MCP Gateway Demo
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@MCP Gateway DemoShow the authorization details and list available secure tools"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
MCP Gateway Demo
Express 实现的 MCP Server,带完整 OAuth 2.1 授权(符合 MCP Authorization 与 RFC9728 Protected Resource Metadata)。
功能
MCP Server(资源服务器)
Streamable HTTP 传输:
POST /mcp、GET /mcp(SSE)未认证请求返回
401,并带WWW-Authenticate: Bearer resource_metadata=..., scope=...JWT 校验(audience = MCP 资源 URI),不足 scope 时返回
403 insufficient_scope
Protected Resource Metadata(RFC9728)
GET /.well-known/oauth-protected-resource返回resource、authorization_servers、scopes_supported可选:
GET /.well-known/oauth-protected-resource/mcp
内置 Authorization Server(Demo)
GET /.well-known/oauth-authorization-server(RFC8414)GET /.well-known/openid-configuration(含code_challenge_methods_supported)GET /oauth/authorize(授权码 + PKCE S256)POST /oauth/token(换发 JWT,aud= 请求中的resource)
环境变量
变量 | 说明 | 示例 |
| HTTP 端口 |
|
| MCP 资源 canonical URI(用于 aud 校验与 metadata) |
|
| 授权服务器 issuer(可与 MCP 同源) |
|
| HS256 密钥(生产建议 RS256 + JWKS) | 至少 32 字符 |
复制 .env.example 为 .env 并修改。
启动
npm install
npm start开发时:
npm run dev联调(MCP 客户端,如 Cursor)
发现
客户端先请求 MCP 端点(无 token),收到401后从WWW-Authenticate取resource_metadata,再 GET 该 URL 得到authorization_servers、scopes_supported。授权
客户端用authorization_servers中任一项作为 issuer,请求其/.well-known/oauth-authorization-server,得到authorization_endpoint、token_endpoint、code_challenge_methods_supported。
使用授权码 + PKCE(S256),并在授权与 token 请求中带上resource= MCP 的 canonical URI(如http://localhost:3000)。访问 MCP
请求POST/GET /mcp时在 Header 中带Authorization: Bearer <access_token>,且Accept: application/json, text/event-stream。
本地测试时,可将 MCP 服务器 URL 设为 http://localhost:3000,授权服务器与资源服务器均为同源,使用上述发现与授权流程即可。
手动测试(curl)
# 1. 未认证 → 401
curl -i -X POST http://localhost:3000/mcp -H "Content-Type: application/json" -d '{}'
# 2. Protected Resource Metadata
curl -s http://localhost:3000/.well-known/oauth-protected-resource
# 3. Authorization Server 发现
curl -s http://localhost:3000/.well-known/oauth-authorization-server
# 4. 授权(浏览器或带 approve=yes 的 GET)
# 生成 PKCE:node -e "const c=require('crypto'); const v=c.randomBytes(32).toString('base64url'); console.log('verifier:', v, 'challenge:', c.createHash('sha256').update(v).digest('base64url'));"
# 在浏览器打开 /oauth/authorize?response_type=code&client_id=test&redirect_uri=http://localhost:3000/callback&scope=mcp:read%20mcp:write&state=1&code_challenge=<CHALLENGE>&code_challenge_method=S256&resource=http://localhost:3000
# 同意后从 redirect 的 URL 中取出 code
# 5. 换 Token
curl -s -X POST http://localhost:3000/oauth/token -H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=authorization_code&code=<CODE>&redirect_uri=http://localhost:3000/callback&client_id=test&code_verifier=<VERIFIER>&resource=http://localhost:3000"
# 6. 带 Token 调用 MCP
curl -s -X POST http://localhost:3000/mcp -H "Content-Type: application/json" -H "Accept: application/json, text/event-stream" \
-H "Authorization: Bearer <ACCESS_TOKEN>" \
-d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"test","version":"1.0"}}}'安全说明
生产环境请使用 HTTPS。
JWT_SECRET需足够强,或改用 RS256 + JWKS。本 Demo 允许的
redirect_uri包含 localhost;生产应严格限制为已注册的 redirect_uri。
This server cannot be installed
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/yylgit/mcp-gateway-demo'
If you have feedback or need assistance with the MCP directory API, please join our Discord server