Add Streamable HTTP transport for remote deployments #3
Open
ThomsenDrake wants to merge 4 commits into
…sing, silence dotenv stdout
- Add MCP_AUTH_TOKEN env var for optional bearer token authentication
- When set, validates auth field on all JSON-RPC messages before processing
- When unset, server accepts all messages (default for local usage)
- Silence dotenv stdout output that corrupts MCP stdio protocol
- Update README and .env.example with auth documentation

- Add startHttpServer() with Express + StreamableHTTPServerTransport
- Auto-detect transport mode via PORT env var or MCP_TRANSPORT=http
- Bearer auth on HTTP uses standard Authorization header
- Stateful sessions with per-session server instances
- Stdio transport preserved unchanged for local usage
- Add @types/express dev dependency
Summary
Adds Streamable HTTP transport so the server can be deployed remotely (Railway, Fly.io, etc.) and accessed over the network by any MCP client. All changes serve this goal:
- `startHttpServer()` using Express + `StreamableHTTPServerTransport` with stateful session management. The server exposes a single `/mcp` endpoint handling POST (JSON-RPC), GET (SSE streaming), and DELETE (session cleanup).
- When `PORT` is set or `MCP_TRANSPORT=http`, the server starts in HTTP mode. Otherwise it uses stdio as before — no breaking changes for existing local users.
- When `MCP_AUTH_TOKEN` is set, all requests require a valid token. On HTTP this uses the standard `Authorization` header. On stdio it validates an `auth` field in the JSON-RPC message via a `Transform` stream that strips the field before it hits the SDK's strict Zod parser. When unset, auth is disabled (the default for local usage).
- `dotenv.config({ quiet: true })` — dotenv v17+ logs to stdout by default, which corrupts the MCP stdio protocol. This is a bug that affects the existing server regardless of transport.

Why
The server currently only supports stdio transport, which requires the MCP client to spawn it as a local process. This makes it impossible to deploy remotely or share a single server instance across multiple agents. Streamable HTTP transport is the standard MCP solution for remote servers, and bearer token auth is necessary to secure a network-exposed endpoint.
Client configuration
With a remote deployment, any stdio-based MCP client can connect via `mcp-remote`:

```json
{
  "mcpServers": {
    "privy": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "https://your-deployment.example.com/mcp",
        "--header",
        "Authorization:${AUTH_HEADER}"
      ],
      "env": {
        "AUTH_HEADER": "Bearer your_secret_token"
      }
    }
  }
}
```

Testing
All scenarios verified locally and on a live Railway deployment:
- `PORT` set, valid bearer token
- `PORT` set, invalid token
- `PORT` set, no token
- `PORT` set, no `MCP_AUTH_TOKEN`
- `PORT` unset, valid `auth` field
- `PORT` unset, invalid `auth` field: `-32600` error
- `PORT` unset, no `MCP_AUTH_TOKEN`
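
An added example, not code from this pull request: one way to build the stdio-side check the summary describes, a `Transform` that validates the `auth` field of each newline-delimited JSON-RPC message and strips it before forwarding. Only the `auth` field, the `-32600` code and the disabled-when-unset behaviour come from the description; the function names, the `sendError` callback, the "Unauthorized" message text and the constant-time comparison are assumptions, written in plain JavaScript.

```javascript
const { Transform } = require("node:stream");
const { StringDecoder } = require("node:string_decoder");
const { createHash, timingSafeEqual } = require("node:crypto");

// Constant-time comparison; hashing first gives timingSafeEqual equal lengths.
function tokenMatches(presented, expected) {
  if (typeof presented !== "string") return false;
  const digest = (s) => createHash("sha256").update(s, "utf8").digest();
  return timingSafeEqual(digest(presented), digest(expected));
}

// Build the rejection: a JSON-RPC error response with code -32600.
const deny = (id) => ({
  reject: JSON.stringify({ jsonrpc: "2.0", id, error: { code: -32600, message: "Unauthorized" } }),
});

// Check one newline-delimited JSON-RPC message. Returns { forward } (message
// with `auth` removed) or { reject } (an error response to send back).
function checkMessage(line, expectedToken) {
  if (!expectedToken) return { forward: line }; // auth disabled: pass through
  let msg;
  try {
    msg = JSON.parse(line);
  } catch {
    return deny(null);
  }
  if (msg === null || typeof msg !== "object" || Array.isArray(msg)) return deny(null);
  const { auth, ...rest } = msg;
  if (!tokenMatches(auth, expectedToken)) return deny(msg.id ?? null);
  return { forward: JSON.stringify(rest) };
}

// Transform placed between stdin and the MCP stdio transport. `sendError` is a
// hypothetical callback that writes rejections back to the client.
function authFilter(expectedToken, sendError) {
  const decoder = new StringDecoder("utf8");
  let pending = "";
  return new Transform({
    transform(chunk, _encoding, done) {
      const lines = (pending + decoder.write(chunk)).split("\n");
      pending = lines.pop(); // partial trailing line waits for the next chunk
      for (const line of lines) {
        if (!line.trim()) continue;
        const result = checkMessage(line, expectedToken);
        if (result.reject) sendError(result.reject + "\n");
        else this.push(result.forward + "\n");
      }
      done();
    },
  });
}
```

Rejected messages never reach the readable side, so the downstream parser only sees messages that carried the right token, with the `auth` field already removed.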