mcpx by rossja - MCP Server

MCP Test Server

This is a tool to assist with offensive security testing of MCP clients. It serves MCP tools over Streamable HTTP for remote hosting, compliant with the 2025-03-26 MCP specification.

Default Tools

The server provides several tools out-of-the-box:

A basic "echo" that repeats whatever is passed as a "saythis" parameter
A tool that tells the requester what their source ip address appears to be
A tool to tell the current weather when given a postal code as a parameter

Getting Started

Prerequisites

Python 3.13+
uv (recommended) or pip

Local Development

Clone the repository
Install dependencies:
```
uv sync
```

Run the server:

uv run uvicorn app.main:app --host 0.0.0.0 --port 8080

Docker Deployment

The project includes a production-ready Dockerfile.

docker build -t mcp-test-server .
docker run -p 8080:8080 mcp-test-server

Configuration

The server is configured via environment variables:

Variable	Description	Default
`PORT`	Port to listen on	8080
`AUTH_MODE`	Authentication mode: `none`, `token`, `oauth2`	`none`
`AUTH_TOKEN`	Static token for `token` mode
`OAUTH_CLIENT_ID`	Client ID for `oauth2` mode
`OAUTH_CLIENT_SECRET`	Client Secret for `oauth2` mode (used as JWT secret)
`OPENWEATHER_API_KEY`	API Key for OpenWeatherMap (for weather tool)

API & Transport

This server implements the Streamable HTTP transport.

Endpoint: POST /mcp
Protocol: JSON-RPC 2.0
Supported Methods: initialize, tools/list, tools/call

Example Request

curl -X POST http://localhost:8080/mcp \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -d '{
    "jsonrpc": "2.0", 
    "method": "tools/list", 
    "id": 1
  }'

Authentication

By default the server runs in "noauth" mode.

none: No authentication is required.
token: Validates Authorization: Bearer <AUTH_TOKEN>
oauth2: Validates JWT signed with OAUTH_CLIENT_SECRET. Endpoint /token issues tokens given valid client_id and client_secret.