
Cloudflare MCP Server

A template for a remote MCP server with GitHub OAuth that follows best practices for building MCP servers, so you can use it as a starting point for any MCP server you want to build.

Installation
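Add the following to your MCP client configuration file. Only the url entry is client-side configuration: the names listed under headers are the server's own environment variables and secrets (GitHub OAuth credentials, database URL, cookie encryption key, Sentry DSN), which the setup notes below configure on the server, so keep real values for them out of client configuration files.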

Configuration

{
  "mcpServers": {
    "coleam00-remote-mcp-server-with-auth": {
      "url": "https://mcp-github-oauth.<your-subdomain>.workers.dev/mcp",
      "headers": {
        "NODE_ENV": "development",
        "SENTRY_DSN": "https://<public-key>@<sentry-host>/project-id",
        "DATABASE_URL": "postgresql://user:pass@host:5432/dbname",
        "GITHUB_CLIENT_ID": "your_github_client_id",
        "GITHUB_CLIENT_SECRET": "your_github_client_secret",
        "COOKIE_ENCRYPTION_KEY": "your_random_encryption_key"
      }
    }
  }
}

You can run a remote MCP server that lets you securely read from and write to a PostgreSQL database through GitHub OAuth authentication. This setup supports schema discovery, read-only queries for all authenticated users, and write operations for privileged users, all with protection against SQL injection and optional production monitoring via Sentry. It runs on Cloudflare Workers for global access and scales with your needs.

How to use

Authenticate with your GitHub account to access the MCP server. Once connected, you can discover your database schema using listTables, run read-only queries with queryDatabase, and perform write operations with executeDatabase if you have the necessary permissions. The server exposes two transport options: a modern streamable HTTP endpoint at /mcp and a legacy Server-Sent Events endpoint at /sse. Prefer the /mcp endpoint for best performance and reliability.

How to install

Prepare your environment and install the necessary tooling to run the MCP server locally for development and testing.

# Prerequisites
node -v
wrangler -v
# If wrangler is not installed yet, install it globally
npm install -g wrangler

# Optional: set up a local test environment for OAuth and DB access as described below

Additional setup and usage notes

The MCP server connects directly to a PostgreSQL database and enforces read and write permissions based on GitHub usernames. All authenticated users can read data via listTables and queryDatabase, while executeDatabase requires explicit authorization. SQL injection protection and query validation are built in.

To test locally, you can follow the development flow: install Wrangler, configure environment variables for GitHub OAuth and your database, run the local dev server, and verify available tools through an MCP client or Inspector.

Security and access control

Write access to the database is restricted to specific GitHub usernames. This ensures that only trusted users can perform INSERT, UPDATE, DELETE, or DDL operations, while read access remains open to all authenticated users.
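
The access rules described above, written out as an added TypeScript example (not the project's own code): any authenticated user may call listTables, queryDatabase accepts one read-only statement, and executeDatabase requires an allowlisted GitHub login. The names authorize, isReadOnly, stripNoise and WRITE_USERS and the login octo-admin are assumptions made for illustration.

```typescript
// Added example: all names are hypothetical, not the project's own code.
type Decision = { allowed: boolean; reason: string };

// Assumption: GitHub logins allowed to call executeDatabase (constructed value).
const WRITE_USERS: ReadonlySet<string> = new Set(["octo-admin"]);

const WRITE_KEYWORDS =
  /\b(insert|update|delete|merge|into|create|drop|alter|truncate|grant|revoke)\b/i;

// One left-to-right pass drops string literals and comments, so a keyword in a
// literal is ignored and a quote inside a comment cannot hide later SQL.
function stripNoise(sql: string): string {
  return sql.replace(/'(?:[^']|'')*'|--[^\n]*|\/\*[\s\S]*?\*\//g, " ");
}

function isReadOnly(sql: string): boolean {
  // Backslash escapes and dollar quoting change where a literal ends in
  // PostgreSQL; this scanner does not model them, so such input is refused.
  if (/\\|\$[A-Za-z_0-9]*\$/.test(sql)) return false;
  const s = stripNoise(sql).trim().replace(/;$/, "");
  if (s.includes(";")) return false; // one statement per call
  return /^(select|with|show|explain)\b/i.test(s) && !WRITE_KEYWORDS.test(s);
}

function authorize(tool: string, login: string | null, sql = ""): Decision {
  if (!login) return { allowed: false, reason: "unauthenticated" };
  switch (tool) {
    case "listTables":
      return { allowed: true, reason: "any authenticated user" };
    case "queryDatabase":
      return isReadOnly(sql)
        ? { allowed: true, reason: "read-only statement" }
        : { allowed: false, reason: "not a single read-only statement" };
    case "executeDatabase":
      // GitHub logins are case-insensitive, so compare in lower case.
      return WRITE_USERS.has(login.toLowerCase())
        ? { allowed: true, reason: "write allowlist" }
        : { allowed: false, reason: "not in write allowlist" };
    default:
      return { allowed: false, reason: "unknown tool" };
  }
}
```

Keyword screening of this kind only sees statement text; side effects reached through function calls inside a SELECT are outside what it can detect.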

All tool calls are traced with the user context, and errors can be surfaced with user-friendly messages. Optional Sentry integration provides error tracking, performance monitoring, and detailed traces when enabled.

Sentry integration (optional)

If you enable Sentry, you can capture errors, monitor performance, and trace tool calls with user context. Set the SENTRY_DSN secret and choose the Sentry-enabled build for production deployment.

Deployment notes

In production, create a dedicated KV namespace for OAuth state, configure GitHub OAuth credentials, and deploy with Wrangler. You can test the remote server with an MCP client or Inspector by pointing it at the /mcp endpoint.

Available tools

listTables

Discover database schema and structure. All authenticated users can use this tool to retrieve tables, columns, and constraints.

queryDatabase

Execute read-only SQL queries. Allowed operations are SELECT and other read-only statements for all authenticated users.

executeDatabase

Perform write operations such as INSERT, UPDATE, DELETE, and DDL. Access is restricted to privileged GitHub usernames.