Authentication guides
Everything about authenticating mcptest to a protected MCP server lives in this directory. The guiding rule across all five pages: secrets never live in the YAML. A suite names an environment variable; mcptest resolves it at run time and redacts it from every reporter.
Route by the task in front of you:
| You want to | Read |
|---|---|
| Log in to an OAuth-protected server for the first time, or pick the right auth shape for a transport (bearer, OAuth, custom headers) | Authentication, the authoritative reference for the whole auth surface |
| Understand how cached tokens are refreshed, where the token cache lives on disk, and what happens on a 401 | OAuth access token auto-refresh |
| Wire auth into a test suite's YAML (auth: blocks, bearer_token_env, per-server credentials in multi-server suites) | Auth in tests |
| Score a server against the spec's auth-hardening checks (issuer binding, DCR, token audience) | Auth-hardening conformance |
| Authenticate from CI, a coding agent, or any environment with no browser | Headless auth |
If you are not sure where to start, start with Authentication; its decision tree routes you by transport and deployment, and it links the other four pages where they go deeper.
Related, outside this directory: URL targets for pointing a suite at an HTTP server in the first place, and secret redaction for how reporters keep resolved credentials out of logs.