remote-mcp-server-authless

njdancer/remote-mcp-server-authless


This document provides a comprehensive overview of setting up a remote Model Context Protocol (MCP) server on Cloudflare without authentication.

Building a Remote MCP Server on Cloudflare with OAuth

This example allows you to deploy a remote MCP server with OAuth 2.0 authentication on Cloudflare Workers.

Get started:

Deploy to Workers

This will deploy your MCP server to a URL like: remote-mcp-server-authless.<your-account>.workers.dev/sse

Alternatively, you can use the command below to create the remote MCP server on your local machine:

    npm create cloudflare@latest -- my-mcp-server --template=cloudflare/ai/demos/remote-mcp-authless

Authentication

This MCP server uses OAuth 2.0 Authorization Code Flow for secure authentication.

Test Credentials

  • Username: admin
  • Password: test123

OAuth Endpoints

  • Authorization Endpoint: https://your-worker.workers.dev/oauth/authorize
  • Token Endpoint: https://your-worker.workers.dev/oauth/token
  • Metadata Endpoint: https://your-worker.workers.dev/.well-known/oauth-authorization-server

How OAuth Flow Works

  1. Client initiates authorization by redirecting to /oauth/authorize with client_id, redirect_uri, and response_type=code
  2. User sees a login page and enters credentials
  3. On successful login, user is redirected back with an authorization code
  4. Client exchanges the authorization code for an access token at /oauth/token
  5. Client uses the access token in the Authorization: Bearer <token> header for all MCP requests
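
How the token endpoint in step 4 can validate an authorization code before issuing a token, as an added TypeScript example that is not the project's own code: the code is single-use, short-lived, and bound to the client_id and redirect_uri it was issued for. The function names, the 60-second lifetime and the in-memory Map are assumptions; importing node:crypto on Workers assumes the nodejs_compat compatibility flag.

```typescript
// Added example: hypothetical names, not taken from the project's src/index.ts.
import { randomBytes } from "node:crypto";

interface CodeRecord { clientId: string; redirectUri: string; expiresAt: number; }

const CODE_TTL_MS = 60 * 1000; // assumption: one-minute lifetime for authorization codes

// In-memory store for illustration only; its contents are lost on worker restart.
const codes = new Map<string, CodeRecord>();

// Step 3: after a successful login, mint a code bound to the requesting client.
function issueCode(clientId: string, redirectUri: string, now: number = Date.now()): string {
  const code = randomBytes(32).toString("hex"); // 256 bits from the CSPRNG
  codes.set(code, { clientId, redirectUri, expiresAt: now + CODE_TTL_MS });
  return code;
}

type Redeem = { ok: true; clientId: string } | { ok: false; error: string };

// Step 4: validate the form fields posted to /oauth/token before issuing a token.
function redeemCode(form: URLSearchParams, now: number = Date.now()): Redeem {
  if (form.get("grant_type") !== "authorization_code") {
    return { ok: false, error: "unsupported_grant_type" };
  }
  const code = form.get("code") ?? "";
  const record = codes.get(code);
  // Delete before any other check so a code can never be presented twice,
  // even when the first attempt fails validation.
  codes.delete(code);
  if (!record || now > record.expiresAt) {
    return { ok: false, error: "invalid_grant" };
  }
  // The code is only valid for the client and redirect_uri it was issued to.
  if (form.get("client_id") !== record.clientId ||
      form.get("redirect_uri") !== record.redirectUri) {
    return { ok: false, error: "invalid_grant" };
  }
  return { ok: true, clientId: record.clientId };
}
```

Only when redeemCode returns ok should the handler go on to sign and return an access token.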

Customizing your MCP Server

To add your own tools to the MCP server, define each tool inside the init() method of src/index.ts using this.server.tool(...).

Connecting to the OAuth-Protected MCP Server

Using OAuth with MCP Clients

To connect to this OAuth-protected MCP server, your client needs to:

  1. Implement OAuth 2.0 Authorization Code Flow
  2. Store and use the access token in the Authorization: Bearer <token> header

Example: Manual OAuth Flow

You can test the OAuth flow manually:

  1. Get an authorization code:

    https://your-worker.workers.dev/oauth/authorize?client_id=test-client&redirect_uri=http://localhost:3000/callback&response_type=code
    
    • Log in with admin / test123
    • You'll be redirected with a code parameter
  2. Exchange code for access token:

    curl -X POST https://your-worker.workers.dev/oauth/token \
      -d "grant_type=authorization_code" \
      -d "code=YOUR_CODE_HERE" \
      -d "redirect_uri=http://localhost:3000/callback" \
      -d "client_id=test-client"
    
  3. Use the access token:

    curl https://your-worker.workers.dev/sse \
      -H "Authorization: Bearer YOUR_ACCESS_TOKEN_HERE"
    

Connect Claude Desktop to your MCP server

Note: Standard MCP clients like mcp-remote don't currently support OAuth out of the box. You'll need to either:

  1. Use a custom OAuth-aware MCP client that handles the OAuth flow
  2. Pre-authenticate and inject the token into the client configuration
  3. Build a proxy that handles OAuth and forwards authenticated requests

For development/testing with Claude Desktop, you may need to temporarily disable auth or use a tool that handles OAuth for you.

Connect to Cloudflare AI Playground

The Cloudflare AI Playground may require OAuth configuration. Check their documentation for OAuth integration:

  1. Go to https://playground.ai.cloudflare.com/
  2. Configure OAuth settings with your authorization and token endpoints
  3. Enter your deployed MCP server URL (remote-mcp-server-authless.<your-account>.workers.dev/sse)

Security Notes

⚠️ Important: This implementation uses:

  • Hardcoded credentials for testing (admin / test123)
  • In-memory storage for codes and tokens (lost on worker restart)
  • A static secret key for JWT signing

For production use, you should:

  1. Move credentials to environment variables or Cloudflare Secrets
  2. Use Cloudflare KV or Durable Objects for persistent token storage
  3. Use a secure, randomly generated secret key from environment variables
  4. Implement proper client registration and client secrets
  5. Add rate limiting and brute-force protection
  6. Consider using refresh tokens for long-lived access