MongoDB MCP Server
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@MongoDB MCP Serverlist all databases"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
π MongoDB MCP Server
A ready-to-use integration of the MongoDB MCP Server with multiple deployment modes β from a simple local launcher to a fully secured RBAC gateway with Keycloak authentication.
Explore how to connect AI agents and LLM clients (Claude, VS Code Copilot, Cursor, etc.) to your MongoDB databases through the Model Context Protocol.
π Table of Contents
# | Section | Description |
1 | Compare the three available modes | |
2 | Get running in 2 minutes (basic mode) | |
3 | Directory layout overview | |
4 | Built-in MCP diagnostic client | |
5 | Connect VS Code to the MCP Server | |
6 | Run the full stack with containers | |
7 | Links to detailed guides | |
8 | All available commands at a glance | |
9 | Official docs and specifications |
Related MCP server: mcp-mongo
π Deployment Modes
This project supports three deployment modes, each adding a layer of security on top of the previous one:
π’ Basic Mode β Direct Connection
The simplest setup. The MCP Server runs locally and accepts connections without authentication. Best for local development and quick testing.
ββββββββββββββ ββββββββββββββββ
β Client βββββββββββ>β MCP Server β
β (Agent) β :8008 β (MongoDB) β
ββββββββββββββ ββββββββββββββββWhen to use: Solo development, local experiments, testing tools.
π See Quick Start below.
π‘ Proxy Mode β OAuth 2.1 Authentication
Adds Keycloak as an OAuth 2.1 Authorization Server and a reverse proxy that validates Bearer tokens before forwarding to the MCP Server. Implements the Delegated Authorization pattern.
ββββββββββββββ Bearer ββββββββββββ ββββββββββββββββ
β Client βββtokenββ>β Proxy βββββββββββ>β MCP Server β
β (Agent) β β (RS) β (no auth) β (MongoDB) β
ββββββββββββββ ββββββ¬ββββββ ββββββββββββββββ
β JWKS
ββββββ΄ββββββ
β Keycloak β
β (AS) β
ββββββββββββWhen to use: Shared environments, multiple users, audit requirements.
π See
iac/auth-proxy/for the proxy implementation.
π΄ Gateway Mode β RBAC (Role-Based Tool Filtering)
The most secure mode. Extends Proxy Mode by inspecting MCP messages and filtering tools based on the user's Keycloak realm role. Different users see and can execute different sets of tools.
ββββββββββββββ Bearer ββββββββββββββββ ββββββββββββββββ
β Client βββtokenββ>β RBAC Gateway βββββββββββ>β MCP Server β
β (Agent) β β :4040 β (no auth) β (MongoDB) β
ββββββββββββββ ββββββββ¬ββββββββ ββββββββββββββββ
β JWKS + roles
ββββββ΄ββββββ
β Keycloak β
β (AS) β
ββββββββββββRole | Mode | Access Level |
π | allow | Full access β all tools (RW) |
π | allow | 14 specific tools (RO) |
ποΈ | allow | 5 specific tools (RW) |
π€ | deny | All except |
When to use: Production, teams with different access levels, compliance.
π See doc/gateway.md for the full guide: architecture, step-by-step setup, Keycloak curl examples, token inspection, and RBAC configuration.
π Quick Start
Prerequisites
Node.js v18+
A MongoDB connection string (Atlas or local)
1. Install dependencies
npm install2. Configure environment
cp .env.example .envEdit .env and set your MongoDB connection string:
MDB_MCP_CONNECTION_STRING=mongodb+srv://user:password@cluster.mongodb.net3. Start the MCP Server
npm run mcp:wrapper:start========================================
MongoDB MCP Server
========================================
Status : running
URL : http://127.0.0.1:8008
Endpoint : http://127.0.0.1:8008/mcp
========================================4. Verify with the test client
npm run mcp:client:startAll 7 diagnostic checks should pass (connect, ping, list tools, call tool, list resources, read resource, shutdown).
π Project Structure
mongodb-mcp/
βββ src/
β βββ wrapper/ # π’ MCP Server launcher
β β βββ index.js # Entry point
β β βββ McpServerLauncher.js # Process manager (env, spawn, shutdown)
β βββ gateway/ # π΄ RBAC Gateway (OOP, SOLID/GRASP)
β β βββ index.js # Entry point β config + startup
β β βββ GatewayServer.js # Controller β HTTP server orchestration
β β βββ TokenVerifier.js # JWT/JWKS token verification
β β βββ RoleResolver.js # Role resolution + tool permissions
β β βββ McpInterceptor.js # MCP message filtering/blocking
β β βββ ProxyHandler.js # HTTP reverse proxy to upstream
β βββ client/index.js # π§ͺ MCP test client (direct & auth modes)
βββ cfg/
β βββ roles.json # π§ Role-to-tools mapping config
βββ iac/
β βββ keycloak/
β β βββ realm-export.json # π Keycloak realm (roles, users, scopes)
βββ doc/
β βββ gateway.md # π Full RBAC gateway guide
βββ docker-compose.yml # π³ Keycloak + MCP Server + Gateway
βββ .env # βοΈ Environment configuration
βββ .vscode/mcp.json # π VS Code Copilot MCP configπ§ͺ Test Client
The built-in test client implements the full MCP lifecycle and supports both direct and authenticated modes:
# π’ Direct β no authentication
npm run mcp:client:start
# π΄ Via Gateway β with Keycloak token (uses .env defaults)
npm run mcp:client:gateway
# π΄ Via Gateway β override user from the command line
npm run mcp:client:gateway -- --user mcp-admin --pass admin123The client runs a diagnostic suite: initialize, ping, list tools, call a tool, list resources, read a resource, and graceful shutdown.
π VS Code Copilot Integration
The .vscode/mcp.json file provides two server entries:
Server | URL | Auth |
|
| None |
|
| Bearer |
For mongodb-gateway, VS Code will prompt you to paste a Keycloak access token.
Obtain one first (replace user/password as needed):
curl -s -X POST http://localhost:8080/realms/mcp/protocol/openid-connect/token \
-d "grant_type=password" \
-d "client_id=mcp-client" \
-d "username=mcp-admin" \
-d "password=admin123" \
-d "scope=openid mcp:access" | node -e "
let d=''; process.stdin.on('data',c=>d+=c);
process.stdin.on('end',()=>console.log(JSON.parse(d).access_token));
"Copy the token and paste it when VS Code prompts. See doc/gateway.md for more details and all available users.
π³ Docker Compose
Run the complete stack with a single command:
npm run mcp:docker:startThis starts three services:
Service | Port | Description |
|
| π OAuth 2.1 Authorization Server |
|
| π MongoDB MCP Server |
|
| π‘οΈ RBAC Gateway (validates JWT + roles) |
Stop everything:
npm run mcp:docker:stopπ npm Scripts
Script | Mode | Description |
| π’ | Start the MCP Server locally |
| π’ | Run diagnostics β direct (no auth) |
| π΄ | Start the RBAC Gateway locally |
| π΄ | Run diagnostics β via gateway (with auth) |
| π‘ | Run diagnostics β via proxy (with auth) |
| π³ | Start all Docker services |
| π³ | Stop all Docker services |
π Documentation
Document | Description |
π΄ RBAC Gateway, full guide with Keycloak examples | |
π’ Securing Remote MongoDB MCP Servers: An RBAC Gateway Architecture |
π References
π License
ISC
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/ameksike/mongodb-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server