Skip to content
MCP Front Logo MCP Front Logo

MCP Front

MCP Front

OAuth 2.1 proxy for Model Context Protocol

Quickstart GitHub

MCP Front is an authentication proxy that sits between Claude and your MCP servers. It handles user authentication so your MCP servers don’t have to.

The problem with MCP authentication

Section titled “The problem with MCP authentication”

MCP servers only support static bearer tokens stored in configuration files. This works fine for personal use, but creates problems when you want to share MCP servers with your team. You can’t tell who’s using what. You can’t revoke access when someone leaves. And your database credentials are sitting in plaintext.

MCP Front fixes this by adding a proper authentication layer between Claude and your servers. Your MCP servers stay exactly the same. MCP Front validates authentication, then proxies authenticated requests to your servers. You get user attribution, access control, and audit logs without changing a line of MCP server code.

Authentication

Section titled “Authentication”

Claude redirects users to Google for authentication, and MCP Front validates their domain. You get individual user tracking and instant access revocation.

{
  "auth": {
    "kind": "oauth",
    "issuer": "https://mcp.company.com",
    "allowedDomains": ["company.com"],
    "googleClientId": { "$env": "GOOGLE_CLIENT_ID" },
    "googleClientSecret": { "$env": "GOOGLE_CLIENT_SECRET" },
    "jwtSecret": { "$env": "JWT_SECRET" },
    "encryptionKey": { "$env": "ENCRYPTION_KEY" }
  }
}
Or use bearer tokens

For development or alternative MCP clients, you can use static bearer tokens. Map server names to lists of valid tokens. Note: Claude.ai only supports OAuth, so bearer tokens are for testing or other clients.

{
  "auth": {
    "kind": "bearerToken",
    "tokens": {
      "linear": [{ "$env": "MY_ACCESS_TOKEN" }]
    }
  }
}

Try it in 30 seconds

Section titled “Try it in 30 seconds”
Terminal window
# Install and run locally
go install github.com/dgellow/mcp-front/cmd/mcp-front@main


# Create a minimal config
cat > config.json << 'EOF'
{
  "version": "v0.0.1-DEV_EDITION_EXPECT_CHANGES",
  "proxy": {
    "name": "Test Proxy",
    "addr": ":8080",
    "auth": {
      "kind": "bearerToken",
      "tokens": {
        "echo": ["test-123"]
      }
    }
  },
  "mcpServers": {
    "echo": {
      "transportType": "stdio",
      "command": "sh",
      "args": ["-c", "echo '{\"jsonrpc\":\"2.0\",\"id\":1,\"result\":{\"capabilities\":{}}}' && cat"]
    }
  }
}
EOF


# Run it
mcp-front -config config.json

Then connect from Claude with URL http://localhost:8080/sse and token test-123. The echo server will mirror your requests back.

Built for production

Section titled “Built for production”

MCP Front uses OAuth 2.1 with PKCE, the latest standard. It currently supports Google Cloud OAuth clients — integrates directly with Google Workspace SSO, Firestore for persistent storage.

The code is clean, simple Go.