mcp-starter-kit
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@mcp-starter-kitsearch for documents about climate change"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Production-Ready MCP Server Boilerplate
Ship reliable MCP servers in minutes, not days. A production-ready foundation for building Model Context Protocol servers with built-in security, authentication, and observability.
This is a starter template β not a finished product. You are responsible for reviewing and securing any code before production use.
Don't build from scratch. This kit solves the "boring" parts of MCP server developmentβtransport management, error handling, and security boundariesβso you can focus on your tool's logic.
Works with Claude Code, Cursor, Windsurf, and any MCP-compatible client.
π Why this boilerplate?
Most MCP tutorials show you a "toy" server. This repo gives you a production-grade foundation.
π‘οΈ Secure by Design
SSRF Protection: Blocks requests to private/internal networks (IPv4 + IPv6), including cloud metadata endpoints (
169.254.169.254). DNS resolution is checked to prevent rebinding.JWT Security: Algorithm validation rejects
alg:none, HS384, and RS256 downgrade attacks. Expiry and tampering are verified with constant-time comparison.HMAC-SHA256 Webhook Signatures: Outbound webhooks are signed with
X-Webhook-Signaturewhen a secret is configured.DNS Rebinding Protection: HTTP transport validates
Hostheader against an allowlist.Sandboxed File Access: Prevents AI from reading/writing outside allowed directories, with symlink escape detection.
Strict Input Validation: All tool inputs are validated with Zod schemas.
Injection Protection: SQLite queries use strict parameter binding.
Security tested: 30+ security-focused test cases covering OWASP top threats (SSRF, injection, path traversal, auth bypass).
π Built for Real Projects
Authentication: Built-in strategies for API Key and JWT (configurable per env).
Rate Limiting: Token bucket algorithm to prevent abuse.
Observability: Structured JSON logging (via
pino) ready for CloudWatch/Datadog.
β‘ Developer Experience (DX)
Type-Safe:
strict: trueTypeScript configuration, ESM, fully typed.Testing: 228 tests (unit, integration, and E2E) with Vitest, including 30+ security-focused cases.
Dockerized: Multi-stage Dockerfile for immediate deployment.
Related MCP server: mcp-server-toolkit
π¦ What's Included
Feature | This Boilerplate | Basic Tutorials |
Transport | HTTP (SSE) + Stdio | Stdio only |
Validation | Zod Schemas | Manual / None |
Logging | Structured JSON |
|
Error Handling | Graceful + MCP Codes | Process crash |
CI/CD | GitHub Actions | None |
Reference Implementations
Includes 6 fully-typed tools to copy-paste patterns from:
database-query: Secure SQLite operations.api-connector: Fetch data from external REST APIs.file-manager: Safe file system operations (5 sub-tools).cache-store: TTL-based key-value cache with namespaces (5 sub-tools).semantic-search: Local RAG with embeddings (3 tools + 2 resources + 1 prompt).webhook-notifier: Async webhook delivery with task tracking (4 tools + 2 resources + 1 prompt).
π Quick Start
Prerequisites
Node.js 22+
WSL2 users: Use Node.js installed inside WSL, not Windows. See Troubleshooting.
npm 9+
1. Setup
git clone <your-repo-url> my-mcp-server
cd my-mcp-server
npm install2. Configure Environment
cp .env.example .env
# Edit .env if needed β defaults work out of the box3. Seed Sample Database
npm run db:seed # Populates local SQLite for testingNote: If the server is already running, restart it after seeding to pick up the new database.
4. Build
npm run build # Compiles TypeScript to dist/5. Run Development Server
npm run dev
# Starts server in hot-reload mode6. Verify with Inspector
npm run inspector
# Opens interactive debugger in your browser (uses dist/index.js)π§ Connecting to Clients
Claude Code
Copy the example config to your project root:
cp .mcp.json.example .mcp.json
# Edit paths in .mcp.json to match your setupOr add manually to your .mcp.json:
{
"mcpServers": {
"mcp-starter-kit": {
"command": "node",
"args": ["dist/index.js"],
"env": {
"LOG_LEVEL": "info",
"DB_PATH": "./data/sample.db",
"SANDBOX_ROOT": "./data/sandbox"
}
}
}
}Claude Desktop
Add to your claude_desktop_config.json:
{
"mcpServers": {
"my-production-server": {
"command": "node",
"args": ["/absolute/path/to/my-mcp-server/dist/index.js"]
}
}
}Cursor, Windsurf, & Others
See docs/SETUP.md for detailed connection guides.
π Project Architecture
Designed for scalability:
mcp-starter-kit/
βββ src/
β βββ index.ts # Entry point
β βββ server.ts # Central MCP registry
β βββ config/env.ts # Environment variable validation (Zod)
β βββ tools/
β β βββ database-query/ # SQLite CRUD tool
β β βββ api-connector/ # REST API tool
β β βββ file-manager/ # Sandboxed file operations tool
β β βββ cache-store/ # TTL-based key-value cache
β β βββ semantic-search/ # Local RAG with embeddings
β β βββ webhook-notifier/ # Async webhook delivery
β βββ lib/ # Shared utilities (Logger, Guardrails)
β βββ middleware/ # Auth & rate limiting
β βββ transport/ # stdio and HTTP transports
βββ tests/ # Integration tests & helpers
βββ scripts/ # CLI tools (db:seed, create-tool)
βββ docs/ # Detailed documentation
βββ docker/ # Dockerfile & docker-compose
βββ data/ # Sample DB & sandbox directoryπ Documentation
Document | Description |
Detailed setup, environment variables, client configuration | |
Step-by-step guide to creating new tools | |
Deploy via npm, Docker, or cloud services | |
Design decisions, security model, and data flow | |
Common errors and solutions | |
Test suite organization, writing tests, security checklist | |
Security policy, vulnerability reporting, feature inventory |
π οΈ Scripts
Command | Description |
| Start with hot-reload (tsx watch) |
| Build to |
| Run built server (stdio) |
| Run built server (HTTP) |
| Run all tests |
| Lint with ESLint |
| Type-check with tsc |
| Open MCP Inspector |
| Seed sample SQLite database |
| Scaffold a new tool |
| Run tests with coverage report |
License
MIT Β© 2026 Edge Craft Studio
Not affiliated with, endorsed by, or certified by Anthropic or the Agentic AI Foundation.
This server cannot be installed
Maintenance
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/junna-legal/mcp-starter-kit'
If you have feedback or need assistance with the MCP directory API, please join our Discord server