playbooks

home / mcp / fpe demo mcp server

FPE Demo MCP Server

Provides an MCP server demonstrating authentication and FF3 FPE over digits with stdio and HTTP transports.

Installation
Add the following to your MCP client configuration file.

Configuration

View docs
{
  "mcpServers": {
    "horizon-digital-engineering-fpe-demo-mcp": {
      "url": "https://<your-app>.ondigitalocean.app/mcp",
      "headers": {
        "HOST": "0.0.0.0",
        "FPE_KEY": "00112233445566778899aabbccddeeff",
        "AUTH_MODE": "authless or production depending on testing",
        "FPE_TWEAK": "abcdef12345678",
        "AUTH_JWT_AUD": "mcp-client",
        "AUTH_JWT_ISS": "issuer.example.com",
        "AUTH_JWT_SECRET": "demo-secret"
      }
    }
  }
}

You will run a lightweight MCP (Model Context Protocol) server that demonstrates authentication and FF3 format-preserving encryption (FPE) in a clear, learning-friendly setup. This server exposes two tools for encrypting and decrypting digit-only data and supports both local stdio and HTTP transports to connect with LLMs and other clients safely.

How to use

You connect to the local or remote MCP server using an MCP client. With the local setup, you run the server on your machine and interact through the stdio transport or via an HTTP endpoint for browser or web-based clients. The two available tools let you encrypt digit-only strings and decrypt previously encrypted payloads. The encryption output is labeled with a clear ENC_FPE: prefix to indicate it is ciphertext.

Typical usage patterns include developing and testing authentication modes, validating that input is normalized to digits before encryption, and confirming that the encrypted values are returned in the expected ENC_FPE:<digits> format. You can switch between auth modes for quick tests or stricter production-like behavior, and you can test with both local and remote MCP clients.

How to install

Prerequisites: you need Node.js and npm installed on your machine. You will also run commands to install dependencies, build the project, and start the server.

1) Install dependencies and build the project.

Configuration & security

The server supports multiple authentication modes to fit testing and production needs. You can use a shared secret for test scenarios or JSON Web Tokens (JWT) for stricter production-like setups. The FPE configuration uses a 32-character hexadecimal key and a hexadecimal tweak to drive the FF3 FPE process. Ensure these values are kept secure in your environment and rotated according to your security policy.

Examples and tools

Two tools are exposed by the MCP server in the demo: fpe_encrypt encrypts a digit-domain string and returns a value prefixed with ENC_FPE:, and fpe_decrypt decrypts a previously encrypted ENC_FPE: payload.

Troubleshooting

If you encounter connection issues, verify that the transport (stdio or HTTP) is reachable from your MCP client, confirm the authentication mode is set correctly, and ensure the FPE key and tweak are configured. Check that input data is normalized to digits before encryption and that the output follows the ENC_FPE:<digits> format.

Available tools

fpe_encrypt

Encrypts a digit-domain string, normalizes input to digits, and returns a value prefixed with ENC_FPE: to clearly indicate encrypted data.

fpe_decrypt

Decrypts a prior ENC_FPE:<digits> payload to recover the original digit-domain string.