github-mcp-gateway
Provides tools for interacting with GitHub repositories, issues, pull requests, file contents, and search through the GitHub API.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@github-mcp-gatewaylist my open issues"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
github-mcp-gateway
A remote MCP server that gives MCP clients — Claude Code, Claude.ai/Cowork, or any spec-compliant client — authenticated access to GitHub: repos, issues, pull requests, file contents, and search, over a proper OAuth 2.1 handshake. Runs on Cloudflare Workers.
Status: deployed and live at
https://github-mcp-gateway.mazzewhiteley93.workers.dev/mcp.
Why this exists, and the shape of it
An MCP client can't talk to GitHub's API directly with your credentials — it needs something in between that (a) proves who's asking, (b) holds a real GitHub token, and (c) translates tool calls into GitHub API requests. This Worker is that middle layer, and it plays two OAuth roles at once:
OAuth client to GitHub (upstream) — it sends you through GitHub's own consent screen and exchanges the resulting code for a token.
OAuth server to the MCP client (downstream) — the client never sees your GitHub token. It gets its own token from this Worker, scoped to this Worker only.
@cloudflare/workers-oauth-provider(Cloudflare's own library) implements that downstream half: OAuth 2.1, PKCE, and Dynamic Client Registration (DCR) — DCR specifically is what lets a client register itself on first connection without you manually creating credentials for it.
MCP client ──OAuth (DCR, PKCE)──▶ this Worker ──OAuth (GitHub App)──▶ GitHub
│
▼
Workers KV (OAUTH_KV)
state · refresh tokens · approved clientsWhy a GitHub App instead of a classic OAuth App
Cloudflare's own template uses a classic OAuth App, which is simpler but gives you all-or-nothing repo scope and a token that never expires unless you build expiry yourself. This build uses a GitHub App with the user-to-server token flow instead:
Per-repo scoping at install time — you pick exactly which repos this server can touch (GitHub's own installation picker), not "everything this account can see."
Tokens that actually expire and renew themselves — with "Expire user authorization tokens" turned on, GitHub hands back an 8-hour access token plus a 6-month refresh token, and using the refresh token mints a new pair of both. As long as you use this server at least once every 6 months, it never goes stale and you never have to manually mint a new token.
That refresh cycle is handled by src/github-client.ts, independently of
Cowork's own session with this Worker — see Token lifecycle, below.
Related MCP server: Cloudflare GitHub OAuth MCP Server
1. Create the GitHub App
Go to github.com/settings/apps/new (personal account) or github.com/organizations/<org>/settings/apps/new (org-owned — use this if you want it under an org rather than your personal account).
Field | Value |
GitHub App name |
|
Homepage URL |
|
Callback URL |
|
Webhook | Uncheck "Active" — this server doesn't use webhooks |
Repository permissions → Contents | Read & write |
Repository permissions → Issues | Read & write |
Repository permissions → Pull requests | Read & write |
Repository permissions → Metadata | Read (mandatory, auto-selected) |
Where can this GitHub App be installed? | Only on this account |
After creating it:
Note the Client ID at the top of the app's settings page.
Click Generate a new client secret — copy it now, it's shown once.
Under Optional features, find User-to-server token expiration and click Opt-in. This is what makes refresh tokens exist at all — skip it and the server will fail at the callback step with a clear error telling you to come back and do this.
Go to Install App (left sidebar) and install it on your account, choosing Only select repositories — pick the repos you want this server to reach (you can add more later from the same screen).
You'll want a second GitHub App, identically configured but with the
callback URL http://localhost:8788/callback, if you plan to iterate with
wrangler dev locally before deploying.
2. Create the KV namespace
cd github-mcp-gateway
npm install
npx wrangler kv namespace create OAUTH_KVCopy the returned id into wrangler.jsonc, replacing
REPLACE_WITH_KV_NAMESPACE_ID.
3. Set secrets and the allowlist var
npx wrangler secret put GITHUB_APP_CLIENT_ID
npx wrangler secret put GITHUB_APP_CLIENT_SECRET
openssl rand -hex 32 | npx wrangler secret put COOKIE_ENCRYPTION_KEYALLOWED_GITHUB_LOGINS is a plain var, not a secret — add it to
wrangler.jsonc under a top-level "vars" block:
"vars": {
"ALLOWED_GITHUB_LOGINS": "mazze93"
}This is a defense-in-depth allowlist checked at the OAuth callback: even
though only you can complete the GitHub consent screen for your own account,
this makes the gate explicit in code rather than implicit in "whoever can
authenticate." Confirm mazze93 is actually your GitHub login — it's
inferred from your repo namespaces, not verified.
