# Valuable references for the reviewer:
- Docs PR: https://github.com/ArcadeAI/docs/pull/583
- Implements Phase 1 of the following planning doc: https://linear.app/arcadedev/project/arcade-mcp-supports-mcp-auth-front-door-auth-7cbaa20cb054/overview

https://github.com/user-attachments/assets/79ad43fd-f5e8-4793-a1dd-18b35acefdc3

# PR Description
Adds OAuth 2.1 Resource Server authentication to arcade-mcp-server, enabling HTTP MCP servers to validate Bearer tokens on every request. This unlocks tool-level authorization and secrets support for HTTP servers.

- Multiple authorization server support
- Granular token validation options (verify_exp, verify_iat, verify_iss)
- Environment variable configuration
- OAuth discovery metadata endpoint (/.well-known/oauth-protected-resource)
- Extracts sub claim from token as context.user_id
- Lifts transport restrictions for tools requiring auth/secrets on HTTP when protected

```python
from arcade_mcp_server import MCPApp
from arcade_mcp_server.resource_server import ResourceServerAuth, AuthorizationServerEntry

resource_server_auth = ResourceServerAuth(
    canonical_url="http://127.0.0.1:8000/mcp",
    authorization_servers=[
        AuthorizationServerEntry(
            authorization_server_url="https://auth.example.com",
            issuer="https://auth.example.com",
            jwks_uri="https://auth.example.com/jwks",
        )
    ],
)

app = MCPApp(name="my_server", version="1.0.0", auth=resource_server_auth)
```

# Testing
Beyond the comprehensive unit tests, I also manually tested end-to-end with WorkOS Authkit (DCR) and KeyCloak (non-DCR).

# Future Work
- CIMD support
- An `ArcadeResourceServer` to make adding front-door auth super easy when using Arcade's Auth Server

---
> [!NOTE]
> Adds OAuth 2.1 front-door auth (JWKS validation + OAuth discovery) and propagates user identity to tools, enabling auth/secret-requiring tools over HTTP.
>
> - **Authentication (Front-Door OAuth 2.1)**
>   - New `resource_server` module with `ResourceServerAuth` (multi-authorization-server, metadata) and `JWKSTokenValidator` (JWKS-based JWT validation) plus granular validation options.
>   - ASGI `ResourceServerMiddleware` validates Bearer tokens on every HTTP request and injects `resource_owner`.
>   - OAuth discovery endpoint via FastAPI router at `/.well-known/oauth-protected-resource[/<path>]`.
> - **Integration**
>   - `MCPApp`/`worker` accept `auth`/`resource_server_validator`, mount middleware, expose discovery; logs accepted auth servers.
>   - HTTP transport (`http_streamable`) carries `SessionMessage` with `resource_owner` from request → session.
>   - `Context`/`Session`/`Server` plumb `resource_owner`; `Server` selects `user_id` preferring token `sub`.
> - **Behavior Changes**
>   - HTTP transport restriction lifted for tools requiring `authorization`/`secrets` when request is authenticated; otherwise blocked with actionable error.
> - **Configuration**
>   - Env-var based auth config via `MCP_RESOURCE_SERVER_*` in `MCPSettings.ResourceServerSettings`; `.env` auto-load.
> - **Telemetry**
>   - Usage tracking records `resource_server_type` on server start.
> - **Examples**
>   - New `examples/mcp_servers/authorization` sample server (HTTP auth, secrets, Reddit tool) with Docker setup.
> - **Tests**
>   - Extensive unit tests for validators, middleware, env config, multi-AS, transport rules, and app integration.
> - **Version**
>   - Bump `arcade-mcp-server` to `1.12.0`; minor docstring tweak in `__init__.py`.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit d1116cdcafb0c7cb8f91e66682eb1fbae380da31. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

Resolves TOO-152
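The claim checks and discovery metadata named in the PR description above can be illustrated with a standard-library sketch. This is an added example, not arcade-mcp-server's code: it assumes the JWT signature was already verified against the issuer's JWKS, and the function names, the second issuer, and the audience check against the canonical URL are assumptions made for illustration.

```python
import time
from urllib.parse import urlsplit

# Constructed sample configuration; the second issuer is a placeholder.
CANONICAL_URL = "http://127.0.0.1:8000/mcp"
ACCEPTED_ISSUERS = {"https://auth.example.com", "https://login.example.org"}

class TokenRejected(Exception):
    """A claim check failed; the HTTP layer should answer 401."""

def check_claims(claims, *, now=None, verify_exp=True,
                 verify_iat=True, verify_iss=True):
    """Check claims of a JWT whose signature has ALREADY been verified."""
    now = time.time() if now is None else now
    if verify_iss and claims.get("iss") not in ACCEPTED_ISSUERS:
        raise TokenRejected("issuer is not an accepted authorization server")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if CANONICAL_URL not in audiences:  # assumed audience binding
        raise TokenRejected("token was not issued for this resource")
    if verify_exp:
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)) or exp <= now:
            raise TokenRejected("exp missing or in the past")
    if verify_iat:
        iat = claims.get("iat")
        if not isinstance(iat, (int, float)) or iat > now:
            raise TokenRejected("iat missing or in the future")
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise TokenRejected("sub is required to identify the user")
    return sub  # the per-request user identity

def metadata_url(resource=CANONICAL_URL):
    """RFC 9728: the well-known segment goes before the resource path."""
    u = urlsplit(resource)
    path = u.path.rstrip("/")
    return f"{u.scheme}://{u.netloc}/.well-known/oauth-protected-resource{path}"

def challenge():
    """WWW-Authenticate value sent with a 401 so clients can find metadata."""
    return f'Bearer resource_metadata="{metadata_url()}"'

def protected_resource_metadata():
    """Document served at metadata_url()."""
    return {"resource": CANONICAL_URL,
            "authorization_servers": sorted(ACCEPTED_ISSUERS),
            "bearer_methods_supported": ["header"]}
```

Turning off `verify_exp` or `verify_iss` widens what the server accepts, so each disabled check should correspond to a known limitation of the identity provider rather than a default.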
Arcade MCP Server
Arcade MCP (Model Context Protocol) Server enables AI assistants and development tools to interact with your Arcade tools through a standardized protocol. Build, deploy, and integrate MCP servers seamlessly across different AI platforms.
Quick Links
- Quickstart Guide - Get up and running in minutes
- Walkthrough - Learn by example
- API Reference - MCPApp API documentation
Features
- 🚀 FastAPI-like Interface - Simple, intuitive API with `MCPApp`
- 🔧 Tool Discovery - Automatic discovery of tools in your project
- 🔌 Multiple Transports - Support for stdio and HTTP/SSE
- 🤖 Multi-Client Support - Works with Claude, Cursor, and more
- 📦 Package Integration - Load installed Arcade packages
- 🔐 Built-in Security - Environment-based configuration and secrets
- 🔄 Hot Reload - Development mode with automatic reloading
- 📊 Production Ready - Deploy with Docker, systemd, PM2, or cloud platforms
Getting Started
Installation
```bash
pip install arcade-mcp-server
```
Create Your First Server
```python
from arcade_mcp_server import MCPApp
from typing import Annotated

app = MCPApp(name="my-tools", version="1.0.0")

@app.tool
def greet(name: Annotated[str, "Name to greet"]) -> str:
    """Greet someone by name."""
    return f"Hello, {name}!"

if __name__ == "__main__":
    app.run()
```
Run Your Server
```bash
# For development
python my_tools.py

# For Claude Desktop
python -m arcade_mcp_server stdio

# For HTTP clients (0.0.0.0 listens on all network interfaces)
python -m arcade_mcp_server --host 0.0.0.0 --port 8080
```
Community
Analytics & Privacy
Arcade MCP Server collects anonymous usage data to help us improve the service and debug issues. We track "MCP server start" events to understand server usage patterns and reliability.
What We Track
When the server starts, we collect the following information:
- Server configuration: transport type (`http` or `stdio`), host, port
- Server metadata: tool count, server version
- Runtime environment: Python version, OS type and release
- Timing: device timestamp
- Errors: error messages (if startup fails)
Privacy
- For anonymous users: Events are tracked with an anonymous ID and no user profile is created
- For authenticated users: Events are linked to your account to help us provide better support
- No sensitive data (credentials, tool inputs/outputs, or personal information) is ever collected
Opt Out
To disable usage tracking, set the environment variable ARCADE_USAGE_TRACKING to 0.
License
Arcade MCP Server is open source software licensed under the MIT license.