endpoint', async () => {
             const response = await supertest(app)
                 .post('/register')
 
@@ -1,17 +1,12 @@
-import { InvalidClientError, InvalidRequestError, OAuthError, ServerError, TooManyRequestsError } from '@modelcontextprotocol/core';
+import { InvalidClientError, InvalidRequestError, OAuthError, ServerError } from '@modelcontextprotocol/core';
 import * as z from 'zod/v4';
 
 import type { OAuthServerProvider } from '../provider.js';
 import type { WebHandler } from '../web.js';
-import { getClientAddress, getParsedBody, InMemoryRateLimiter, jsonResponse, methodNotAllowedResponse, noStoreHeaders } from '../web.js';
+import { getParsedBody, jsonResponse, methodNotAllowedResponse, noStoreHeaders } from '../web.js';
 
 export type AuthorizationHandlerOptions = {
     provider: OAuthServerProvider;
-    /**
-     * Rate limiting configuration for the authorization endpoint.
-     * Set to false to disable rate limiting for this endpoint.
-     */
-    rateLimit?: Partial<{ windowMs: number; max: number }> | false;
 };
 
 // Parameters that must be validated in order to issue redirects.
@@ -33,36 +28,10 @@ const RequestAuthorizationParamsSchema = z.object({
     resource: z.string().url().optional()
 });
 
-export function authorizationHandler({ provider, rateLimit: rateLimitConfig }: AuthorizationHandlerOptions): WebHandler {
-    const limiter =
-        rateLimitConfig === false
-            ? undefined
-            : new InMemoryRateLimiter({
-                  windowMs: rateLimitConfig?.windowMs ?? 15 * 60 * 1000,
-                  max: rateLimitConfig?.max ?? 100
-              });
-
+export function authorizationHandler({ provider }: AuthorizationHandlerOptions): WebHandler {
     return async (req, ctx) => {
         const noStore = noStoreHeaders();
 
-        // Rate limit by client address where possible (best-effort).
-        if (limiter) {
-            const key = `${getClientAddress(req, ctx) ?? 'global'}:authorize`;
-            const rl = limiter.consume(key);
-            if (!rl.allowed) {
-                return jsonResponse(
-                    new TooManyRequestsError('You have exceeded the rate limit for authorization requests').toResponseObject(),
-                    {
-                        status: 429,
-                        headers: {
-                            ...noStore,
-                            ...(rl.retryAfterSeconds ? { 'Retry-After': String(rl.retryAfterSeconds) } : {})
-                        }
-                    }
-                );
-            }
-        }
-
         if (req.method !== 'GET' && req.method !== 'POST') {
             const resp = methodNotAllowedResponse(req, ['GET', 'POST']);
             const body = await resp.text();
 
@@ -1,26 +1,11 @@
 import crypto from 'node:crypto';
 
 import type { OAuthClientInformationFull } from '@modelcontextprotocol/core';
-import {
-    InvalidClientMetadataError,
-    OAuthClientMetadataSchema,
-    OAuthError,
-    ServerError,
-    TooManyRequestsError
-} from '@modelcontextprotocol/core';
+import { InvalidClientMetadataError, OAuthClientMetadataSchema, OAuthError, ServerError } from '@modelcontextprotocol/core';
 
 import type { OAuthRegisteredClientsStore } from '../clients.js';
 import type { WebHandler } from '../web.js';
-import {
-    corsHeaders,
-    corsPreflightResponse,
-    getClientAddress,
-    getParsedBody,
-    InMemoryRateLimiter,
-    jsonResponse,
-    methodNotAllowedResponse,
-    noStoreHeaders
-} from '../web.js';
+import { corsHeaders, corsPreflightResponse, getParsedBody, jsonResponse, methodNotAllowedResponse, noStoreHeaders } from '../web.js';
 
 export type ClientRegistrationHandlerOptions = {
     /**
@@ -35,13 +20,6 @@ export type ClientRegistrationHandlerOptions = {
      */
     clientSecretExpirySeconds?: number;
 
-    /**
-     * Rate limiting configuration for the client registration endpoint.
-     * Set to false to disable rate limiting for this endpoint.
-     * Registration endpoints are particularly sensitive to abuse and should be rate limited.
-     */
-    rateLimit?: Partial<{ windowMs: number; max: number }> | false;
-
     /**
      * Whether to generate a client ID before calling the client registration endpoint.
      *
@@ -55,21 +33,12 @@ const DEFAULT_CLIENT_SECRET_EXPIRY_SECONDS = 30 * 24 * 60 * 60; // 30 days
 export function clientRegistrationHandler({
     clientsStore,
     clientSecretExpirySeconds = DEFAULT_CLIENT_SECRET_EXPIRY_SECONDS,
-    rateLimit: rateLimitConfig,
     clientIdGeneration = true
 }: ClientRegistrationHandlerOptions): WebHandler {
     if (!clientsStore.registerClient) {
         throw new Error('Client registration store does not support registering clients');
     }
 
