chore(keycardai-mcp): rename and test verifier

Author: kamil-keycard

justfile

@@ -9,11 +9,8 @@ build:
 
 # Run tests for all packages
 test: build
-    just test-oauth
-
-# Run tests for OAuth package
-test-oauth:
-    cd packages/oauth && uv run --extra test pytest tests/ -v
+    just test-package oauth
+    just test-package mcp
 
 # Run tests for a specific package
 test-package PACKAGE:

packages/mcp/pyproject.toml

@@ -8,7 +8,7 @@ license = { text = "MIT" }
 authors = [{ name = "KeyCard AI", email = "support@keycard.ai" }]
 dependencies = [
     "keycardai-oauth",
-    "mcp>=1.13.1",
+    "mcp==1.14.0",
     "pydantic>=2.11.7",
 ]
 keywords = ["mcp", "model-context-protocol", "authentication", "authorization", "ai", "llm"]
@@ -28,6 +28,13 @@ classifiers = [
     "License :: OSI Approved :: MIT License",
 ]
 
+[project.optional-dependencies]
+test = [
+    "pytest>=8.4.1",
+    "pytest-asyncio>=1.1.0",
+    "pytest-cov>=6.2.1",
+]
+
 [project.urls]
 Homepage = "https://github.com/keycardai/python-sdk"
 Repository = "https://github.com/keycardai/python-sdk"

packages/mcp/src/keycardai/mcp/server/auth/__init__.py

@@ -1,4 +1,4 @@
-from .provider import AccessContext, KeycardAuthProvider
-from .verifier import KeycardTokenVerifier
+from .provider import AccessContext, AuthProvider
+from .verifier import TokenVerifier
 
-__all__ = ["KeycardAuthProvider", "AccessContext", "KeycardTokenVerifier"]
+__all__ = ["AuthProvider", "AccessContext", "TokenVerifier"]

packages/mcp/src/keycardai/mcp/server/auth/provider.py

@@ -11,7 +11,7 @@
 from keycardai.oauth import AsyncClient, AuthStrategy, Client, ClientConfig, NoneAuth
 from keycardai.oauth.types.models import TokenResponse
 
-from .verifier import KeycardTokenVerifier
+from .verifier import TokenVerifier
 
 
 class AccessContext:
@@ -41,17 +41,17 @@ def access(self, resource: str) -> TokenResponse:
             raise KeyError(f"Resource '{resource}' not granted. Available resources: {list(self._access_tokens.keys())}")
         return self._access_tokens[resource]
 
-class KeycardAuthProvider:
+class AuthProvider:
     """KeyCard authentication provider with token exchange capabilities.
 
     This provider handles both authentication (token verification) and authorization
     (token exchange for resource access) in MCP servers.
 
     Example:
         ```python
-        from keycardai.mcp.server import KeycardAuthProvider
+        from keycardai.mcp.server import AuthProvider
 
-        provider = KeycardAuthProvider(
+        provider = AuthProvider(
             zone_url="https://abc1234.keycard.cloud",
             mcp_server_name="My MCP Server"
         )
@@ -68,7 +68,6 @@ def __init__(self,
         mcp_server_name: str | None = None,
         required_scopes: list[str] | None = None,
         mcp_server_url: AnyHttpUrl | str | None = None,
-        client_name: str | None = None,
         auth: AuthStrategy = NoneAuth):
         """Initialize the KeyCard auth provider.
 