4. Deploy
npx wrangler deploy5. Connect a client
Point any MCP client at:
https://github-mcp-gateway.<your-subdomain>.workers.dev/mcpClaude Code:
claude mcp add --transport http github-mcp-gateway <url>Claude.ai / Cowork: add a custom MCP connector with that URL.
The client registers itself via DCR, redirects you through this server's consent screen, then GitHub's, and lands back with tools available.
Local development
cp .dev.vars.example .dev.vars # fill in the *local* GitHub App's credentials
npx wrangler devwrangler dev serves at http://localhost:8788 — point an MCP client (e.g.
the MCP Inspector) at http://localhost:8788/mcp.
Token lifecycle
Two independent token relationships exist, on different clocks:
Cowork ↔ this Worker. Standard OAuth 2.1 access/refresh tokens issued by
workers-oauth-provider. Cowork refreshes these itself, automatically, per the MCP spec — nothing to manage here.This Worker ↔ GitHub. An 8-hour access token + 6-month refresh token.
src/github-client.tschecks expiry before every GitHub API call and refreshes transparently when within 5 minutes of expiry, persisting the rotated pair toOAUTH_KVundergithub:tokens:{your-login}. This is deliberately not wired throughworkers-oauth-provider'stokenExchangeCallbackhook — that mechanism has an open upstream bug (props going stale after a refresh triggered re-auth loops; see References) — so it's handled directly in the tool layer instead, where it's simpler to reason about and test.
If GitHub's refresh token itself expires (unused for 6+ months) or you
revoke the app's access, the next tool call fails with a clear
ReauthorizationRequiredError message instructing you to disconnect and
reconnect in Cowork. There's no silent failure mode here — either it works
quietly in the background, or it tells you exactly what to do.
Tools
Module | Tools |
|
|
|
|
|
|
|
|
|
|
All list tools accept per_page and page for pagination.
github_merge_pull_request and github_delete_file are the two
destructive operations — irreversible via the tool itself once called.
The client should confirm with you before invoking either.
github_update_repo (description, homepage, topics) requires the GitHub
App to have the Administration repository permission. The app as
currently configured (Contents/Issues/PRs/Metadata) does not include it —
add the permission in the App settings and re-approve the installation to
enable this tool, or make those edits with the gh CLI instead.
Security notes / known upstream issues this build accounts for
CSRF, state replay, session fixation — handled in
src/oauth/workers-oauth-utils.tsvia a CSRF token + cookie pair on the consent form, one-time-use KV-backed state (10 min TTL), and a session-binding cookie (SHA-256 hash of the state token) that proves the browser completing the GitHub callback is the same one that started the flow.workers-oauth-providerIssue #133 — a path-handling bug in audience validation has, in some versions, broken Claude.ai/Cowork connections specifically. This build avoids adding path components to any resource indicator (the/mcpand/sseroutes are registered at the root ofapiHandlers, not nested under a longer path) as the documented workaround. If Cowork's first connection attempt fails at the token exchange step, this is the first thing to check upstream.Issue #108 (RFC 8707 audience validation with paths) — same root cause as above; same mitigation.
Issue #29 (redirect URI mismatch in production) — DCR-registered redirect URIs have been reported to behave differently in production vs.
wrangler devfor some clients. If Cowork's redirect fails only after deploying (and works locally), this is the known suspect.__Host-cookie prefix used throughout — guarantees (browser- enforced) that a cookie could only have been set by this exact origin over HTTPS, with noDomainattribute that could widen its scope.
References
Cloudflare Agents — Build a Remote MCP Server
cloudflare/workers-oauth-provider— the downstream OAuth 2.1 implementation this depends onGitHub Docs — Refreshing user access tokens
workers-oauth-providerIssue #133 (Claude.ai connection failures) and Issue #108 (RFC 8707 path audience bug)
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/mazze93/github-mcp-gateway'
If you have feedback or need assistance with the MCP directory API, please join our Discord server