{"id":35094258,"url":"https://github.com/stainless-api/mcp-front","last_synced_at":"2026-01-23T17:51:15.286Z","repository":{"id":296097068,"uuid":"992277121","full_name":"stainless-api/mcp-front","owner":"stainless-api","description":"Auth proxy for Model Context Protocol servers - adds authentication to MCP tools for Claude.ai, Claude Code, Cursor, Gemini","archived":false,"fork":false,"pushed_at":"2025-12-02T00:37:46.000Z","size":6416,"stargazers_count":34,"open_issues_count":5,"forks_count":2,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-01-14T23:02:35.204Z","etag":null,"topics":["auth","claude","claude-code","mcp","proxy"],"latest_commit_sha":null,"homepage":"https://stainless-api.github.io/mcp-front/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/stainless-api.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-05-28T22:39:34.000Z","updated_at":"2026-01-09T09:36:42.000Z","dependencies_parsed_at":"2025-07-01T09:33:35.876Z","dependency_job_id":"895f02e9-6f14-4cd5-b534-39348187f40f","html_url":"https://github.com/stainless-api/mcp-front","commit_stats":null,"previous_names":["dgellow/mcp-front","stainless-api/mcp-front"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/stainless-api/mcp-front","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stainless-api%2Fmcp-front","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stainless-api%2Fmcp-front/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stainless-api%2Fmcp-front/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stainless-api%2Fmcp-front/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/stainless-api","download_url":"https://codeload.github.com/stainless-api/mcp-front/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stainless-api%2Fmcp-front/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28697349,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-23T17:25:48.045Z","status":"ssl_error","status_checked_at":"2026-01-23T17:25:47.153Z","response_time":59,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["auth","claude","claude-code","mcp","proxy"],"created_at":"2025-12-27T15:04:24.314Z","updated_at":"2026-01-23T17:51:15.277Z","avatar_url":"https://github.com/stainless-api.png","language":"Go","funding_links":[],"categories":["📚 Projects (1974 total)"],"sub_categories":["MCP Servers"],"readme":"# mcp-front \u003cimg src=\"docs-site/src/assets/logo.svg\" alt=\"MCP Front\" width=\"32\" height=\"32\" style=\"vertical-align: middle;\"\u003e\n\n![Docker image with tag latest](https://img.shields.io/docker/image-size/dgellow/mcp-front/latest?style=flat\u0026logo=docker\u0026label=latest)\n![Docker image with tag docker-client-latest](https://img.shields.io/docker/image-size/dgellow/mcp-front/docker-client-latest?style=flat\u0026logo=docker\u0026label=docker-client-latest)\n\n\u003e [!WARNING]\n\u003e **This project is a work in progress and should not be considered production ready.**\n\u003e\n\u003e Though I'm fairly confident the overall architecture is sound, and I myself rely on the implementation — so it _should work :tm:_.\n\u003e But definitely alpha software.\n\u003e\n\u003e **Expect breaking changes! :)**\n\u003e\n\u003e Also, don't rely too much on the docs, they drift fairly quickly, I do not always keep them updated when doing changes or adding/removing features. They are mostly here to anchor me and help me stay focus on my initial vision.\n\n\u003e [!TIP]\n\u003e Looking for the easiest way to get an MCP server for your API? Check out [Stainless](https://www.stainless.com/mcp?utm=mcp-front-readme)✨. We offer best-in-class SDK and MCP generation. Build a complete MCP server and [publish it to Cloudflare and Docker Hub](https://www.stainless.com/docs/guides/generate-mcp-server-from-openapi?utm=mcp-front-readme) in a few minutes!\n\u003e\n\u003e \u003csub\u003eDisclaimer: the author of mcp-front is an early Stainless employee\u003c/sub\u003e\n\n\nAn authentication gateway for [MCP (Model Context Protocol)](https://modelcontextprotocol.io/introduction) servers. Let your team use Claude with internal databases, APIs, and tools without exposing them to the internet.\n\n\u003cdiv align=\"center\"\u003e\n\n![mcp-front Architecture](docs/architecture.svg)\n\n\u003c/div\u003e\n\n## The problem\n\nYou want your team to use Claude with internal MCP servers (databases, Linear, Notion, internal APIs). But MCP servers don't have built-in multi-user authentication. You either expose them to the public internet, build authentication yourself, or run separate instances per user. None of these are great.