What's happening under the hood

When you run the demo server, several things happen behind the scenes to handle MCP Authorization and process requests.

The demo server runs in stateless mode, which means:

  • A new transport and server instance is created for each request
  • This ensures complete isolation between concurrent clients
  • No shared state between requests

This approach makes the server more scalable and easier to reason about, though it does create some overhead for each request. In a production scenario, caching might be used on some of the token-checking steps to improve performance.

The server implements MCP Authorization using the components described below.

The server exposes resource metadata at /.well-known/oauth-protected-resource/mcp. This endpoint provides information about:

  • The authorization server (your Prefactor instance)
  • The resource identifier (the MCP server URL)

When an MCP client first connects without authentication, the server responds with a 401 status and points to this metadata endpoint in the WWW-Authenticate header.

When a client makes an authenticated request with a bearer token, the server:

  • Extracts the bearer token from the Authorization header
  • Validates the token using Prefactor’s token introspection endpoint
  • Verifies the token has not expired and was issued for this MCP server (the resource), not for some other service
  • Extracts user information from the validated token

The authentication middleware handles all of this automatically, so your tools receive requests with validated user context.
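The challenge and the validation steps just listed, as an added JavaScript example that is not the demo server's own code: the URLs are assumed placeholders, and the introspect callback stands in for Prefactor's token introspection endpoint so the flow runs offline.

```javascript
// Added example, not the demo server's own code: a dependency-free model of the
// authorization steps above. URLs are assumed; introspect() is injected so the
// Prefactor introspection endpoint can be simulated offline.
const RESOURCE_URL = "http://localhost:3000/mcp";                                   // assumed
const AUTH_SERVER = "https://YOUR-TENANT.prefactor.example";                        // placeholder
const METADATA_URL = "http://localhost:3000/.well-known/oauth-protected-resource/mcp";

// RFC 9728 protected resource metadata document served at METADATA_URL.
function protectedResourceMetadata() {
  return { resource: RESOURCE_URL, authorization_servers: [AUTH_SERVER] };
}

// 401 response whose WWW-Authenticate header points the client at the metadata endpoint.
function unauthorized(error) {
  const params = [`resource_metadata="${METADATA_URL}"`];
  if (error) params.push(`error="${error}"`);
  return { status: 401, headers: { "WWW-Authenticate": `Bearer ${params.join(", ")}` } };
}

// Token from "Authorization: Bearer <token>"; null when absent or not the bearer scheme.
function extractBearer(headers) {
  const m = /^Bearer\s+(\S+)$/i.exec(headers.authorization ?? "");
  return m ? m[1] : null;
}

// Run the checks in the order listed above. `introspect(token)` returns an
// RFC 7662 style object ({ active, exp, aud, sub, scope }).
function authorize(headers, introspect, now = Math.floor(Date.now() / 1000)) {
  const token = extractBearer(headers);
  if (!token) return unauthorized();                         // no credentials: start discovery
  const info = introspect(token);
  if (!info || info.active !== true) return unauthorized("invalid_token");
  if (typeof info.exp === "number" && info.exp <= now) return unauthorized("invalid_token"); // expired
  const aud = Array.isArray(info.aud) ? info.aud : [info.aud];
  if (!aud.includes(RESOURCE_URL)) return unauthorized("invalid_token"); // issued for another resource
  return { status: 200, user: { sub: info.sub, scope: info.scope ?? "" } }; // context handed to tools
}

// Constructed sample introspection results standing in for Prefactor's endpoint.
const SAMPLE_TOKENS = {
  "tok-good":    { active: true, sub: "user-123", aud: [RESOURCE_URL], exp: 2000000000, scope: "tools:read" },
  "tok-expired": { active: true, sub: "user-123", aud: [RESOURCE_URL], exp: 1000 },
  "tok-other":   { active: true, sub: "user-123", aud: "https://other.example/api", exp: 2000000000 },
};
const fakeIntrospect = (token) => SAMPLE_TOKENS[token] ?? { active: false };

// Walk one client through the flow: unauthenticated challenge, then a valid request.
console.log(authorize({}, fakeIntrospect).headers["WWW-Authenticate"]);
console.log(authorize({ authorization: "Bearer tok-good" }, fakeIntrospect, 1700000000));
```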

Once authenticated, requests are processed as standard MCP JSON-RPC calls:

  • Requests arrive at /mcp as HTTP POST requests
  • The server parses the JSON-RPC payload
  • Tools are invoked with the provided arguments
  • Responses are returned in JSON-RPC format

The server includes CORS (Cross-Origin Resource Sharing) support, which allows:

  • Browser-based tools like MCP Inspector to connect
  • Web applications to make requests from different origins
  • Development and testing workflows to work smoothly

This is important because MCP Inspector runs in a browser and needs to make cross-origin requests to your local server.