playbooks

home / mcp / secure mcp proxy server

Secure MCP Proxy Server

mcp-proxy with authentication

Installation
Add the following to your MCP client configuration file.

Configuration

View docs
{
  "mcpServers": {
    "gws8820-secure-mcp-proxy": {
      "url": "http://remote-server.com/sse",
      "headers": {
        "API_ACCESS_TOKEN": "remote-access-token",
        "MCP_PROXY_API_TOKEN": "your-secret-token"
      }
    }
  }
}

You can run a secure MCP proxy to switch between transports, add API token authentication, and manage multiple MCP servers from one entry point. This lets clients connect over SSE or standard IO while keeping access controlled and logs visible through a simple, configurable setup.

How to use

Use the proxy to connect remote MCP servers over SSE or to expose local MCP servers to remote clients. You can run a single server or multiple named servers, and you can choose to connect to a remote SSE endpoint or run a local server behind the proxy. Authentication can be enabled globally or controlled per server.

How to install

Prerequisites you need before installation:

- Python runtime and a Python package manager (uv) for running the proxy.

Steps you will perform to install and start the proxy:

1) Install uv and set up the environment (examples shown assume a Unix-like shell):

# Install Python tool uv (or ensure it is available in your environment)
uv sync

# Run the proxy directly (single server example)
uv run python -m secure_mcp_proxy --port 3000 uvx mcp-server-fetch

Additional sections

Configuration and authentication help you control which endpoints are open and how servers are started.

Environment variables you may use:

MCP_PROXY_API_TOKEN=your-secret-token
API_ACCESS_TOKEN=token-for-remote-clients

Authentication and secure usage

Authentication is enabled when you set MCP_PROXY_API_TOKEN. If this token is set, you can mark individual MCP servers as requiring authentication using per-server settings in your configuration.

Examples and common patterns

- Connect to a remote SSE endpoint without authentication (CLI mode, single server, no token):

uv run python -m secure_mcp_proxy http://remote-server.com/sse

- Connect to a remote SSE endpoint with a streamable HTTP transport (remote MCP):

uv run python -m secure_mcp_proxy --transport streamablehttp http://remote-server.com/mcp

- Run with a named server configuration file (requires token for selective auth):

export MCP_PROXY_API_TOKEN=token
uv run python -m secure_mcp_proxy --named-server-config servers.json --port 3000 --host 0.0.0.0

Available tools

token_generator

Generates secure tokens for production or testing use cases within the proxy’s security features

status_endpoint

Provides a health/status endpoint to monitor the proxy and its managed MCP servers