MCP Servers

secure-mcp-proxy

A MCP Proxy (Local <-> SSE) with token based authentication.

README

secure-mcp-proxy

GitHub License PyPI - Python Version

A secure MCP (Model Context Protocol) proxy that enables switching between server transports with built-in API token authentication.

Note: This project is forked from sparfenyuk/mcp-proxy and enhanced with additional security features.

secure-mcp-proxy

About

The mcp-proxy is a tool that lets you switch between server transports. There are two supported modes:

stdio to SSE/StreamableHTTP
SSE to stdio

1. stdio to SSE/StreamableHTTP

Run a proxy server from stdio that connects to a remote SSE server.

This mode allows clients like Claude Desktop to communicate to a remote server over SSE even though it is not supported natively.

graph LR
    A["Claude Desktop"] <--> |stdio| B["mcp-proxy"]
    B <--> |SSE| C["External MCP Server"]

    style A fill:#ffe6f9,stroke:#333,color:black,stroke-width:2px
    style B fill:#e6e6ff,stroke:#333,color:black,stroke-width:2px
    style C fill:#e6ffe6,stroke:#333,color:black,stroke-width:2px

2. SSE to stdio

Run a proxy server exposing a SSE server that connects to a local stdio server.

This allows remote connections to the local stdio server. The mcp-proxy opens a port to listen for SSE requests, spawns a local stdio server that handles MCP requests.

graph LR
    A["LLM Client"] <-->|SSE| B["mcp-proxy"]
    B <-->|stdio| C["Local MCP Server"]

    style A fill:#ffe6f9,stroke:#333,color:black,stroke-width:2px
    style B fill:#e6e6ff,stroke:#333,color:black,stroke-width:2px
    style C fill:#e6ffe6,stroke:#333,color:black,stroke-width:2px

Features

Transport switching: stdio ↔ SSE/StreamableHTTP
API token authentication: Secure your MCP servers with Bearer token auth
CORS support: Configure allowed origins for web clients
Multiple servers: Host multiple named MCP servers simultaneously
Docker support: Container-ready with Docker and Docker Compose
Flexible configuration: CLI arguments, environment variables, and JSON config files
Developer friendly: Built-in token generator and status endpoint

Quick Start

# CLI Mode (No Auth)
uv run python -m secure_mcp_proxy --port 3000 uvx mcp-server-fetch # example

# Named Server Mode
export MCP_PROXY_API_TOKEN=your-secret-token
uv run python -m secure_mcp_proxy --named-server-config servers.json --port 3000 --host 0.0.0.0

Installation

From Source

# Clone the repository
git clone https://github.com/your-username/secure-mcp-proxy
cd secure-mcp-proxy

# Install dependencies with uv (Python package manager)
uv sync

# Now you can run the proxy using: uv run python -m secure_mcp_proxy

Running the Proxy

CLI Mode

# Single server
uv run python -m secure_mcp_proxy --port 3000 uvx mcp-server-fetch

# Multiple servers
uv run python -m secure_mcp_proxy --port 3000 \
  --named-server fetch 'uvx mcp-server-fetch' \
  --named-server github 'npx -y @modelcontextprotocol/server-github'

# Custom host and port
uv run python -m secure_mcp_proxy --host 0.0.0.0 --port 8080 uvx mcp-server-fetch

# With environment variables and args
uv run python -m secure_mcp_proxy --port 3000 -e API_KEY value -- uvx mcp-server-fetch --timeout 30

Named Server Mode

export MCP_PROXY_API_TOKEN=token
uv run python -m secure_mcp_proxy --named-server-config servers.json --port 3000 --host 0.0.0.0

Client Mode (Connect to Remote Server)

# Connect to remote SSE server
uv run python -m secure_mcp_proxy http://remote-server.com/sse

# With authentication
uv run python -m secure_mcp_proxy --headers Authorization 'Bearer remote-token' http://remote-server.com/sse

# Using StreamableHTTP transport
uv run python -m secure_mcp_proxy --transport streamablehttp http://remote-server.com/mcp

Configuration

Environment Variables

MCP_PROXY_API_TOKEN: API token for authentication (optional)
API_ACCESS_TOKEN: Token for connecting to remote servers (client mode)

Named Server Configuration File

Create a servers.json file:

{
  "mcpServers": {
    "filesystem": {
      "enabled": true,
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-filesystem", "/Users/username/Downloads"],
      "auth": true,
      "env": {
        "CUSTOM_VAR": "value"
      }
    },
    "fetch": {
      "enabled": true,
      "command": "uvx",
      "args": ["mcp-server-fetch"],
      "auth": false
    },
    "time": {
      "enabled": true,
      "command": "uvx",
      "args": ["mcp-server-time"]
      // No "auth" field defaults to false
    },
    "github": {
      "enabled": false,
      "command": "npx", 
      "args": ["-y", "@modelcontextprotocol/server-github"],
      "auth": true,
      "env": {
        "GITHUB_PERSONAL_ACCESS_TOKEN": "your-github-token"
      }
    }
  }
}

Configuration fields:

enabled: Whether to start this server (default: true)
command: Command to execute
args: Command arguments as array
auth: Whether authentication is required (default: false)
env: Environment variables for this server

Authentication

Authentication is controlled by the MCP_PROXY_API_TOKEN environment variable. When set, you can configure which servers require authentication on a per-server basis.

