thalovant-mcp
OfficialClick on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@thalovant-mcplist my available runtimes"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Thalovant MCP Server
Public-ready MCP server for Thalovant control-plane and hub runtime APIs.
It uses the official Thalovant Node.js SDK and the production MCP TypeScript SDK over stdio and Streamable HTTP, so it works with local MCP hosts such as Claude Desktop, Codex, Cursor, and remote MCP clients.
What It Includes
stdio transport for local agents.
Streamable HTTP transport at
/mcpfor remote agents.OAuth-style protected resource metadata at
/.well-known/oauth-protected-resource.Static bearer tokens for simple/private deployments.
JWT/JWKS and OAuth token introspection for production remote deployments.
Per-principal Thalovant credentials and tool policy.
Host/origin validation, CORS, rate limiting, body limits, secure headers, and session binding.
Optional resumability event storage and JSONL audit logs.
Docker, Compose, Kubernetes, CI, npm package metadata, and MCP registry
server.json.
Related MCP server: Rancher MCP Server
Why TypeScript
Thalovant publishes SDKs for Python, Node.js, Go, and Rust. This server uses Node.js because @thalovant/sdk directly exposes the Thalovant control plane, identity loading, WSS/HTTPS/MQTT runtime clients, memory, analytics, and context helpers, while @modelcontextprotocol/sdk is the best-supported path for cross-agent stdio and Streamable HTTP servers.
Install
npm install
npm run buildNode.js 20 or newer is required.
Local Stdio
Public hub discovery does not need Thalovant credentials. Private control-plane tools and runtime hub tools read credentials only from the MCP server environment or server-side principal credential files. Do not pass API tokens or passwords through chat or tool arguments.
export THALOVANT_ACCESS_TOKEN="..."
# or
export THALOVANT_EMAIL="you@example.com"
export THALOVANT_PASSWORD="..."
export THALOVANT_PROFILE="prod"
export THALOVANT_API_URL="https://api.thalovant.com"
npm startThe server speaks MCP over stdio and does not write logs to stdout.
Runtime hub tools load local identities in this order:
identityFiletool argument.configPathorprofiletool argument.Thalovant SDK environment identity variables.
The default Thalovant SDK config profile.
Keep Thalovant identity files secret. The SDK expects protected config files such as ~/.config/thalovant/config.yaml with mode 0600.
Streamable HTTP
Remote mode uses MCP Streamable HTTP at /mcp and requires bearer authentication by default.
export MCP_TRANSPORT="http"
export MCP_HTTP_HOST="127.0.0.1"
export MCP_HTTP_PORT="3000"
export MCP_HTTP_AUTH_TOKEN="$(openssl rand -hex 32)"
export MCP_HTTP_ALLOWED_HOSTS="127.0.0.1:3000,localhost:3000"
npm run start:httpClients connect to:
http://127.0.0.1:3000/mcp
Authorization: Bearer <token>Health checks are available at /healthz and /readyz.
For public deployments, set the public URL and exact host/origin allowlists:
export MCP_HTTP_HOST="0.0.0.0"
export MCP_HTTP_PORT="3000"
export MCP_PUBLIC_URL="https://mcp.example.com"
export MCP_HTTP_ALLOWED_HOSTS="mcp.example.com"
export MCP_HTTP_ALLOWED_ORIGINS="https://agent.example.com"Remote Auth
Use static bearer tokens only for local, private, or single-tenant deployments:
export MCP_HTTP_AUTH_TOKEN="$(openssl rand -hex 32)"
# or
export MCP_HTTP_AUTH_TOKENS="token-a,token-b"Use JWT/JWKS for production resource-server validation:
export MCP_HTTP_AUTH_MODE="jwt"
export MCP_OAUTH_ISSUER="https://auth.example.com/"
export MCP_OAUTH_JWKS_URL="https://auth.example.com/.well-known/jwks.json"
export MCP_OAUTH_AUDIENCE="https://mcp.example.com/mcp"
export MCP_OAUTH_AUTHORIZATION_SERVERS="https://auth.example.com/"
export MCP_OAUTH_REQUIRED_SCOPES="mcp:thalovant"Use introspection when your authorization server issues opaque tokens:
export MCP_HTTP_AUTH_MODE="introspection"
export MCP_OAUTH_INTROSPECTION_URL="https://auth.example.com/oauth2/introspect"
export MCP_OAUTH_CLIENT_ID="mcp-server-client"
export MCP_OAUTH_CLIENT_SECRET="..."
export MCP_OAUTH_AUDIENCE="https://mcp.example.com/mcp"
export MCP_OAUTH_AUTHORIZATION_SERVERS="https://auth.example.com/"
export MCP_OAUTH_REQUIRED_SCOPES="mcp:thalovant"The server publishes protected resource metadata at:
https://mcp.example.com/.well-known/oauth-protected-resource401 responses include WWW-Authenticate with a resource_metadata pointer for MCP clients that support OAuth discovery.
