mcp-auth-proxy

Name: mcp-auth-proxy
Rating: 2.4 (117 reviews)
Author: sigbit

by sigbit·★ 117·Score 47

An OAuth 2.1 authentication proxy for MCP servers that adds security without code changes.

securitydeveloper-toolsops-infra

Forks

Open issues

this month

Last commit

2d ago

Indexed

Overview

MCP Auth Proxy is a Go-based authentication proxy that sits in front of MCP servers to enforce OAuth 2.1/OIDC authentication. It supports various identity providers including Google, GitHub, Okta, Auth0, Azure AD, and Keycloak, with flexible user matching capabilities. The proxy works with stdio, SSE, and HTTP transports, converting stdio traffic to HTTP while maintaining original paths for SSE/HTTP. It's been tested with major MCP clients like Claude, ChatGPT, GitHub Copilot, and Cursor, smoothing out client-specific quirks for consistent authentication across platforms.

Try asking AI

After installing, here are 5 things you can ask your AI assistant:

you:Securing self-hosted MCP servers with enterprise authentication

you:Adding OAuth protection to file system or other MCP servers

you:Providing centralized authentication for multiple MCP deployments

you:How is this different from MCP Gateway?

you:Which MCP clients are supported?

When to choose this

Choose mcp-auth-proxy when you need to add OAuth/OIDC authentication to one or a few MCP servers without modifying their code, especially for self-hosted or independently managed deployments.

When NOT to choose this

Don't choose this if you need to centrally manage multiple MCP servers with aggregation, catalog integration, or advanced policy enforcement - those features are in MCP Gateway instead.

Comparable tools

mcp-gatewayoauth2-proxytraefik-auth

Installation

Download the binary from the [release page](https://github.com/sigbit/mcp-auth-proxy/releases)

For stdio transport:

./mcp-auth-proxy \
  --external-url https://{your-domain} \
  --tls-accept-tos \
  --password changeme \
  -- npx -y @modelcontextprotocol/server-filesystem ./

For SSE/HTTP transport with URL:

./mcp-auth-proxy \
  --external-url https://{your-domain} \
  --tls-accept-tos \
  --password changeme \
  -- https://your-mcp-server/mcp

Claude Desktop Configuration

Add to your Claude Desktop config.json:

{
  "mcpServers": {
    "auth-protected-server": {
      "command": "path/to/mcp-auth-proxy",
      "args": ["--external-url", "https://your-domain", "--tls-accept-tos", "--password", "your-password", "--", "npx", "-y", "@modelcontextprotocol/server-filesystem", "/"]
    }
  }
}

FAQ

How is this different from MCP Gateway?: MCP Auth Proxy is a lightweight authentication proxy for one or a few MCP servers, while MCP Gateway is a hub for orchestrating multiple MCP servers with aggregation, catalog integration, and centralized management.
Which MCP clients are supported?: The proxy has been verified with Claude (web/desktop), Claude Code, ChatGPT (web/desktop), GitHub Copilot, and Cursor. It smooths out client-specific quirks for consistent authentication across platforms.

Compare mcp-auth-proxy with

mcp-auth-proxy vs mcp-server-chart mcp-auth-proxy vs everything mcp-auth-proxy vs filesystem mcp-auth-proxy vs time mcp-auth-proxy vs sequentialthinking

GitHub →

Last updated 2026-05-17 · Auto-generated from public README + GitHub signals.