MongoDB MCP Server
Enables AI agents to securely connect to MongoDB databases via MCP, with deployment modes from basic to RBAC-gated with Keycloak authentication.
README
π MongoDB MCP Server
A ready-to-use integration of the MongoDB MCP Server with multiple deployment modes β from a simple local launcher to a fully secured RBAC gateway with Keycloak authentication.
Explore how to connect AI agents and LLM clients (Claude, VS Code Copilot, Cursor, etc.) to your MongoDB databases through the Model Context Protocol.
π Table of Contents
| # | Section | Description |
|---|---|---|
| 1 | Deployment Modes | Compare the three available modes |
| 2 | Quick Start | Get running in 2 minutes (basic mode) |
| 3 | Project Structure | Directory layout overview |
| 4 | Test Client | Built-in MCP diagnostic client |
| 5 | VS Code Copilot | Connect VS Code to the MCP Server |
| 6 | Docker Compose | Run the full stack with containers |
| 7 | Documentation | Links to detailed guides |
| 8 | npm Scripts | All available commands at a glance |
| 9 | References | Official docs and specifications |
π Deployment Modes
This project supports three deployment modes, each adding a layer of security on top of the previous one:
π’ Basic Mode β Direct Connection
The simplest setup. The MCP Server runs locally and accepts connections without authentication. Best for local development and quick testing.
ββββββββββββββ ββββββββββββββββ
β Client βββββββββββ>β MCP Server β
β (Agent) β :8008 β (MongoDB) β
ββββββββββββββ ββββββββββββββββ
When to use: Solo development, local experiments, testing tools.
π See Quick Start below.
π‘ Proxy Mode β OAuth 2.1 Authentication
Adds Keycloak as an OAuth 2.1 Authorization Server and a reverse proxy that validates Bearer tokens before forwarding to the MCP Server. Implements the Delegated Authorization pattern.
ββββββββββββββ Bearer ββββββββββββ ββββββββββββββββ
β Client βββtokenββ>β Proxy βββββββββββ>β MCP Server β
β (Agent) β β (RS) β (no auth) β (MongoDB) β
ββββββββββββββ ββββββ¬ββββββ ββββββββββββββββ
β JWKS
ββββββ΄ββββββ
β Keycloak β
β (AS) β
ββββββββββββ
When to use: Shared environments, multiple users, audit requirements.
π See
iac/auth-proxy/for the proxy implementation.
π΄ Gateway Mode β RBAC (Role-Based Tool Filtering)
The most secure mode. Extends Proxy Mode by inspecting MCP messages and filtering tools based on the user's Keycloak realm role. Different users see and can execute different sets of tools.
ββββββββββββββ Bearer ββββββββββββββββ ββββββββββββββββ
β Client βββtokenββ>β RBAC Gateway βββββββββββ>β MCP Server β
β (Agent) β β :4040 β (no auth) β (MongoDB) β
ββββββββββββββ ββββββββ¬ββββββββ ββββββββββββββββ
β JWKS + roles
ββββββ΄ββββββ
β Keycloak β
β (AS) β
ββββββββββββ
| Role | Mode | Access Level |
|---|---|---|
π mcp-admin |
allow | Full access β all tools (RW) |
π mcp-analyst |
allow | 14 specific tools (RO) |
ποΈ mcp-viewer |
allow | 5 specific tools (RW) |
π€ mcp-guest |
deny | All except atlas category (RO) |
When to use: Production, teams with different access levels, compliance.
π See doc/gateway.md for the full guide: architecture, step-by-step setup, Keycloak curl examples, token inspection, and RBAC configuration.
π Quick Start
Prerequisites
- Node.js v18+
- A MongoDB connection string (Atlas or local)
1. Install dependencies
npm install
2. Configure environment
cp .env.example .env
Edit .env and set your MongoDB connection string:
MDB_MCP_CONNECTION_STRING=mongodb+srv://user:password@cluster.mongodb.net
3. Start the MCP Server
npm run mcp:wrapper:start
========================================
MongoDB MCP Server
========================================
Status : running
URL : http://127.0.0.1:8008
Endpoint : http://127.0.0.1:8008/mcp
========================================
4. Verify with the test client
npm run mcp:client:start
All 7 diagnostic checks should pass (connect, ping, list tools, call tool, list resources, read resource, shutdown).