Principal Credentials
For multi-user remote deployments, do not share one Thalovant access token across all MCP users. Map each authenticated MCP principal to its own Thalovant control-plane token, runtime identity, and tool policy.
Single file:
export THALOVANT_PRINCIPAL_CREDENTIALS_FILE="/run/secrets/thalovant-principals.json"Directory mode:
export THALOVANT_PRINCIPAL_CREDENTIALS_DIR="/run/secrets/thalovant-principals"Directory files are named <sha256(principal-id)>.json. The server checks the OAuth subject, principal id, and client id. See examples/principal-credentials.sample.json.
Keep this disabled for multi-user deployments unless you intentionally want every remote principal to use the server environment's Thalovant credentials:
export THALOVANT_ALLOW_SHARED_CREDENTIALS="false"Runtime identityFile, configPath, profile, and fromEnv tool arguments are disabled for remote principals by default. Set MCP_HTTP_ALLOW_CLIENT_CREDENTIAL_PATHS=true only for trusted private deployments.
Policy, Audit, And Resumability
Global tool policy:
export MCP_TOOL_ALLOWLIST="thalovant_*"
export MCP_TOOL_DENYLIST="thalovant_delete_memory_item"Per-principal credential files may also include allowedTools and deniedTools.
Audit logs:
export MCP_AUDIT_LOG="stderr" # off, stderr, file, or both
export MCP_AUDIT_LOG_FILE="/var/log/thalovant-mcp/audit.jsonl"
export MCP_AUDIT_INCLUDE_ARGS="false"Audit entries are JSONL and credential-shaped fields are redacted.
Streamable HTTP resumability defaults to an in-memory event store. Use a file-backed store for single-instance restarts:
export MCP_EVENT_STORE_FILE="/var/lib/thalovant-mcp/events.jsonl"HTTP Hardening
Bearer auth is required unless
MCP_HTTP_ALLOW_UNAUTHENTICATED=trueis explicitly set.Host headers are allowlisted to reduce DNS rebinding risk.
Browser
Originheaders are rejected unless they exactly matchMCP_HTTP_ALLOWED_ORIGINS.CORS exposes only MCP session/protocol headers.
Sessions use cryptographically random ids and are bound to the authenticated principal.
Request bodies are capped by
MCP_HTTP_MAX_BODY_BYTES, defaulting to 1 MiB.Fixed-window rate limiting defaults to 120 MCP requests per minute per client address.
Security headers include
nosniff,DENYframing, no referrer, and a restrictive CSP.
Useful HTTP environment variables:
MCP_HTTP_PATH=/mcp
MCP_HTTP_RATE_LIMIT_MAX=120
MCP_HTTP_RATE_LIMIT_WINDOW_MS=60000
MCP_HTTP_SESSION_TTL_MS=3600000
MCP_HTTP_MAX_BODY_BYTES=1048576
MCP_HTTP_ENABLE_JSON_RESPONSE=false
MCP_HTTP_TRUST_PROXY=falseClaude Desktop
{
"mcpServers": {
"thalovant": {
"command": "node",
"args": ["/home/goldyfruit/Development/Thalovant/mcp/dist/index.js"],
"env": {
"THALOVANT_PROFILE": "prod"
}
}
}
}Codex
Use the same stdio command in your MCP client config:
{
"mcpServers": {
"thalovant": {
"command": "node",
"args": ["/home/goldyfruit/Development/Thalovant/mcp/dist/index.js"],
"env": {
"THALOVANT_PROFILE": "prod"
}
}
}
}Tools
Read-only:
thalovant_config_statusthalovant_list_public_hubsthalovant_get_public_hubthalovant_list_hubsthalovant_get_hubthalovant_identity_statusthalovant_healthcheckthalovant_wait_for_eventthalovant_get_analytics_overviewthalovant_list_memory_itemsthalovant_get_memory_summarythalovant_get_memory_item
Writes or hub events:
thalovant_create_client_identitythalovant_askthalovant_send_actionthalovant_send_codethalovant_emit_eventthalovant_create_memory_itemthalovant_update_memory_itemthalovant_delete_memory_item
Tool outputs redact credential-shaped fields. thalovant_create_client_identity does not return secret identity material; pass savePath when you want the full identity written to a local file with mode 0600.
Development
npm run typecheck
npm test
npm run build
npm run test:smoke
npm run test:http
npm run bench
npm run bench:http
npm pack --dry-runLicense
MIT. This is the right default for a public integration server: it is permissive, compatible with the MIT Thalovant Node SDK and MCP TypeScript SDK, and does not force downstream agent or enterprise users into a reciprocal licensing model.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/thalovant/thalovant-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server