A Cloudflare Workers-based MCP server with built-in OAuth authentication
Model Context Protocol (MCP) Server + Access OAuth
This is a Model Context Protocol (MCP) server that supports remote MCP connections, with Access OAuth built-in.
You can deploy it to your own Cloudflare account, and after you create your own Access for SaaS OIDC app, you'll have a fully functional remote MCP server that you can build off. Users will be able to connect to your MCP server by signing in with your connected Access Identity Provider.
The MCP server (powered by Cloudflare Workers):
- Acts as OAuth Server to your MCP clients
- Acts as OAuth Client to your real OAuth server (in this case, Access)
Getting Started
Clone the repo & install dependencies: npm install
For Production
Create a new Access for SaaS OIDC App:
- For the Authorization callback URL, specify
https://mcp-access-oauth.<your-subdomain>.workers.dev/callbackandhttp://localhost:8788/callbackif you are developing locally. - Note your Client ID and Client secret.
- Set secrets via Wrangler
wrangler secret put ACCESS_CLIENT_ID
wrangler secret put ACCESS_CLIENT_SECRET
wrangler secret put ACCESS_TOKEN_URL
wrangler secret put ACCESS_AUTHORIZATION_URL
wrangler secret put ACCESS_JWKS_URL
wrangler secret put COOKIE_ENCRYPTION_KEY # add any random string here e.g. openssl rand -hex 32
Set up a KV namespace
- Create the KV namespace:
wrangler kv:namespace create "OAUTH_KV" - Update the Wrangler file with the KV ID
Deploy & Test
Deploy the MCP server to make it available on your workers.dev domain
wrangler deploy
Test the remote server using Inspector:
npx @modelcontextprotocol/inspector@latest
Enter https://mcp-access-oauth.<your-subdomain>.workers.dev/sse and hit connect. Once you go through the authentication flow, you'll see the Tools working:
You now have a remote MCP server deployed!
Access Control
This MCP server uses Access for authentication. All authenticated Access users can access basic tools like "add".
The "generateImage" tool is restricted to specific Access users listed in the ALLOWED_USERNAMES configuration:
// Add user emails for image generation access
const ALLOWED_EMAILS = new Set(["employee1@mycompany.com", "teammate1@mycompany.com"]);
Access the remote MCP server from Claude Desktop
Open Claude Desktop and navigate to Settings -> Developer -> Edit Config. This opens the configuration file that controls which MCP servers Claude can access.
Replace the content with the following configuration. Once you restart Claude Desktop, a browser window will open showing your OAuth login page. Complete the authentication flow to grant Claude access to your MCP server. After you grant access, the tools will become available for you to use.
{
"mcpServers": {
"math": {
"command": "npx",
"args": [
"mcp-remote",
"https://mcp-access-oauth.<your-subdomain>.workers.dev/sse"
]
}
}
}
Once the Tools (under 🔨) show up in the interface, you can ask Claude to use them. For example: "Could you use the math tool to add 23 and 19?". Claude should invoke the tool and show the result generated by the MCP server.
For Local Development
If you'd like to iterate and test your MCP server, you can do so in local development.
- For the Homepage URL, specify
http://localhost:8788 - For the Authorization callback URL, specify
http://localhost:8788/callback - Note your Client ID and generate a Client secret.
- Create a
.dev.varsfile in your project root with:
ACCESS_CLIENT_ID=<your client id>
ACCESS_CLIENT_SECRET=<your client secret>
ACCESS_TOKEN_URL=<your Access for SaaS token url>
ACCESS_AUTHORIZATION_URL=<your Access for SaaS authorization url>
ACCESS_JWKS_URL=<your Access for SaaS JWKS url>
COOKIE_ENCRYPTION_KEY=COOKIE_ENCRYPTION_KEY
Develop & Test
Run the server locally to make it available at http://localhost:8788
wrangler dev
To test the local server, enter http://localhost:8788/sse into Inspector and hit connect. Once you follow the prompts, you'll be able to "List Tools".
Using Claude and other MCP Clients
When using Claude to connect to your remote MCP server, you may see some error messages. This is because Claude Desktop doesn't yet support remote MCP servers, so it sometimes gets confused. To verify whether the MCP server is connected, hover over the 🔨 icon in the bottom right corner of Claude's interface. You should see your tools available there.
Using Cursor and other MCP Clients
To connect Cursor with your MCP server, choose Type: "Command" and in the `Co
Tools (2)
addPerforms basic addition of numbersgenerateImageGenerates an image based on provided prompts, restricted to authorized usersEnvironment Variables
ACCESS_CLIENT_IDrequiredClient ID from Cloudflare Access for SaaS OIDC appACCESS_CLIENT_SECRETrequiredClient secret from Cloudflare Access for SaaS OIDC appACCESS_TOKEN_URLrequiredAccess for SaaS token URLACCESS_AUTHORIZATION_URLrequiredAccess for SaaS authorization URLACCESS_JWKS_URLrequiredAccess for SaaS JWKS URLCOOKIE_ENCRYPTION_KEYrequiredRandom string for cookie encryptionConfiguration
{"mcpServers": {"math": {"command": "npx", "args": ["mcp-remote", "https://mcp-access-oauth.<your-subdomain>.workers.dev/sse"]}}}