neilberkman
Attesto - OpenID-certified OAuth 2.1 / OpenID Connect for Elixir (Phoenix provider, client, and MCP auth)
Hi all - I’ve been building Attesto, a set of libraries that brings certified OAuth 2.1 and OpenID Connect to Elixir, whether you want to be an identity provider, talk to one, or put OAuth in front of an MCP server.
It’s OpenID Certified, including FAPI 2.0 (Security Profile and Message Signing), the bank-grade profile behind open banking. As far as I can tell from the OpenID Foundation’s directory, that makes it the first Elixir provider certified for FAPI 2.0. The certs also cover OpenID Connect Basic and Config, all three Logout profiles, Session Management, and FAPI-CIBA, and they run against the Foundation’s conformance suite rather than being self-asserted.
For Phoenix apps, attesto_phoenix is a drop-in authorization server: /authorize, /token, PAR, DPoP, mTLS, PKCE - backed by your own Ecto schemas. You keep your login and consent screens, it handles the protocol.
On the MCP side, the spec now has servers act as OAuth 2.1 resource servers, and attesto_mcp handles that boundary. It protects your /mcp endpoint, publishes the RFC 9728 metadata that lets Claude, ChatGPT, and other MCP clients discover how to authorize, verifies Bearer/DPoP/mTLS tokens locally, and enforces scopes before a request reaches your tools. It drops straight into Anubis, or any Plug/Phoenix MCP server.
If you’re on the client side, attesto_client covers the relying-party work: discovery, JWKS, ID-token and JARM verification, request objects, private_key_jwt.
All of it sits on a small conn-free core with no Phoenix or Ecto assumptions, so you can build on that directly if you’re on a different stack.
Everything’s on Hex with docs, and I’d welcome feedback, especially from anyone doing OAuth for MCP.
Hex: attesto · attesto_phoenix · attesto_client · attesto_mcp
Popular in Announcing
Other popular topics
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #code-sync
- #javascript
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #advent-of-code
- #elixirconf-us
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #performance









