Implements OAuth authentication by delegating authorization to Auth0, allowing secure user authentication and authorization for MCP clients without requiring manual client registration.
Provides Docker support for running and testing the MCP server with the Model Context Protocol inspector tool.
Supports environment variable configuration through .env files for easy server setup and configuration.
Mentioned as a potential third-party authorization server that the OAuth Proxy can delegate to, enabling user authentication through GitHub credentials.
Mentioned as a potential third-party authorization server that the OAuth Proxy can delegate to, enabling user authentication through Google credentials.
Leverages npm for package management and running scripts for development and testing.
Built with TypeScript, providing type safety and modern JavaScript features for the MCP server implementation.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@MCP Server Boilerplatelist my S3 buckets and show the latest objects"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
MCP Server Playground
A playground for Model Context Protocol (MCP) server built with TypeScript and Streamable HTTP transport with an OAuth Proxy for 3rd party authorization servers like Auth0.
Features
MCP 2025-06-18 Compliant: Full compliance with the latest MCP specification including SSE resumability, tool annotations, and structured content.
MCP Server implementation: HTTP-Based Streamable transport using
@modelcontextprotocol/sdkwith HTTP transport, session management, and tool execution.SSE Resumability: Clients can reconnect with
Last-Event-IDheader to resume receiving events after connection breaks, powered by EventStore.OAuth authentication/3rd party authorization: Implements an OAuth server for MCP clients with RFC 8707 Resource Indicators and RFC 9728 authorization discovery, delegating to Auth0.
Storage: Pluggable storage abstraction (Memory/Valkey) with EventStore for SSE event persistence and replay.
Session Management: Support stateful sessions by using replay of initial request for distributed deployments.
Security: Strict Origin validation to prevent DNS rebinding attacks, WWW-Authenticate headers for authorization discovery.
Tools:
aws-ecs: Investigate the ECS service, task and cloudwatch logs using AWS ECS, Cloudwatch Logs and Bedrockaws-s3: Get the list of S3 buckets and objectssystem-time: Get the current system time in various formats with timezone supportecho: Echo a message back with transformations, repetitionstreaming: Simulate real-time streaming data with live updatesproject: Find keywords in the current project directory
Resources:
echo://documentation: Documentation for the echo tool (static resource)echo://result/{resultId}: Access echo operation results (resource template)
Prompts:
echo
Related MCP server: Auth0 OAuth MCP Server
Documentation
Architecture Overview - System design, data flows, and diagrams
Environment Variables - Configuration options
Tool Documentation (in each tool directory):
Resource Documentation: src/resources/README.md - MCP resources overview
Why this project exists?
The Model Context Protocol spec requires Dynamic Application Registration because it provides a standardized way for MCP clients to automatically register with new servers and obtain OAuth client IDs without user interaction. The main reason for this mechanism is because MCP clients can't know all possible services in advance and manual registration would create significant effort for users and it is not scalable. If do not support Dynamic Application Registration, then MCP clients need to provide OAuth client ID and secret to the server, which is not secure and not scalable.
However, enabling Dynamic Application Registration (if supported) becomes a security risk because the endpoint is a public endpoint that anyone can create OAuth clients. It can easily be abused, such as by flooding with unwanted client registrations. Hence, Auth0 has disabled Dynamic Application Registration
As a result, this project provides a way to enable Dynamic Application Registration for MCP server by using OAuth Proxy, but delegating authorization to 3rd party authorization server like Auth0, Github, Google, etc.
Endpoints
Endpoint | Description |
GET /ping | Ping the server |
POST /mcp | MCP protocol request with authentication |
DELETE /mcp | Session termination |
GET /.well-known/oauth-authorization-server | OAuth authorization server metadata |
GET /.well-known/oauth-protected-resource | OAuth protected resources metadata |
POST /oauth/register | Register a new MCP client |
GET /oauth/authorize | Handle authorization request |
POST /oauth/token | Handle token request |
POST /oauth/revoke | Handle token revocation |
GET /oauth/stats | Get OAuth service statistics |
GET /oauth/auth0-callback | Handle Auth0 callback |
Getting Started
Installation
Clone the repository:
git clone <your-repo> cd mcp-server-playgroundInstall Bun (if not already installed):
curl -fsSL https://bun.sh/install | bashInstall dependencies:
bun installSet up environment variables:
cp .env.example .envSet up the MCP server for local development
bun run dev:setup
Helm Chart
Set up the MCP server for Cursor
Create MCP configuration file for local build
Create a
.cursor/mcp.jsonfile in your project directory (for project-specific setup) or~/.cursor/mcp.jsonin your home directory (for global setup):{ "mcpServers": { "mcp-server-playground-cursor": { "type": "http", "url": "http://localhost:3000/mcp" } } }
Use MCP Inspector to test the server
Copy
mcp-config.example.jsontomcp-config.jsonEdit
mcp-config.jsonto point to the correct MCP serverRun the inspector
docker compose up -d # Then run the inspector bunx @modelcontextprotocol/inspector -y --config ./mcp-config.json --server mcp-server-playground-inspectoror
docker compose up -d bun run test:inspector
Setup Auth0 for authorization
Create a new application in Auth0
Go to Auth0 Dashboard
Click on "Applications"
Click on "Create Application"
Name: MCP Server Playground
Application Type: Regular Web Application
Click on "Create"
Set up the application
Click on "Settings"
Set the following settings:
Allowed Callback URLs:
http://localhost:3000/oauth/auth0-callbackAllowed Web Origins:
http://localhost:3000
Create a new API
Click on "APIs"
Click on "Create API"
Name: MCP Server Playground
Identifier:
urn:mcp-server-playgroundJSON Web Token (JWT) Profile: Auth0
JSON Web Token (JWT) Signature Algorithm: RS256
Click on "Create"
How to make stateful session with multiple MCP Server instances?
When the MCP server is deployed as a cluster, it is not possible to make it stateful with multiple MCP Server instances because the transport is not shared between instances by design.
To make it truly stateful, I used Valkey to store the session id with the initial request.
When the request comes in to alternative MCP server instance, it will check if the session id is in the Valkey. If it is, it will replay the initial request and connect the transport to the server.
Inspired from https://github.com/modelcontextprotocol/modelcontextprotocol/discussions/102
See Architecture - Stateful Session Management for the detailed sequence diagram.
TODO
Streaming is not working as expected. It returns the final result instead of streaming the data.
Screenshots
Metadata Discovery | Client Registration | Preparing Authorization |
Authorization with 3rd party server | Request Authorization and acquire authorization code | Token Request and Authentication Complete |