starlink-enterprise-mcp
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@starlink-enterprise-mcplist my Starlink terminals and their status"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Starlink Enterprise MCP Server
๐ฐ๏ธ Hosted, multi-account MCP for the Starlink Enterprise API Any AI agent โ Claude, ChatGPT, anything that speaks MCP โ connects with a real Starlink V2 Service Account, drives the full Enterprise API, and stays connected indefinitely. The Client Secret never touches the model.
โก Features
๐ Hosted OAuth proxy with API-key login โ The server is the OAuth 2.1 authorization server. But Starlink has no interactive OAuth and no MFA, so the browser login page doesn't ask for a username and password โ it asks for a Service Account Client ID + Client Secret. The server validates them with a
client_credentialsgrant; credentials never enter the model's context.๐ Transparent token re-minting โ Starlink bearer tokens are short-lived (~15 min) and have no refresh token. The server stores the service-account credentials alongside the issued MCP token and silently re-mints a fresh bearer before expiry, and again on any
401. AI sessions stay alive across long conversations.๐ช Stateless login state โ OAuth pending state rides in HMAC-signed
HttpOnlycookies, so logins survive container restarts and Cloud Run instance switches.๐๏ธ Firestore persistence โ Issued tokens and DCR client registrations survive deploys and scaling events when
MCP_PERSISTENCE=firestore.๐ค Claude and ChatGPT support โ Public-client dynamic registration (
token_endpoint_auth_method=none, PKCE only) means ChatGPT connects out of the box alongside confidential clients like Claude.๐งฌ 55 auto-generated tools from the spec โ The Starlink Enterprise v2 OpenAPI spec, regenerated on every build. Drop in a new spec and rebuild to pick up new endpoints.
๐ฏ No curated layer needed โ At 55 operations the full tool surface fits comfortably in a model's working memory, so every tool is exposed directly with read/write/destructive annotations.
๐ช Operator-tunable โ Disable globs (
MCP_DISABLED_TOOLS=delete_*,*reboot*), a semantic destructive toggle (MCP_DISABLE_DESTRUCTIVE=true), branded login page (MCP_LOGIN_HEADER,MCP_ICON_URL). No code change for per-deployment policy.๐งช A real test suite โ including a draft-2020-12 JSON Schema guard that compiles every tool's input schema on every run.
Related MCP server: m365-mcp-server
๐ How auth differs from a username/password MCP
Username/password OAuth proxy | This server (Starlink) | |
Login page collects | username + password | Service Account Client ID + Client Secret |
Upstream grant |
|
|
MFA | yes | none (service accounts skip MFA) |
Refresh | upstream refresh token | re-run |
Token TTL | hours | ~15 min, re-minted on expiry / 401 |
The DCR + browser-redirect OAuth shell is identical โ what changed is the login form and the upstream grant.
๐๏ธ Architecture
AI client (Claude/ChatGPT)
โ OAuth 2.1 DCR + browser login (PKCE)
โผ
[ Starlink MCP HTTP server (this repo) ] โ OAuth proxy, login page (Client ID + Secret), cookies, Firestore
โ per-account Starlink bearer (client_credentials)
โผ
[ Starlink Enterprise API https://web-api.starlink.com ]Each issued MCP bearer maps to a stored upstream Starlink token plus the service-account credentials used to mint it, so the server can re-mint silently.
๐ป Running locally (stdio)
npm install
npm run build
export STARLINK_CLIENT_ID=<your-service-account-client-id>
export STARLINK_CLIENT_SECRET=<your-service-account-secret>
npm start # MCP_TRANSPORT defaults to stdioCreate a V2 service account at Account Settings โ API V2 Service Accounts (requires the Admin or Service Account Management role).
Add this entry to your local MCP client config (Claude Desktop, etc.):
{
"mcpServers": {
"starlink": {
"command": "node",
"args": ["/path/to/starlink-enterprise-mcp/build/index.js"],
"env": {
"STARLINK_CLIENT_ID": "...",
"STARLINK_CLIENT_SECRET": "..."
}
}
}
}You can also set STARLINK_ACCESS_TOKEN directly to skip the grant if you
already hold a bearer.
๐ Running as a hosted server (HTTP)
export MCP_TRANSPORT=http
export MCP_PORT=3000
export MCP_BASE_URL=https://mcp.example.com
export MCP_SESSION_SECRET=<32+ random hex> # signs login-state cookies
npm startConnect from Claude / ChatGPT by giving it the URL https://mcp.example.com/mcp.
