MCP Connector Test
Authenticates users against Firebase, verifies ID tokens, and reads user profile and plan from Firestore.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@MCP Connector Testwhoami"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
MCP Connector — OAuth 2.1 auth prototype (Firebase-backed)
A small, self-contained remote MCP server that demonstrates the full authentication handshake a
Claude Connector goes through — OAuth 2.1 discovery, dynamic
client registration, PKCE, an interactive sign-in page, and a token-protected tool call. Users are
authenticated against a Firebase project, and a single whoami tool returns their real identity
(profile + plan) read from Firestore.
It was built as a prototype for a Smodin Claude Connector, but it works with any Firebase project — plug in your own and run it.
⚠️ Prototype, not production. This server's own access/refresh tokens are HS256 JWTs signed with a shared secret, and all OAuth state (registered clients, auth codes) is kept in memory and resets on restart. The user identity is real (verified Firebase ID token + Firestore lookup), but the token layer is intentionally simple. Don't deploy this as-is.
How it works
Claude / Inspector This server (:8000) Firebase
│ POST /mcp (no token) ──▶ 401 + WWW-Authenticate
│ reads /.well-known/* ──▶ OAuth discovery + PKCE metadata
│ POST /register ──▶ dynamic client registration
│ opens /authorize ─────▶ 302 → /login (our sign-in page)
│ │ Firebase JS SDK sign-in ──▶ ID token
│ │ POST /login/complete (ID token)
│ │ verify token + read Firestore profile/plan
│ POST /token (+PKCE) ──▶ access + refresh token
│ POST /mcp (Bearer) ───▶ whoami → real identityThe MCP SDK's mcpAuthRouter and requireBearerAuth provide the OAuth HTTP plumbing. This repo
implements the authorization-server logic (OAuthServerProvider), the Firebase sign-in page, and the
Firestore identity lookup.
Related MCP server: Cloudflare Google OAuth MCP Server
Project structure
File | Purpose |
| Express app: OAuth router, sign-in routes, token-protected |
| Environment config; derives all OAuth URLs from |
| Sign/verify the server's JWT access + refresh tokens. |
|
|
| In-memory stores: clients, pending authorizations, auth codes, refresh tokens. |
| Firebase sign-in screen ( |
|
|
| Firestore profile/plan lookup + paid-status logic. |
| MCP server + the |
| Seed a Firestore profile for a test user (optional). |
Prerequisites
Node.js 18+
A Firebase project (a free/throwaway one is fine)
Firebase setup
Authentication → enable a sign-in method. Email/Password is recommended (works on
localhostand any tunnel with no extra config). Google works too, but see the caveat below.Firestore Database → create it (Native mode). Required even if empty — the profile lookup errors if no database exists.
Service account (Project settings → Service accounts → Generate new private key) → download the JSON. This lets the server read Firestore. Keep it outside the repo.
Grab your web app config (Project settings → General → Your apps) for the
FIREBASE_*values.
Configuration
cp .env.example .envFill in .env (see comments in .env.example):
Variable | What it is |
| Your Firebase project id |
| Web API key (public — shipped to the browser) |
|
|
| Absolute path to the service-account JSON |
| Long random string for signing this server's JWTs |
| Only needed behind a tunnel (see below) |
Run
npm install
npm run build # type-check + compile
npm run dev # watch mode on http://localhost:8000Quick health check:
curl http://localhost:8000/.well-known/oauth-authorization-server
curl -i -X POST http://localhost:8000/mcp \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}' # -> 401 + WWW-AuthenticateTest the full flow (MCP Inspector)
npm run inspectIn the Inspector: transport Streamable HTTP, URL http://localhost:8000/mcp, Connect. It runs
OAuth discovery → registration → opens the sign-in page. Sign in with a test user (email/password),
then call whoami — it returns that user's real identity.
On a fresh project with no Firestore documents, whoami returns the real uid/email with
plan: free. To see a real plan, seed a profile:
npm run seed -- <FIREBASE_UID> test@example.com "Test User" premium(Get <FIREBASE_UID> from Firebase console → Authentication → Users. Pass free instead of
premium for a free account.)
Add it to claude.ai
Custom connectors require a paid Claude plan and a public HTTPS URL.
Tunnel to the local server:
cloudflared tunnel --url http://localhost:8000 # or: ngrok http 8000Set
PUBLIC_BASE_URLin.envto the tunnel URL and restart (all OAuth URLs derive from it).In claude.ai → Settings → Connectors → Add custom connector → paste
https://<your-tunnel-host>/mcp.Sign in on the connector's page, then ask Claude to run
whoami.
Caveats
Google sign-in needs an authorized domain.
signInWithPopuprequires the app origin to be in the Firebase project's Authorized domains.localhostis allowed by default; ad-hoc tunnel hosts are not (you'd add them). Email/password has no such restriction.Project alignment. The ID token's
aud, the client-configprojectId, and the adminprojectIdmust all be the same Firebase project.The profile/plan is snapshotted into the access token at login (fine for a prototype).
Security notes
Never commit
.envor the service-account JSON — both are gitignored.The web API key is intentionally public; the service-account key is a secret — keep it out of the repo and rotate it if exposed.
Replace the in-memory token layer before any real deployment.
License
MIT — see LICENSE.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/hasnaties/mcp-connector-test'
If you have feedback or need assistance with the MCP directory API, please join our Discord server