@@ -77,13 +76,13 @@ def __init__(self,
             mcp_server_name: Human-readable name for the MCP server
             required_scopes: Required scopes for token validation
             mcp_server_url: Resource server URL (defaults to server URL)
-            client_name: OAuth client name for registration (defaults to mcp_server_name)
+            auth: Authentication strategy for OAuth operations
         """
         self.zone_url = zone_url
         self.mcp_server_name = mcp_server_name
         self.required_scopes = required_scopes
         self.mcp_server_url = mcp_server_url
-        self.client_name = client_name or mcp_server_name or "MCP Server OAuth Client"
+        self.client_name = mcp_server_name or "MCP Server OAuth Client"
 
         self._client: AsyncClient | None = None
         self._init_lock: asyncio.Lock | None = None
@@ -135,11 +134,11 @@ def get_auth_settings(self) -> AuthSettings:
             }
         )
 
-    def get_token_verifier(self) -> KeycardTokenVerifier:
+    def get_token_verifier(self) -> TokenVerifier:
         """Get a token verifier for the MCP server."""
         with Client(self.zone_url) as client:
             jwks_uri = client.discover_server_metadata().jwks_uri
-        return KeycardTokenVerifier(
+        return TokenVerifier(
             required_scopes=self.required_scopes,
             issuer=self.zone_url,
             jwks_uri=jwks_uri,

packages/mcp/src/keycardai/mcp/server/auth/verifier.py

@@ -2,7 +2,6 @@
 from typing import Any
 
 from mcp.server.auth.provider import AccessToken
-from mcp.server.auth.settings import AuthSettings
 
 from keycardai.oauth.utils.jwt import (
     get_header,
@@ -13,12 +12,12 @@
 from ._cache import JWKSCache, JWKSKey
 
 
-class KeycardTokenVerifier:
+class TokenVerifier:
     """Token verifier for KeyCard zone-issued tokens."""
 
     def __init__(
         self,
-        issuer: str | None = None,
+        issuer: str,
         required_scopes: list[str] | None = None,
         jwks_uri: str | None = None,
         allowed_algorithms: list[str] = None,
@@ -27,12 +26,14 @@ def __init__(
         """Initialize the KeyCard token verifier.
 
         Args:
-            issuer: Expected token issuer
+            issuer: Expected token issuer (required)
             required_scopes: Required scopes for token validation
             jwks_uri: JWKS endpoint URL for key fetching
             allowed_algorithms: JWT algorithms (default RS256)
             cache_ttl: JWKS cache TTL in seconds (default 300 = 5 minutes)
         """
+        if not issuer:
+            raise ValueError("Issuer is required for token verification")
         if allowed_algorithms is None:
             allowed_algorithms = ["RS256"]
         self.issuer = issuer
@@ -61,7 +62,10 @@ async def _get_verification_key(self, token: str) -> JWKSKey:
         verification_key = await get_verification_key(token, self.jwks_uri)
 
         self._jwks_cache.set_key(kid, verification_key, algorithm)
-        return self._jwks_cache.get_key(kid)
+        cached_key = self._jwks_cache.get_key(kid)
+        if cached_key is None:
+            raise ValueError("Failed to cache verification key")
+        return cached_key
 
     def clear_cache(self) -> None:
         """Clear the JWKS key cache."""
@@ -105,7 +109,7 @@ async def verify_token(self, token: str) -> AccessToken | None:
             if jwt_access_token.exp < time.time():
                 return None
 
-            if self.issuer and jwt_access_token.iss != self.issuer:
+            if jwt_access_token.iss != self.issuer:
                 return None
 
             if self.required_scopes:
@@ -132,17 +136,3 @@ async def verify_token(self, token: str) -> AccessToken | None:
         except Exception:
             return None
 
-
-def get_token_verifier(auth_settings: AuthSettings) -> KeycardTokenVerifier:
-    """Get a token verifier for the MCP server.
-
-    Creates a token verifier with JWKS support for cryptographic signature verification
-    and configurable key caching.
-    """
-    return KeycardTokenVerifier(
-        required_scopes=auth_settings.required_scopes,
-        issuer=str(auth_settings.issuer_url).rstrip("/"),
-        jwks_uri=getattr(auth_settings, "jwks_uri", None),
-        algorithm=getattr(auth_settings, "algorithm", "RS256"),
-        cache_ttl=getattr(auth_settings, "cache_ttl", 300),
-    )