feat: Add MCP authentication command with OAuth and API key support by HautlyS · Pull Request #4389 · NousResearch/hermes-agent

HautlyS · 2026-04-01T02:14:33Z

Summary

This PR adds a unified authentication flow for MCP (Model Context Protocol) servers that require OAuth 2.1 PKCE or API key authentication. The command works identically across all Hermes channels: CLI, Telegram, Discord, WhatsApp, Slack, and more.

Features

CLI Command

hermes mcp auth              # Authenticate all servers needing auth
hermes mcp                   # List servers with auth status (includes hint)

Gateway Commands

/mcp              # List MCP servers and their authentication status
/mcp auth         # Authenticate all servers needing OAuth or API keys

How It Works

OAuth Authentication

Detects servers with auth: oauth lacking stored tokens
Initiates OAuth 2.1 PKCE flow using MCP SDK's OAuthClientProvider
Opens browser for user authorization
Exchanges authorization code for tokens
Stores tokens securely in ~/.hermes/mcp-tokens/

API Key Authentication

Detects headers with env var interpolation: Authorization: Bearer ${MCP_SERVER_API_KEY}
Checks if environment variable is set
Prompts for API key (hidden input)
Stores in ~/.hermes/.env

Configuration Examples

OAuth Server

mcp_servers:
  supabase:
    url: https://mcp.supabase.com/mcp
    auth: oauth

API Key Server

mcp_servers:
  my-api:
    url: https://api.example.com/mcp
    headers:
      Authorization: Bearer ${MCP_MY_API_API_KEY}

Implementation

Files Changed

File	Changes	Description
`hermes_cli/mcp_config.py`	+129 lines	Auth command implementation
`gateway/run.py`	+66 lines	Gateway command handler
`hermes_cli/main.py`	+2 lines	CLI argument parser
`tests/hermes_cli/test_mcp_auth.py`	+350 lines	Comprehensive test suite
`docs/mcp-authentication.md`	+200 lines	Full documentation
`CHANGELOG.md`	+50 lines	Changelog entry

Code Architecture

cmd_mcp_auth()
├── Detects servers needing auth
│   ├── OAuth servers (no token file)
│   └── Header servers (unset env vars)
├── _do_oauth_auth()
│   └── build_oauth_auth() → browser flow
└── _do_header_auth()
    └── _prompt() → save_env_value()

Testing

Comprehensive test suite with 28 tests covering:

Unit tests: Auth detection, OAuth flow, header auth
Integration tests: Dispatcher registration, help output
Gateway tests: Command dispatch, subcommand handling
Edge cases: Mixed server types, invalid configs, user cancellation

# Run tests
pytest tests/hermes_cli/test_mcp_auth.py -v

Security

Token Storage: OAuth tokens stored with 0600 permissions
API Key Masking: Sensitive values masked in output (e.g., sk-***1234)
Environment Variables: API keys stored in .env (git-ignored)
OAuth Callback: Uses localhost (127.0.0.1) for redirect

Documentation

User Guide: docs/mcp-authentication.md
Inline Help: Updated hermes mcp help text
Changelog: CHANGELOG.md
Code Comments: Comprehensive docstrings

Testing Done

✅ Syntax validation (py_compile)
✅ CLI command execution (hermes mcp auth)
✅ Gateway command logic verified
✅ All modified files compile without errors
✅ Test file syntax validated

Screenshots

CLI Output

$ hermes mcp auth

  Servers needing authentication:

  supabase             OAuth 2.1 PKCE

  Authenticating 'supabase'...
  Opening browser for OAuth authorization...
  ✓ OAuth flow initiated for 'supabase'
  Check your browser to complete authorization

✓ Authentication complete. Start a new session to use these servers.

Gateway Output

User: /mcp

Bot: MCP Servers:

  Name             Transport                      Tools        Status
  ──────────────── ────────────────────────────── ──────────── ──────────
  supabase         https://mcp.supabase.com/mcp   all          ✓ enabled
  chrome-devtools  npx -y chrome-devtools-mc...   all          ✓ enabled

  💡 Use /mcp auth to authenticate servers

Breaking Changes

None. This is a new feature that doesn't affect existing functionality.

Related Issues

Addresses authentication workflow for MCP servers
Related to MCP server management and OAuth 2.1 support

Checklist

🤖 Generated with Claude Code assistance

Add unified authentication flow for MCP servers requiring OAuth 2.1 PKCE or API key authentication. Works across all channels (CLI, Telegram, Discord, WhatsApp, Slack, etc.). Features: - `hermes mcp auth` CLI command for authenticating servers - `/mcp` and `/mcp auth` gateway commands - Automatic detection of servers needing authentication - OAuth 2.1 PKCE browser flow with secure token storage - API key prompting with secure .env storage - Comprehensive test suite (28 tests) - Full documentation Implementation: - Add cmd_mcp_auth() to hermes_cli/mcp_config.py - Add _handle_mcp_command() to gateway/run.py - Add 'auth' subcommand to hermes mcp CLI - Token storage in ~/.hermes/mcp-tokens/ with 0600 permissions - Environment variable interpolation for API key headers Files changed: - hermes_cli/mcp_config.py: +129 lines (auth command implementation) - gateway/run.py: +66 lines (gateway command handler) - hermes_cli/main.py: +2 lines (CLI argument parser) - tests/hermes_cli/test_mcp_auth.py: +350 lines (test suite) - docs/mcp-authentication.md: +200 lines (documentation) - CHANGELOG.md: +50 lines (changelog entry) Closes: Authentication workflow for MCP servers Related: MCP server management, OAuth 2.1, API key management

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: Add MCP authentication command with OAuth and API key support#4389

feat: Add MCP authentication command with OAuth and API key support#4389
HautlyS wants to merge 1 commit intoNousResearch:mainfrom
HautlyS:feature/mcp-auth-command

HautlyS commented Apr 1, 2026

Labels

1 participant

Conversation