π Project Structure
mongodb-mcp/
βββ src/
β βββ wrapper/ # π’ MCP Server launcher
β β βββ index.js # Entry point
β β βββ McpServerLauncher.js # Process manager (env, spawn, shutdown)
β βββ gateway/ # π΄ RBAC Gateway (OOP, SOLID/GRASP)
β β βββ index.js # Entry point β config + startup
β β βββ GatewayServer.js # Controller β HTTP server orchestration
β β βββ TokenVerifier.js # JWT/JWKS token verification
β β βββ RoleResolver.js # Role resolution + tool permissions
β β βββ McpInterceptor.js # MCP message filtering/blocking
β β βββ ProxyHandler.js # HTTP reverse proxy to upstream
β βββ client/index.js # π§ͺ MCP test client (direct & auth modes)
βββ cfg/
β βββ roles.json # π§ Role-to-tools mapping config
βββ iac/
β βββ keycloak/
β β βββ realm-export.json # π Keycloak realm (roles, users, scopes)
βββ doc/
β βββ gateway.md # π Full RBAC gateway guide
βββ docker-compose.yml # π³ Keycloak + MCP Server + Gateway
βββ .env # βοΈ Environment configuration
βββ .vscode/mcp.json # π VS Code Copilot MCP config
π§ͺ Test Client
The built-in test client implements the full MCP lifecycle and supports both direct and authenticated modes:
# π’ Direct β no authentication
npm run mcp:client:start
# π΄ Via Gateway β with Keycloak token (uses .env defaults)
npm run mcp:client:gateway
# π΄ Via Gateway β override user from the command line
npm run mcp:client:gateway -- --user mcp-admin --pass admin123
The client runs a diagnostic suite: initialize, ping, list tools, call a tool, list resources, read a resource, and graceful shutdown.
π VS Code Copilot Integration
The .vscode/mcp.json file provides two server entries:
| Server | URL | Auth |
|---|---|---|
mongodb |
http://127.0.0.1:8008/mcp |
None |
mongodb-gateway |
http://127.0.0.1:4040/mcp |
Bearer |
For mongodb-gateway, VS Code will prompt you to paste a Keycloak access token.
Obtain one first (replace user/password as needed):
curl -s -X POST http://localhost:8080/realms/mcp/protocol/openid-connect/token \
-d "grant_type=password" \
-d "client_id=mcp-client" \
-d "username=mcp-admin" \
-d "password=admin123" \
-d "scope=openid mcp:access" | node -e "
let d=''; process.stdin.on('data',c=>d+=c);
process.stdin.on('end',()=>console.log(JSON.parse(d).access_token));
"
Copy the token and paste it when VS Code prompts. See doc/gateway.md for more details and all available users.
π³ Docker Compose
Run the complete stack with a single command:
npm run mcp:docker:start
This starts three services:
| Service | Port | Description |
|---|---|---|
keycloak |
:8080 |
π OAuth 2.1 Authorization Server |
mongodb-mcp |
:8008 |
π MongoDB MCP Server |
mcp-gateway |
:4040 |
π‘οΈ RBAC Gateway (validates JWT + roles) |
Stop everything:
npm run mcp:docker:stop
π npm Scripts
| Script | Mode | Description |
|---|---|---|
npm run mcp:wrapper:start |
π’ | Start the MCP Server locally |
npm run mcp:client:start |
π’ | Run diagnostics β direct (no auth) |
npm run mcp:gateway:start |
π΄ | Start the RBAC Gateway locally |
npm run mcp:client:gateway |
π΄ | Run diagnostics β via gateway (with auth) |
npm run mcp:client:auth |
π‘ | Run diagnostics β via proxy (with auth) |
npm run mcp:docker:start |
π³ | Start all Docker services |
npm run mcp:docker:stop |
π³ | Stop all Docker services |
π Documentation
| Document | Description |
|---|---|
| doc/gateway.md | π΄ RBAC Gateway, full guide with Keycloak examples |
| doc/remote.md | π’ Securing Remote MongoDB MCP Servers: An RBAC Gateway Architecture |
π References
- MongoDB MCP Server: Overview & Use Cases
- MongoDB MCP Server: Get Started (Self-Managed)
- MongoDB MCP Server: Security Best Practices
- MongoDB MCP Server: Tools Reference
- MCP Specification: Transports
- MCP Specification: Lifecycle
- MCP Authorization Tutorial
- LM Studio: Using MCP via API
π License
ISC
Recommended Servers
playwright-mcp
A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.
Magic Component Platform (MCP)
An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.
Audiense Insights MCP Server
Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.
VeyraX MCP
Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.
graphlit-mcp-server
The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.
Kagi MCP Server
An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.
E2B
Using MCP to run code via e2b.
Neon Database
MCP server for interacting with Neon Management API and databases
Qdrant Server
This repository is an example of how to create a MCP server for Qdrant, a vector search engine.
Exa Search
A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.