Connecting with an MCP client

Once your server is running, you can connect to it using an MCP client that supports MCP Authorization. The client will handle the authentication flow automatically:

Make an initial request without authentication
Receive a 401 response with resource metadata
Complete the OAuth flow with Prefactor
Make authenticated requests with a bearer token

The server is configured with CORS support, so it works with browser-based tools and local clients.

Using MCP Inspector

MCP Inspector is a developer tool for testing and debugging MCP servers. It’s good for making sure everything is working. Start it using PNPM:

pnpm dlx @modelcontextprotocol/inspector

This will launch the MCP Inspector UI at http://localhost:6274. It should also open it in your browser, but if it doesn’t you can click the link. From there:

Select HTTP as the transport method
Enter your server URL: http://localhost:3000/mcp and click “Connect”. You don’t need to enter anything in the “Authentication” section.
The inspector will forward you to Prefactor to complete authentication. Note that if this is the first time you’re authenticating, then no users will be registered yet. Choose the option to sign up. (Don’t use your admin login details here, this is a different user database.)
Once authenticated, go to the “Tools” area and click “List tools”. If this succeeds, everything is working.

Available tools

The demo includes two example tools you can test:

add: This tool adds two numbers together.
whoami: This tool returns information about the authenticated user.

Understanding the authentication flow

MCP Inspector provides a great way to see the MCP Authorization flow in action. To walk through it step by step, you’ll need to start fresh and use the “Guided OAuth Flow” in the Authentication Settings. Note that this is different to the “Authentication” configuration area on the left hand side.

Clearing the OAuth state

If you’ve already connected to the server, you’ll need to clear the authentication state first:

In MCP Inspector, disconnect from the server if you’re currently connected
Clear the OAuth state by clicking “Open Auth Settings” in the main content area, then “Clear OAuth State”
This ensures you’ll see the full authentication flow from the beginning

Stay on this screen for the rest of this section. In the OAuth Flow Progress area, you’ll see several steps. To progress from one step to the next, click “Continue”.

Step 1: Metadata Discovery

The Inspector makes an initial request to your server. Your server responds with a 401 Unauthorized status and a WWW-Authenticate header pointing to the resource metadata endpoint. The Inspector then fetches the resource metadata from /.well-known/oauth-protected-resource/mcp, which contains the authorization server URL (your Prefactor instance) and the resource identifier.

Step 2: Client Registration

The Inspector registers itself as a new OAuth client with Prefactor using dynamic client registration. This gives the Inspector the client ID and client secret it needs to proceed with the authorization flow.

Step 3: Preparing Authorization

The Inspector prepares the authorization request, setting up the parameters needed for the OAuth authorization code flow. This includes generating a code challenge for PKCE (Proof Key for Code Exchange) if required. To continue from this point you’ll need to click the link.

This will take you through the Prefactor login process you saw previously. However, at the end you’ll be presented with a screen containing an authorization code. Copy this code, ready for the next step.

Step 4: Request Authorization and acquire authorization code

Paste in the code you code in the previous step, and continue.

Step 5: Token Request

The Inspector exchanges the authorization code for an access token by making a request to Prefactor’s token endpoint. This is where the authorization code is swapped for the actual bearer token that will be used in subsequent requests.

Step 6: Authentication Complete

Once the Inspector has the bearer token, authentication is complete. The Inspector will now include the bearer token in the Authorization header of all requests to your server. Your server validates this token using Prefactor’s token introspection endpoint.

What you’ve seen

This flow demonstrates the key aspects of MCP Authorization:

The server doesn’t need to know about the client beforehand
Authentication is handled through standard OAuth flows
The client manages tokens and includes them in requests
Your server validates tokens with Prefactor

The authentication usually happens transparently, but Inspector lets you see each step of the process.

If you want to connect again, use the “Clear OAuth State” button and then connect normally.

Other clients

The demo server works with any MCP client that supports HTTP transport and MCP Authorization. Configuration varies by client, so refer to your client’s documentation for the exact steps. Generally, you’ll need to:

Configure the server URL: http://localhost:3000/mcp
Set the transport type to HTTP
Let the client handle the MCP Authorization flow automatically

Cursor

Open “File > Preferences > Cursor Settings > Tools & MCP”. Click “New MCP server” — you’ll be taken to the mcp.json file. Insert the following under mcpServers:

"mcp-prefactor-demo": {
  "url": "http://localhost:3000/mcp"
},

VS Code

Open the Command Palette (via the menu this is “View > Command Palette…”). Search for “MCP: Add Server…” and follow the prompts. This will add it to your mcp.json and start the authentication flow.

Claude Code

claude mcp add --transport http mcp-prefactor-demo http://localhost:3000/mcp

You can then initiate authentication by running the /mcp command and following the prompts.

Claude Desktop and Web

Claude Desktop and Web can’t currently connect to servers running locally. Tools like ngrok can be used as a proxy if required, but that’s outside the scope of this documentation.