The client DCR-registers, redirects the user to /authorize, the user pastes
their Service Account Client ID + Secret, and the bearer flows back to the AI
automatically. No upstream operator credentials are needed in HTTP mode โ
each user brings their own service account.
โ๏ธ Cloud Run deployment
Ships with a Cloud Run-friendly Dockerfile and cloudbuild.yaml.
Component | Purpose |
Cloud Run service | Runs the HTTP server with session affinity and |
Firestore (native mode) | Persistent token store and DCR client registry |
Cloud Run SA โ | Firestore access |
gcloud builds submit --config cloudbuild.yaml --project=<your-project>Required env vars on Cloud Run:
Var | Notes |
| enable the HTTP transport |
| public URL, e.g. |
| 32+ chars; signs cookies & must be stable across instances |
| enable Firestore-backed tokens and clients |
| Firestore project ID (auto-set on Cloud Run) |
Optional: STARLINK_API_URL, STARLINK_TOKEN_URL (defaults are correct for
production), MCP_LOGIN_HEADER, MCP_ICON_URL, MCP_LOGIN_LOGO_URL,
MCP_DISABLED_TOOLS, MCP_DISABLED_ACTIONS, MCP_DISABLE_DESTRUCTIVE,
MCP_CORS_ORIGIN.
Other targets: fly.toml (Fly.io), render.yaml (Render), railway.toml
(Railway), docker-compose.yml, and k8s/ manifests (apply with
kubectl apply -k k8s/).
Security note on persistence. In HTTP mode the issued-token records hold each user's Starlink service-account Client ID + Secret so the server can re-mint bearers. Protect the token store accordingly โ restrict the Firestore collection / file volume, and rotate
MCP_SESSION_SECRETand service-account secrets per Starlink's guidance if exposure is suspected.
๐ OAuth flow (detailed)
AI client hits
GET /.well-known/oauth-protected-resource/mcpand/.well-known/oauth-authorization-serverfor discovery.AI client POSTs
/register(RFC 7591 DCR). Public clients passtoken_endpoint_auth_method=noneand get back aclient_idonly; confidential clients also get aclient_secret. Registrations persist in Firestore.AI redirects the user's browser to
/authorize?...with PKCE parameters. The server stores the pending request in a signed cookie (mcp_pending_auth, 15 min TTL) and renders the login page.User submits their Service Account Client ID + Client Secret โ server runs
POST {STARLINK_TOKEN_URL}withgrant_type=client_credentials. On success it stores the Starlink token + credentials and issues an authorization code.The server redirects back to the AI client; cookies are cleared.
AI exchanges the code at
/tokenfor the MCP-issued bearer + refresh token.On every
/mcprequest, the server verifies the bearer and transparently re-mints the upstream Starlink token if it's near expiry. On a401from the API, the client re-mints and retries once.
๐งฐ Tools
55 tools generated from spec/starlink-enterprise-v2.json, grouped by tag:
Group | Examples |
Account |
|
Service Lines |
|
User Terminals |
|
Routers |
|
Addresses |
|
Contacts |
|
Data Pools |
|
Flights |
|
Managed |
|
Each tool is annotated readOnlyHint / destructiveHint. Reboots and deletes
are flagged destructive โ hide them all with MCP_DISABLE_DESTRUCTIVE=true, or
selectively with e.g. MCP_DISABLED_TOOLS=delete_*,*reboot*.
Tool names map 1:1 to operations ({method}_{path}, with the /public/v2
prefix stripped). Two deep service-line paths are abbreviated to fit the MCP
64-character name limit.
๐ Regenerating tools
The spec lives at spec/starlink-enterprise-v2.json (sourced from
https://web-api.starlink.com/enterprise/swagger/v2/swagger.json). To refresh:
# drop a new spec into spec/starlink-enterprise-v2.json, then:
npm run generate # rewrites src/generated/
npm run build
npm testnpm run build runs generate automatically via the prebuild hook.
๐งช Tests
npm testThe Firestore-backed tests are emulator-gated and skip cleanly without one.
๐ What this server is
Two MCP transports.
stdiofor local CLI integrations andhttp(Streamable HTTP) for hosted deployments. Production useshttp.Auto-generated tools from the Starlink Enterprise v2 OpenAPI spec, regenerated on every build.
Hosted OAuth login where the login page collects Starlink Service Account credentials (Client ID + Secret), not a username/password. MFA does not apply to service accounts.
Transparent token re-minting via
client_credentials(no refresh token).Firestore persistence for tokens and DCR clients when
MCP_PERSISTENCE=firestore.
License
MIT
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/WiFiWithoutWalls/starlink-enterprise-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server