-    const limiter =
-        rateLimitConfig === false
-            ? undefined
-            : new InMemoryRateLimiter({
-                  windowMs: rateLimitConfig?.windowMs ?? 60 * 60 * 1000,
-                  max: rateLimitConfig?.max ?? 20
-              });
-
     const cors = {
         allowOrigin: '*',
         allowMethods: ['POST', 'OPTIONS'],
@@ -92,23 +61,6 @@ export function clientRegistrationHandler({
             });
         }
 
-        if (limiter) {
-            const key = `${getClientAddress(req, ctx) ?? 'global'}:register`;
-            const rl = limiter.consume(key);
-            if (!rl.allowed) {
-                return jsonResponse(
-                    new TooManyRequestsError('You have exceeded the rate limit for client registration requests').toResponseObject(),
-                    {
-                        status: 429,
-                        headers: {
-                            ...baseHeaders,
-                            ...(rl.retryAfterSeconds ? { 'Retry-After': String(rl.retryAfterSeconds) } : {})
-                        }
-                    }
-                );
-            }
-        }
-
         try {
             const rawBody = await getParsedBody(req, ctx);
             const parseResult = OAuthClientMetadataSchema.safeParse(rawBody);
 
@@ -1,47 +1,19 @@
-import {
-    InvalidRequestError,
-    OAuthError,
-    OAuthTokenRevocationRequestSchema,
-    ServerError,
-    TooManyRequestsError
-} from '@modelcontextprotocol/core';
+import { InvalidRequestError, OAuthError, OAuthTokenRevocationRequestSchema, ServerError } from '@modelcontextprotocol/core';
 
 import { authenticateClient } from '../middleware/clientAuth.js';
 import type { OAuthServerProvider } from '../provider.js';
 import type { WebHandler } from '../web.js';
-import {
-    corsHeaders,
-    corsPreflightResponse,
-    getClientAddress,
-    getParsedBody,
-    InMemoryRateLimiter,
-    jsonResponse,
-    methodNotAllowedResponse,
-    noStoreHeaders
-} from '../web.js';
+import { corsHeaders, corsPreflightResponse, getParsedBody, jsonResponse, methodNotAllowedResponse, noStoreHeaders } from '../web.js';
 
 export type RevocationHandlerOptions = {
     provider: OAuthServerProvider;
-    /**
-     * Rate limiting configuration for the token revocation endpoint.
-     * Set to false to disable rate limiting for this endpoint.
-     */
-    rateLimit?: Partial<{ windowMs: number; max: number }> | false;
 };
 
-export function revocationHandler({ provider, rateLimit: rateLimitConfig }: RevocationHandlerOptions): WebHandler {
+export function revocationHandler({ provider }: RevocationHandlerOptions): WebHandler {
     if (!provider.revokeToken) {
         throw new Error('Auth provider does not support revoking tokens');
     }
 
-    const limiter =
-        rateLimitConfig === false
-            ? undefined
-            : new InMemoryRateLimiter({
-                  windowMs: rateLimitConfig?.windowMs ?? 15 * 60 * 1000,
-                  max: rateLimitConfig?.max ?? 50
-              });
-
     const cors = {
         allowOrigin: '*',
         allowMethods: ['POST', 'OPTIONS'],
@@ -64,23 +36,6 @@ export function revocationHandler({ provider, rateLimit: rateLimitConfig }: Revo
             });
         }
 
-        if (limiter) {
-            const key = `${getClientAddress(req, ctx) ?? 'global'}:revoke`;
-            const rl = limiter.consume(key);
-            if (!rl.allowed) {
-                return jsonResponse(
-                    new TooManyRequestsError('You have exceeded the rate limit for token revocation requests').toResponseObject(),
-                    {
-                        status: 429,
-                        headers: {
-                            ...baseHeaders,
-                            ...(rl.retryAfterSeconds ? { 'Retry-After': String(rl.retryAfterSeconds) } : {})
-                        }
-                    }
-                );
-            }
-        }
-
         try {
             const rawBody = await getParsedBody(req, ctx);
             const parseResult = OAuthTokenRevocationRequestSchema.safeParse(rawBody);