sherpa-mcp-server

The server utilizes Auth0 OAuth 2.1 with OIDC and PKCE for robust authentication, emphasizing secure defaults and production readiness. It relies heavily on environment variables for sensitive data (API keys, tokens, client secrets), explicitly warning against hardcoding them and providing setup scripts to generate tokens locally for environment variable use. The `AUTH0_SETUP.md` provides comprehensive security best practices including using HTTPS, enabling consent screens, restricting redirect URIs, and monitoring. No 'eval' or similar dangerous patterns were found. While the default `allowed_client_redirect_uris` in the code is broad (`http://localhost:*`), the documentation clearly guides users to configure specific, secure production URLs in Auth0, mitigating this potential risk.