Documentation Index
Fetch the complete documentation index at: https://docs.kontext.security/llms.txt
Use this file to discover all available pages before exploring further.
Kontext
import { Kontext } from "@kontext-dev/js-sdk/server";
const kontext = new Kontext({ clientId: "mcp_your-server" });
app.use(kontext.middleware(() => createServer()));
Kontext class is the entry point for the server SDK. See Server SDK for the full usage guide.
KontextOptions
Configuration for the Kontext constructor.
interface KontextOptions {
clientId: string;
apiUrl?: string;
clientSecret?: string;
tokenIssuer?: string | string[];
}
| Option | Type | Default | Description |
|---|
clientId | string | — | Your MCP server’s OAuth client ID. |
apiUrl | string? | "https://api.kontext.security" | Kontext API base URL. |
clientSecret | string? | KONTEXT_CLIENT_SECRET env | Client secret for server-side token exchange. |
tokenIssuer | string | string[]? | KONTEXT_TOKEN_ISSUER env | Expected token issuer(s) for verification. |
MiddlewareOptions
Options passed to kontext.middleware().
interface MiddlewareOptions {
mcpPath?: string;
resourceServerUrl?: string;
dangerouslyOmitAuth?: boolean;
verifier?: OAuthTokenVerifier;
metadataTransform?: (metadata: OAuthMetadata) => OAuthMetadata;
onSessionInitialized?: (sessionId: string, authInfo?: AuthInfo, transport?: StreamableHTTPServerTransport) => void;
onSessionClosed?: (sessionId: string) => void;
bodyLimit?: string | number;
}
| Option | Type | Default | Description |
|---|
mcpPath | string? | "/mcp" | Path for the MCP transport endpoint. |
resourceServerUrl | string? | Auto-detected | Public URL of your server. Required when behind a reverse proxy. |
dangerouslyOmitAuth | boolean? | false | Skip token verification. Development only. |
verifier | OAuthTokenVerifier? | Built-in JWKS | Custom token verification logic. |
metadataTransform | (metadata) => metadata | — | Rewrite OAuth metadata URLs for proxy/gateway setups. |
onSessionInitialized | (sessionId, authInfo, transport) => void | — | Called when a new MCP session starts. |
onSessionClosed | (sessionId) => void | — | Called when a session disconnects. |
bodyLimit | string | number? | "1mb" | Maximum request body size. |
Methods
kontext.require()
Exchange either a Kontext user access token or a known external end-user ID for an integration credential.
kontext.require(integration: string, token: string): Promise<IntegrationCredential>
kontext.require(integration: string, options: { userId: string }): Promise<IntegrationCredential>
token overload when your MCP handler already has the authenticated user’s Kontext access token.
Use the { userId } overload when your confidential server has external-auth mappings configured and already knows the caller’s external subject ID. This is the hard-cutover path for credential vault and shared server_token integrations.
Both overloads throw IntegrationConnectionRequiredError when the integration is not connected. In { userId } mode, the error does not include a connectUrl because the SDK does not have a bearer token it can use to create a user-facing connect session. See Credentials.
kontext.requireCredentials()
Resolve per-user credentials for internal integrations that use credential schemas instead of OAuth.
kontext.requireCredentials(integration: string, token: string): Promise<IntegrationResolvedCredentials>
kontext.middleware()
Create an Express router with OAuth metadata, MCP transport, and authentication.
kontext.middleware(server: McpServer | (() => McpServer), options?: MiddlewareOptions): Router
() => McpServer for concurrent session support. See Middleware.
kontext.destroy()
Clean up sessions and resources. Call this on shutdown in serverless environments.
kontext.destroy(): Promise<void>
IntegrationCredential
Returned by kontext.require().
interface IntegrationCredential {
accessToken: string;
tokenType: string;
authorization: string;
expiresIn?: number;
scope?: string;
integration: string;
}
| Field | Type | Description |
|---|
accessToken | string | Raw access token for the integration. |
tokenType | string | Token type, typically "Bearer". |
authorization | string | Pre-formatted header value ("Bearer <token>"). Pass directly to Authorization. |
expiresIn | number? | Seconds until the token expires. |
scope | string? | Scopes granted by the integration. |
integration | string | Integration name this credential was issued for. |
IntegrationResolvedCredentials
Returned by kontext.requireCredentials().
interface IntegrationResolvedCredentials {
integration: string;
integrationId: string;
credentials: Record<string, string>;
}
credentials map contains key-value pairs defined by the integration’s credential schema.
