MCP OAuth Gateway MCP Server

Local setup required. This server has to be cloned and prepared on your machine before you register it in Claude Code.
1. Set the server up locally

Run this once to clone and prepare the server before adding it to Claude Code.

Run in terminal
git clone https://github.com/abj453demo/mcp-oauth-gateway.git
cd mcp-oauth-gateway
uv venv
source .venv/bin/activate
uv pip install -e .
2. Register it in Claude Code

After the local setup is done, run this command to point Claude Code at the built server.

Run in terminal
claude mcp add mcp-oauth-gateway -- node "<FULL_PATH_TO_MCP_OAUTH_GATEWAY>/dist/index.js"

Replace <FULL_PATH_TO_MCP_OAUTH_GATEWAY>/dist/index.js with the actual folder you prepared in step 1.

README.md

A transparent proxy server that simplifies authentication for MCP servers.

MCP OAuth Gateway

Quick Start

Prerequisites

  • Python 3.10+
  • uv (recommended) or pip

Create a GitHub OAuth App

  1. Go to GitHub Developer Settings → OAuth Apps → New OAuth App
  2. Set Authorization callback URL to http://localhost:8002/upstream/callback
  3. Fill in any Application name and Homepage URL
  4. Click Register application
  5. Copy the Client ID and generate a Client Secret

Install & Run

# Clone and install
git clone https://github.com/abj453demo/mcp-oauth-gateway.git
cd mcp-oauth-gateway
uv venv && source .venv/bin/activate
uv pip install -e .

# Start the gateway (proxies to GitHub's remote MCP server)
mcp-oauth-gateway --port=8002 \
  --upstream-rs=https://api.githubcopilot.com/mcp/ \
  --upstream-client-id=<YOUR_GITHUB_CLIENT_ID> \
  --upstream-client-secret=<YOUR_GITHUB_CLIENT_SECRET> \
  --upstream-authorize-endpoint=https://github.com/login/oauth/authorize \
  --upstream-token-endpoint=https://github.com/login/oauth/access_token

Replace <YOUR_GITHUB_CLIENT_ID> and <YOUR_GITHUB_CLIENT_SECRET> with the values from your GitHub OAuth App.

The gateway will be available at http://localhost:8002. Point your MCP client at http://localhost:8002/mcp.

Gateway Credentials

When prompted at the gateway login screen (Screen 1):

  • Username: gateway_user
  • Password: gateway_pass

These are the defaults, and they are published in this README, so override them with the MCP_GATEWAY_USERNAME and MCP_GATEWAY_PASSWORD environment variables.

After gateway login, you'll be redirected to GitHub for OAuth authorization (Screen 2).


Overview

The MCP OAuth Gateway is a transparent proxy that sits between an MCP client and an upstream MCP server. It implements its own OAuth 2.1 layer and chains it with the upstream's OAuth, so the client sees a single auth surface while two independent token sets are managed behind the scenes.

The gateway acts as both an Authorization Server (AS) and a Resource Server (RS) to the client. To the upstream, it acts as a regular OAuth client.

┌──────────┐       ┌─────────────────────┐       ┌─────────────────────────────┐
│  Client   │──────▶│  Gateway (AS + RS)   │──────▶│  GitHub OAuth + MCP Server   │
│ (Cascade) │◀──────│  localhost:8002      │◀──────│  api.githubcopilot.com/mcp/  │
└──────────┘       └─────────────────────┘       └─────────────────────────────┘

Client Registration

The gateway supports OAuth 2.0 Dynamic Client Registration (RFC 7591).

  1. Client discovers the gateway via GET /.well-known/oauth-protected-resource, which returns the gateway as both the resource and its own authorization server.
  2. Client fetches GET /.well-known/oauth-authorization-server to learn the gateway's OAuth endpoints (/authorize, /token, /register).
  3. Client calls POST /register with its redirect URIs and grant types. The gateway stores the client in memory and returns a client_id and client_secret.

The gateway uses pre-configured credentials (--upstream-client-id / --upstream-client-secret) to authenticate with the upstream AS (e.g., a GitHub OAuth App). For upstreams that support it, dynamic registration is also available.
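
Steps 1 to 3 seen from the client, as an added example (not code from the gateway project): it checks that the two discovery documents agree with each other before trusting their endpoints, then builds the POST /register body and a PKCE-protected /authorize URL. The discovery documents are constructed samples using RFC 9728 and RFC 8414 field names, and all helper names are hypothetical.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlsplit

GATEWAY = "http://localhost:8002"  # gateway address used on this page

# Constructed sample discovery documents (assumed shape, not captured output).
RESOURCE_DOC = {"resource": GATEWAY + "/mcp", "authorization_servers": [GATEWAY]}
AS_DOC = {
    "issuer": GATEWAY,
    "authorization_endpoint": GATEWAY + "/authorize",
    "token_endpoint": GATEWAY + "/token",
    "registration_endpoint": GATEWAY + "/register",
    "code_challenge_methods_supported": ["S256"],
}

def origin(url):
    parts = urlsplit(url or "")
    return (parts.scheme, parts.hostname, parts.port)

def check_discovery(resource_doc, as_doc, gateway=GATEWAY):
    """Return a list of problems; an empty list means the documents agree."""
    problems = []
    if origin(resource_doc.get("resource")) != origin(gateway):
        problems.append("resource is not on the gateway origin")
    if as_doc.get("issuer") not in resource_doc.get("authorization_servers", []):
        problems.append("issuer is not an authorization server of the resource")
    for key in ("authorization_endpoint", "token_endpoint", "registration_endpoint"):
        if origin(as_doc.get(key)) != origin(as_doc.get("issuer")):
            problems.append(key + " is off the issuer origin")
    if "S256" not in as_doc.get("code_challenge_methods_supported", []):
        problems.append("S256 PKCE is not advertised")
    return problems

def registration_body(redirect_uri):
    """Client metadata for POST /register (RFC 7591 field names)."""
    return {"redirect_uris": [redirect_uri],
            "grant_types": ["authorization_code", "refresh_token"]}

def pkce_pair():
    """Fresh code_verifier and its S256 code_challenge (RFC 7636)."""
    verifier = secrets.token_urlsafe(32)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def authorize_url(as_doc, client_id, redirect_uri, challenge, state):
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "state": state,
                       "code_challenge": challenge, "code_challenge_method": "S256"})
    return as_doc["authorization_endpoint"] + "?" + query
```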

Two-Screen Auth Flow

The authorization flow chains two OAuth flows into one client-facing redirect sequence.

Client                     Gateway                    Upstream AS
  │                           │                           │
  ├─ GET /authorize ─────────▶│                           │
  │                           ├─ redirect to /login       │
  │◀──────────────────────────┤  (Screen 1: gateway creds)│
  │                           │                           │
  ├─ POST /login/callback ───▶│                           │
  │   (gateway_user/pass)     ├─ redirect to upstream ───▶│
  │                           │  /authorize (Screen 2)    │
  │◀──────────────────────────┤◀──────────────────────────┤
  │                           │                           │
  │  (user logs in upstream)  │                           │
  │───────────────────────────┼──▶ upstream callback ────▶│
  │                           │◀── upstream code ─────────┤
  │                           │                           │
  │                           ├─ exchange upstream code    │
  │                           │  for upstream tokens ─────▶
  │                           │◀── upstream access_token ─┤
  │                           │    + refresh_token        │
  │                           │                           │
  │◀─ redirect with gw code ──┤                           │
  │                           │                           │
  ├─ POST /token (gw code) ──▶│                           │
  │◀── concatenated tokens ───┤                           │

Step-by-step

  1. Client → GET /authorize — Gateway stores the client's redirect URI, PKCE code_challenge, and state. Redirects to its own /login page.
  2. **Screen 1: Gat
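
The gateway side of the last two arrows in the diagram (redirect with the gateway code, then POST /token), as an added example that is not the project's own code: the code is bound to the redirect URI and PKCE code_challenge stored at /authorize and can be redeemed only once. The class and method names are hypothetical, and the 300-second lifetime is an assumption.

```python
import base64
import hashlib
import hmac
import secrets
import time

def s256(verifier):
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

class GatewayCodes:
    """Hypothetical in-memory store for gateway authorization codes."""

    def __init__(self, ttl=300):
        self.ttl = ttl
        self.pending = {}

    def issue(self, client_id, redirect_uri, code_challenge, now=None):
        """Mint the gateway code once both login screens have succeeded."""
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(32)
        self.pending[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                              "code_challenge": code_challenge, "expires": now + self.ttl}
        return code

    def redeem(self, code, client_id, redirect_uri, code_verifier, now=None):
        """Check a POST /token request; returns (ok, reason)."""
        now = time.time() if now is None else now
        record = self.pending.pop(code, None)  # pop first: a code is single use
        if record is None:
            return False, "unknown or already used code"
        if now > record["expires"]:
            return False, "code expired"
        if client_id != record["client_id"]:
            return False, "code was issued to a different client"
        if redirect_uri != record["redirect_uri"]:
            return False, "redirect_uri does not match /authorize"
        # Constant-time comparison of the recomputed challenge with the stored one.
        if not hmac.compare_digest(s256(code_verifier), record["code_challenge"]):
            return False, "PKCE verifier does not match code_challenge"
        return True, "ok"
```

Because the record is removed before any check runs, a failed redemption also burns the code, so a guessed verifier cannot be retried against the same code.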

Environment Variables

MCP_GATEWAY_USERNAME: Username for the gateway login screen
MCP_GATEWAY_PASSWORD: Password for the gateway login screen

Configuration

claude_desktop_config.json
{
  "mcpServers": {
    "oauth-gateway": {
      "command": "mcp-oauth-gateway",
      "args": [
        "--port", "8002",
        "--upstream-rs", "https://api.githubcopilot.com/mcp/",
        "--upstream-client-id", "YOUR_ID",
        "--upstream-client-secret", "YOUR_SECRET"
      ]
    }
  }
}

Try it

Configure the MCP OAuth Gateway to proxy requests to my GitHub Copilot MCP server.
How do I register a new client with the OAuth gateway using dynamic registration?
Explain how the two-screen authentication flow works when connecting to an upstream MCP server.

Frequently Asked Questions

What are the key features of MCP OAuth Gateway?

Transparent proxying between MCP clients and upstream MCP servers. Chains local OAuth layer with upstream OAuth credentials. Supports OAuth 2.0 Dynamic Client Registration (RFC 7591). Manages dual token sets behind a single client-facing interface. Implements a two-screen authorization flow for secure access.

What can I use MCP OAuth Gateway for?

Simplifying authentication for MCP clients that need to access protected upstream resources. Adding an extra layer of security to existing MCP server deployments. Standardizing OAuth flows across multiple different MCP server integrations.

How do I install MCP OAuth Gateway?

Install MCP OAuth Gateway by running: git clone https://github.com/abj453demo/mcp-oauth-gateway.git && cd mcp-oauth-gateway && uv venv && source .venv/bin/activate && uv pip install -e .

What MCP clients work with MCP OAuth Gateway?

MCP OAuth Gateway works with any MCP-compatible client including Claude Desktop, Claude Code, Cursor, and other editors with MCP support.