Authentication Modes

No authentication: When MCP_PROXY_API_TOKEN is not set, all endpoints are public
Selective authentication: When MCP_PROXY_API_TOKEN is set, authentication is controlled per-server:

CLI Mode: Always public (no authentication required)
Named Server Mode: Follow the auth field setting (true = auth required, false or omitted = public)

Setting Up Authentication

# Option 1: Environment variable
export MCP_PROXY_API_TOKEN=your-secret-token

# Option 2: .env file
echo 'MCP_PROXY_API_TOKEN="your-secret-token"' > .env

# Option 3: Inline
export MCP_PROXY_API_TOKEN=your-secret-token
uv run python -m secure_mcp_proxy --named-server-config servers.json --port 3000

Per-Server Authentication

You can configure which servers require authentication using the auth field in your configuration file:

{
  "mcpServers": {
    "filesystem": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-filesystem", "/tmp"],
      "auth": true    // Requires authentication
    },
    "fetch": {
      "command": "uvx", 
      "args": ["mcp-server-fetch"],
      "auth": false   // No authentication required
    },
    "time": {
      "command": "uvx",
      "args": ["mcp-server-time"]
      // No "auth" field = defaults to false (no authentication)
    }
  }
}

Generate Secure Tokens

# Generate a production-ready token
uv run python -m secure_mcp_proxy.token_generator --production

# Generate multiple test tokens
uv run python -m secure_mcp_proxy.token_generator

Docker Support

Basic Docker Usage

# Build custom image with uv
cat > Dockerfile << 'EOF'
FROM ghcr.io/sparfenyuk/mcp-proxy:latest
RUN python3 -m ensurepip && pip install --no-cache-dir uv
ENV PATH="/usr/local/bin:$PATH" UV_PYTHON_PREFERENCE=only-system
ENTRYPOINT ["mcp-proxy"]
EOF

docker build -t secure-mcp-proxy .
export MCP_PROXY_API_TOKEN=token
docker run -e MCP_PROXY_API_TOKEN=$MCP_PROXY_API_TOKEN -p 3000:3000 secure-mcp-proxy \
  --pass-environment --port=3000 --host=0.0.0.0 uvx mcp-server-fetch

Docker Compose

# docker-compose.yml
services:
  secure-mcp-proxy:
    build: .
    ports:
      - "3000:3000"
    environment:
      - MCP_PROXY_API_TOKEN=your-secret-token
    volumes:
      - ./servers.json:/app/servers.json
    command: >
      --pass-environment 
      --port=3000 
      --host=0.0.0.0 
      --named-server-config=/app/servers.json
    restart: unless-stopped

Command Line Reference

Common Options

Option	Description	Example
`--port`	Server port	`--port 3000`
`--host`	Server host	`--host 0.0.0.0`
`--named-server-config`	Config file path	`--named-server-config servers.json`
`--named-server`	Define named server	`--named-server fetch 'uvx mcp-server-fetch'`
`--allow-origin`	CORS origins	`--allow-origin "*"`
`--debug`	Enable debug logging	`--debug`

Troubleshooting

Common Issues

ENOENT error: Use full path to binary in Claude Desktop config
Port already in use: Change port with --port option
401/403 errors: Check your MCP_PROXY_API_TOKEN environment variable
Module not found: Ensure you're in the correct directory and dependencies are installed

Debug Mode

# Enable detailed logging
uv run python -m secure_mcp_proxy --debug --port 3000 uvx mcp-server-fetch

Recommended Servers

playwright-mcp

A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.

Official

Featured

TypeScript

Magic Component Platform (MCP)

An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.

Audiense Insights MCP Server

Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.

VeyraX MCP

Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.

Official

Featured

Local

graphlit-mcp-server

The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.

Official

Featured

TypeScript

Kagi MCP Server

An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.

Official

Featured

Python

E2B

Using MCP to run code via e2b.

Official

Featured

Neon Database

MCP server for interacting with Neon Management API and databases

Official

Featured

Exa Search

A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.

Official

Featured

Qdrant Server

This repository is an example of how to create a MCP server for Qdrant, a vector search engine.

Official

Featured