Alpic supports both public and OAuth protected MCP servers. Servers deployed on Alpic are public by default. You can check at any time whether your server environment is public or protected from the Settings tab in your project page. If you’d like to protect your MCP server using OAuth, use the following instructions.
Alpic supports OAuth 2.1 DCR. If you’re not using an OAuth 2.1 IdP with DCR, you can rely on Alpic’s Dynamic Client Registration proxy to handle the complexity associated with multiple OAuth clients registering to use your IdP.

Protect your MCP server with OAuth

Using an OAuth 2.1 compatible Identity Providers (IdP)

If you’re already using an OAuth 2.1 identity provider with Dynamic Client Registration (DCR), you simply need to configure your MCP server to advertise your IdP through OAuth metadata endpoints. The easiest way to do so is to rely on existing SDK helpers to provide such configuration on your server: 
import { mcpAuthMetadataRouter } from "@modelcontextprotocol/sdk/server/auth/router.js";

//...

app.use(
  mcpAuthMetadataRouter({
    oauthMetadata: {
      authorization_endpoint: "https://my-idp.com/oauth2/authorize",
      token_endpoint: "https://my-idp.com/oauth2/token",
      registration_endpoint: "https://my-idp.com/oauth2/register",
      response_types_supported: ["code"],
      issuer: "http://localhost:3000",
    },
    resourceServerUrl: new URL("http://localhost:3000"),
  })
);

app.listen(3000);
After deploying a new version of your MCP server on Alpic with such a configuration, you should see your server as protected in the Settings tab of your project page.

Using an OAuth 2.0 compatible Identity Provider (IdP)

If you’re not using an OAuth 2.1 IdP with DCR, you can rely on Alpic’s Dynamic Client Registration proxy to handle the complexity associated with multiple OAuth clients registering to use your IdP. In order to leverage Alpic’s DCR proxy feature, you should configure your MCP server to advertise your IdP through OAuth metadata endpoints without mentioning a registration_endpoint property. The easiest way to do so is to rely on existing SDK helpers to provide such configuration on your server: 
import { mcpAuthMetadataRouter } from "@modelcontextprotocol/sdk/server/auth/router.js";

//...

app.use(
  mcpAuthMetadataRouter({
    oauthMetadata: {
      authorization_endpoint: "https://my-idp.com/oauth2/authorize",
      token_endpoint: "https://my-idp.com/oauth2/token",
      response_types_supported: ["code"],
      issuer: "http://localhost:3000",
    },
    resourceServerUrl: new URL("http://localhost:3000"),
  })
);

app.listen(3000);
After deploying a new version of your MCP server on Alpic with such a configuration, check that your server is protected in the Settings tab of your project page. You’ll also see an option to activate Alpic DCR. In order to activate DCR, you should create a single OAuth client on your IdP. This client will be the one proxied by Alpic for every request users make to identify on your MCP server. Make sure to choose a generic enough name in case it’s displayed during the authentication process. The callback URL to use for this client is specified by Alpic when activating DCR. Please fill-in the activation form with newly created OAuth client ID, secret and scopes to complete the DCR proxy setup.

Protect your MCP server with API Key

Alpic also supports API key Authentication via the x-api-key header. You can get the value of the api key headers in your tool callback via the extra parameters: 

server.tool(
    "greet",
    "A simple greeting tool",
    {
      name: z.string().describe("Name to greet"),
    },
    async (
      args: { name: string },
      extra: RequestHandlerExtra<ServerRequest, ServerNotification>,
    ): Promise<CallToolResult> => {
      const apiKey = extra.requestInfo?.headers["x-api-key"];
      if (!apiKey) {
        return {
          content: [
            isError: true,
            {
              type: "text",
              text: `You need to have a valid api key to use this tool.`,
            },
          ],
        };
      }
      const yourApiClient = new yourApiClient(apiKey);
      const yourApiResponse = await yourApiClient.greet(name);
      return {
        content: [
          {
            type: "text",
            text: `${yourApiResponse}`,
          },
        ],
      };
    },
  );
You can then instruct your users to add this custom headers when adding your MCP server to their MCP Client. 
{
  "mcpServers": {
    "yourMcpServer": {
      "url": "https://your-mcp-server.alpic.live",
      "headers": {
        "x-api-key": "<USER_API_KEY>"
      }
    }
  }
}