Stackbilt MCP Gateway
OAuth-authenticated Model Context Protocol (MCP) gateway for Stackbilt platform services. Built as a Cloudflare Worker using @cloudflare/workers-oauth-provider.
What It Does
A single MCP endpoint (mcp.stackbilt.dev/mcp) that routes tool calls to multiple backend product workers:
Backend | Tools | Description |
Stackbilder | | Architecture flow orchestration |
img-forge | | AI image generation |
Key Features
OAuth 2.1 with PKCE — GitHub SSO, Google SSO, and email/password authentication
Backend adapter pattern — tool catalogs aggregated from multiple service bindings, namespaced to avoid collisions
Security Constitution compliance — every tool declares a risk level (READ_ONLY, LOCAL_MUTATION, EXTERNAL_MUTATION); structured audit logging with secret redaction; HMAC-signed identity tokens
Coming-soon gate — PUBLIC_SIGNUPS_ENABLED flag to control public access
MCP JSON-RPC over HTTP — supports both streaming (SSE) and request/response transport
Quick Start
Prerequisites
Node.js 18+
Wrangler CLI (npm i -g wrangler)
Cloudflare account with the required service bindings configured
Install & Run
npm install
npm run dev
Run Tests
npm test
Deploy
npm run deploy
Deploys to the mcp.stackbilt.dev custom domain via Cloudflare Workers.
Environment Variables & Secrets
Name | Type | Description |
| Secret | HMAC-SHA256 key for signing identity tokens |
| Variable | Base URL for OAuth redirects (e.g. |
| Service Binding | RPC to |
| Service Binding | Route to |
| Service Binding | Route to |
| KV Namespace | Stores social OAuth state (5-min TTL entries) |
| Queue | BizOps audit event pipeline ( |
Set secrets with:
wrangler secret put SERVICE_BINDING_SECRET
Project Structure
src/
index.ts # Entry point — OAuthProvider setup, CORS, health check bypass
gateway.ts # MCP JSON-RPC transport, session management, tool dispatch
oauth-handler.ts # OAuth 2.1 flows: login, signup, social SSO, consent
tool-registry.ts # Tool catalog aggregation, namespacing, schema validation
audit.ts # Structured audit logging, secret redaction, trace IDs
auth.ts # Bearer token extraction & validation
route-table.ts # Static routing table, tool-to-backend mapping, risk levels
types.ts # Type definitions, RiskLevel enum, interfaces
test/
audit.test.ts
auth.test.ts
gateway.test.ts
oauth-handler.test.ts
route-table.test.ts
tool-registry.test.ts
docs/
user-guide.md # End-user guide: account creation, client setup, tool usage
api-reference.md # MCP tool surface, authentication flow, tool routing
architecture.md # System design, security model, request flow
Test Suite
122 tests across 6 test files covering:
OAuth handler — identity token signing/verification, login, signup, social OAuth flows, consent, HTML escaping
Gateway — session lifecycle, initialize, tools/list, tools/call, SSE streaming, error handling
Audit — secret redaction patterns (API keys, bearer tokens, hex hashes, password fields), trace IDs, queue emission
Auth — bearer token extraction, API key vs JWT validation, error mapping
Tool registry — catalog building, name mapping, schema validation, risk level enforcement
Route table — route resolution, risk level lookup
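Added example, not code from this repository: one way to redact an audit event before it is logged or queued, covering the four pattern classes the audit tests are listed as exercising (API keys, bearer tokens, hex hashes, password fields). The regexes, the `sk_`/`pk_`/`key_` API key prefixes, the field names and the sample event are assumptions.

```typescript
// Added example; patterns, key names and the sample event are assumptions,
// not taken from the project's audit.ts.
const REDACTED = "[REDACTED]";

// Field names whose values are dropped outright, whatever they contain.
const SENSITIVE_KEY = /passw(or)?d|secret|token|api[_-]?key|authorization/i;

// Value patterns scrubbed wherever they occur inside a string.
const VALUE_PATTERNS: RegExp[] = [
  /\bBearer\s+[A-Za-z0-9._~+\/-]+=*/g,     // bearer tokens
  /\b(?:sk|pk|key)_[A-Za-z0-9_]{16,}\b/g,  // API keys (assumed prefix format)
  /\b[a-f0-9]{32,}\b/gi,                   // hex hashes, MD5 length and longer
];

function redactString(s: string): string {
  return VALUE_PATTERNS.reduce((acc, re) => acc.replace(re, REDACTED), s);
}

// Returns a redacted deep copy; the caller's object is never mutated.
function redact(value: unknown, depth = 0): unknown {
  if (depth > 8) return REDACTED; // fail closed on very deep input
  if (typeof value === "string") return redactString(value);
  if (Array.isArray(value)) return value.map((v) => redact(v, depth + 1));
  if (value !== null && typeof value === "object") {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      out[k] = SENSITIVE_KEY.test(k) ? REDACTED : redact(v, depth + 1);
    }
    return out;
  }
  return value; // numbers, booleans, null, undefined pass through
}

// Constructed sample audit event (all values are made up).
const sampleEvent = {
  trace_id: "trace-0001",
  tool: "example_tool",
  args: { prompt: "draw a cat", password: "hunter2" },
  headers: { authorization: "Bearer abc.def.ghi" },
  note: "upstream said: Bearer abc.def.ghi rejected, key sk_0123456789abcdefXYZ",
  digest: "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
};

function redactedSample(): Record<string, unknown> {
  return redact(sampleEvent) as Record<string, unknown>;
}
```

Key-name matching deliberately over-redacts (any field whose name contains `token` or `secret` is dropped). The hex rule would also scrub a trace ID written as 32 or more hex characters, so such an ID needs a format the rule does not match or an explicit allowlisted field.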
npm test # single run
npm run test:watch # watch mode
Documentation
User Guide — account creation, client setup, tool usage
API Reference — MCP tools, authentication, tool routing
Architecture — system design, security model, data flow
License
Proprietary — Stackbilt, Inc.