arcade-mcp/libs/arcade-mcp-server
Eric Gustin 98fd13c4ed
Front-Door Auth (#696)
# Valuable references for the reviewer:
- Docs PR: https://github.com/ArcadeAI/docs/pull/583
- Implements Phase 1 of the following planning doc:
https://linear.app/arcadedev/project/arcade-mcp-supports-mcp-auth-front-door-auth-7cbaa20cb054/overview


https://github.com/user-attachments/assets/79ad43fd-f5e8-4793-a1dd-18b35acefdc3

# PR Description
Adds OAuth 2.1 Resource Server authentication to arcade-mcp-server,
enabling HTTP MCP servers to validate Bearer tokens on every request.
This unlocks tool-level authorization and secrets support for HTTP
servers.

- Multiple authorization server support
- Granular token validation options (verify_exp, verify_iat, verify_iss)
- Environment variable configuration
- OAuth discovery metadata endpoint
(/.well-known/oauth-protected-resource)
- Extracts sub claim from token as context.user_id
- Lifts transport restrictions for tools requiring auth/secrets on HTTP
when protected

```python
from arcade_mcp_server import MCPApp
from arcade_mcp_server.resource_server import ResourceServerAuth, AuthorizationServerEntry

resource_server_auth = ResourceServerAuth(
    canonical_url="http://127.0.0.1:8000/mcp",
    authorization_servers=[
        AuthorizationServerEntry(
            authorization_server_url="https://auth.example.com",
            issuer="https://auth.example.com",
            jwks_uri="https://auth.example.com/jwks",
        )
    ],
)

app = MCPApp(name="my_server", version="1.0.0", auth=resource_server_auth)
```

# Testing
Beyond the comprehensive unit tests, I also manually tested end-to-end
with WorkOS AuthKit (DCR) and Keycloak (non-DCR).

# Future Work
- CIMD support
- An `ArcadeResourceServer` to make adding front-door auth super easy
when using Arcade's Auth Server



<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Adds OAuth 2.1 front-door auth (JWKS validation + OAuth discovery) and
propagates user identity to tools, enabling auth/secret-requiring tools
over HTTP.
> 
> - **Authentication (Front-Door OAuth 2.1)**
> - New `resource_server` module with `ResourceServerAuth`
(multi-authorization-server, metadata) and `JWKSTokenValidator`
(JWKS-based JWT validation) plus granular validation options.
> - ASGI `ResourceServerMiddleware` validates Bearer tokens on every
HTTP request and injects `resource_owner`.
> - OAuth discovery endpoint via FastAPI router at
`/.well-known/oauth-protected-resource[/<path>]`.
> - **Integration**
> - `MCPApp`/`worker` accept `auth`/`resource_server_validator`, mount
middleware, expose discovery; logs accepted auth servers.
> - HTTP transport (`http_streamable`) carries `SessionMessage` with
`resource_owner` from request → session.
> - `Context`/`Session`/`Server` plumb `resource_owner`; `Server`
selects `user_id` preferring token `sub`.
> - **Behavior Changes**
> - HTTP transport restriction lifted for tools requiring
`authorization`/`secrets` when request is authenticated; otherwise
blocked with actionable error.
> - **Configuration**
> - Env-var based auth config via `MCP_RESOURCE_SERVER_*` in
`MCPSettings.ResourceServerSettings`; `.env` auto-load.
> - **Telemetry**
>   - Usage tracking records `resource_server_type` on server start.
> - **Examples**
> - New `examples/mcp_servers/authorization` sample server (HTTP auth,
secrets, Reddit tool) with Docker setup.
> - **Tests**
> - Extensive unit tests for validators, middleware, env config,
multi-AS, transport rules, and app integration.
> - **Version**
> - Bump `arcade-mcp-server` to `1.12.0`; minor docstring tweak in
`__init__.py`.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
d1116cdcafb0c7cb8f91e66682eb1fbae380da31. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->





Resolves TOO-152
2025-12-11 12:51:20 -08:00
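
The per-request claim checks the commit message above describes (issuer matched against several authorization servers, `exp`/`iat` toggles, `sub` used as the user id), as an added example that is not code from arcade-mcp-server. `check_claims`, `ValidationOptions`, `TokenRejected`, the `leeway` value and the audience check against the canonical URL are assumptions, and the JWT signature is assumed to have been verified already against the JWKS of the server named in `iss`.

```python
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class ValidationOptions:      # hypothetical; field names follow the options listed on the page
    verify_exp: bool = True
    verify_iat: bool = True
    verify_iss: bool = True
    leeway: int = 30          # assumed clock-skew allowance, in seconds

class TokenRejected(Exception):
    """Raised when a claim check fails; the caller answers with HTTP 401."""

def check_claims(claims, canonical_url, issuers, opts=ValidationOptions(), now=None):
    """Return the user id (`sub`) for signature-verified claims, or raise TokenRejected."""
    now = time.time() if now is None else now
    if opts.verify_iss and claims.get("iss") not in issuers:
        raise TokenRejected("issuer is not a configured authorization server")
    # Audience binding: a token minted for a different resource must not be accepted here.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if canonical_url not in audiences:
        raise TokenRejected("token audience is not this resource server")
    if opts.verify_exp:
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)) or now > exp + opts.leeway:
            raise TokenRejected("exp missing or token expired")
    if opts.verify_iat:
        iat = claims.get("iat")
        if not isinstance(iat, (int, float)) or iat > now + opts.leeway:
            raise TokenRejected("iat missing or in the future")
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise TokenRejected("no sub claim to use as user_id")
    return sub

# Constructed sample data (not taken from the project or from a real token).
CANONICAL_URL = "http://127.0.0.1:8000/mcp"
ISSUERS = {"https://auth.example.com", "https://login.example.org"}
SAMPLE = {"iss": "https://auth.example.com", "aud": CANONICAL_URL,
          "sub": "user-123", "iat": 1_700_000_000, "exp": 1_700_003_600}

if __name__ == "__main__":
    print(check_claims(SAMPLE, CANONICAL_URL, ISSUERS, now=1_700_000_100))
```

Turning off `verify_exp` or `verify_iss` widens what the server accepts, so each disabled check is worth a logged justification in deployment config.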
arcade_mcp_server Front-Door Auth (#696) 2025-12-11 12:51:20 -08:00
Makefile remove mkdocs for arcade-mcp (#617) 2025-10-13 10:47:41 -07:00
pyproject.toml Front-Door Auth (#696) 2025-12-11 12:51:20 -08:00
README.md Server start events (#635) 2025-10-22 16:14:52 -07:00

Arcade MCP Server


Arcade MCP (Model Context Protocol) Server enables AI assistants and development tools to interact with your Arcade tools through a standardized protocol. Build, deploy, and integrate MCP servers seamlessly across different AI platforms.

Features

  • 🚀 FastAPI-like Interface - Simple, intuitive API with MCPApp
  • 🔧 Tool Discovery - Automatic discovery of tools in your project
  • 🔌 Multiple Transports - Support for stdio and HTTP/SSE
  • 🤖 Multi-Client Support - Works with Claude, Cursor, and more
  • 📦 Package Integration - Load installed Arcade packages
  • 🔐 Built-in Security - Environment-based configuration and secrets
  • 🔄 Hot Reload - Development mode with automatic reloading
  • 📊 Production Ready - Deploy with Docker, systemd, PM2, or cloud platforms

Getting Started

Installation

```bash
pip install arcade-mcp-server
```

Create Your First Server

```python
from arcade_mcp_server import MCPApp
from typing import Annotated

app = MCPApp(name="my-tools", version="1.0.0")

@app.tool
def greet(name: Annotated[str, "Name to greet"]) -> str:
    """Greet someone by name."""
    return f"Hello, {name}!"

if __name__ == "__main__":
    app.run()
```

Run Your Server

```bash
# For development
python my_tools.py

# For Claude Desktop
python -m arcade_mcp_server stdio

# For HTTP clients
python -m arcade_mcp_server --host 0.0.0.0 --port 8080
```

Community

Analytics & Privacy

Arcade MCP Server collects anonymous usage data to help us improve the service and debug issues. We track "MCP server start" events to understand server usage patterns and reliability.

What We Track

When the server starts, we collect the following information:

  • Server configuration: transport type (http or stdio), host, port
  • Server metadata: tool count, server version
  • Runtime environment: Python version, OS type and release
  • Timing: device timestamp
  • Errors: error messages (if startup fails)

Privacy

  • For anonymous users: Events are tracked with an anonymous ID and no user profile is created
  • For authenticated users: Events are linked to your account to help us provide better support
  • No sensitive data (credentials, tool inputs/outputs, or personal information) is ever collected

Opt Out

To disable usage tracking, set the environment variable ARCADE_USAGE_TRACKING to 0.

License

Arcade MCP Server is open source software licensed under the MIT license.