\n\n## The solution\n\nmcp-front sits between Claude and your MCP servers as an authentication gateway. Your team authenticates with Google once. When Claude connects, mcp-front validates the OAuth token, checks the user is from your organization, and proxies to the actual MCP server in your secure environment.\n\nFor stdio servers, each user gets an isolated subprocess. For services that need individual API keys (Notion, Linear), users connect them once through a web UI and mcp-front injects tokens automatically.\n\nOrganization-wide access control with per-user isolation. No modifications to your MCP servers. Nothing exposed to the internet.\n\n## How it works\n\n1. User adds `https://your-domain.com/\u003cservice\u003e/sse` to Claude\n2. Claude redirects to Google for login (first time only)\n3. mcp-front validates the user is from your organization\n4. If the service needs a user API key (Notion, Linear), user connects it through a web page\n5. mcp-front proxies all MCP requests to the backend server\n\nEach stdio server gets its own isolated subprocess per user. OAuth tokens are scoped to specific services (RFC 8707) — a token for your Postgres server won't work for Linear.\n\n## Try it locally (5 minutes)\n\nTest with bearer tokens before setting up OAuth:\n\n```json\n{\n  \"version\": \"v0.0.1-DEV_EDITION_EXPECT_CHANGES\",\n  \"proxy\": {\n    \"addr\": \":8080\"\n  },\n  \"mcpServers\": {\n    \"filesystem\": {\n      \"transportType\": \"stdio\",\n      \"command\": \"npx\",\n      \"args\": [\"-y\", \"@modelcontextprotocol/server-filesystem\", \"/tmp\"],\n      \"serviceAuths\": [\n        {\n          \"type\": \"bearer\",\n          \"tokens\": [\"dev-token-123\"]\n        }\n      ]\n    }\n  }\n}\n```\n\n```bash\n# Run it\ndocker run -p 8080:8080 -v $(pwd)/config.json:/app/config.json dgellow/mcp-front:latest\n\n# In Claude.ai settings, add this MCP server:\n# URL: http://localhost:8080/filesystem/sse\n# Auth: Bearer Token\n# Token: dev-token-123\n```\n\n## Production setup\n\nFor organization-wide deployment with OAuth, domain restrictions, and Firestore persistence:\n\n**[→ Full production setup guide](https://stainless-api.github.io/mcp-front/examples/oauth-google/)**\n\nThe guide covers:\n- Setting up Google OAuth (Cloud Console configuration)\n- Environment variables and secret management\n- Domain validation and CORS\n- Firestore storage for production\n- HTTPS deployment considerations\n- Per-user service authentication (Notion, Linear, etc.)\n\n## Configuration\n\nmcp-front supports multiple transport types (stdio, SSE, streamable-http, inline). Authentication happens at three levels: user-to-proxy (OAuth), proxy-to-server (`serviceAuths`), and per-user service tokens (`userAuthentication`).\n\nExample configs: [config-oauth.json](config-oauth.json) | [config-token.example.json](config-token.example.json)\n\nSee the [configuration reference](https://stainless-api.github.io/mcp-front/configuration/) for all options.\n\n## Security\n\n- OAuth 2.0 with PKCE required for all flows\n- Google Workspace domain validation\n- Encrypted session cookies (AES-256-GCM)\n- Per-user session isolation for stdio servers\n- Per-service audience claims (RFC 8707) prevent token reuse across services\n\n⚠️ **Security boundary**: mcp-front handles authentication. MCP servers handle authorization and input validation. Only use MCP servers you trust with your data.\n\n## Documentation\n\n- **[Quickstart](https://stainless-api.github.io/mcp-front/quickstart/)** - Get running in 5 minutes with bearer tokens\n- **[Production setup](https://stainless-api.github.io/mcp-front/examples/oauth-google/)** - OAuth with Google Workspace\n- **[Configuration reference](https://stainless-api.github.io/mcp-front/configuration/)** - All config options\n- **[API reference](https://stainless-api.github.io/mcp-front/api-reference/)** - HTTP endpoints\n- **[Architecture](https://stainless-api.github.io/mcp-front/architecture/)** - How it works under the hood\n\n## License\n\nLicensed under the [Elastic License 2.0](LICENSE) with commercial exceptions for Stainless Software Ltd and its affiliates, and the author. Using mcp-front as infrastructure for your own services (including public/commercial) is permitted; offering mcp-front itself as a hosted product is not.\n\nCopyright 2025 Samuel \"dgellow\" El-Borai (sam@elborai.me)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstainless-api%2Fmcp-front","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstainless-api%2Fmcp-front","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstainless-api%2Fmcp-front/lists"}