Building an MCP Server from Scratch — Day 4: Authentication & Production Hardening

Day 3 gave us a working SSE server over HTTP and Docker. But right now anyone who knows the URL can talk to your MCP server. Your GitHub token is exposed to anyone who connects.

In production, you need:

Authentication — Only authorized clients connect
Rate limiting — Prevent abuse and API cost spikes
CORS — Control which origins can access
Input validation — Reject malformed requests early
Environment validation — Fail fast on misconfiguration
Graceful shutdown — Properly close connections on restart

Let’s harden the server.

Step 1: Authentication Middleware#

We’ll add API key authentication via header. Each client gets a unique key. The server checks every SSE connection and every message POST against it.

Install dependencies (none new — we use built-in crypto):

1
cd github-issue-mcp
2
npm ls express @modelcontextprotocol/sdk zod

Create `src/auth.ts`#

1
// src/auth.ts — API key authentication
2

3
import crypto from "crypto";
4

5
/**
6
 * Simple API key authentication.
7
 * Keys configured via AUTH_KEYS env var (comma-separated).
8
 */
9
export class AuthService {
10
  private validKeys: Set<string>;
11

12
  constructor() {
13
    const keysFromEnv = process.env.AUTH_KEYS;
14
    if (keysFromEnv) {
15
      this.validKeys = new Set(keysFromEnv.split(",").map((k) => k.trim()));
16
      console.error(`🔑 Auth configured: ${this.validKeys.size} API key(s)`);
17
    } else {
18
      // Development mode — generate random key
19
      const defaultKey = crypto.randomBytes(32).toString("hex");
20
      this.validKeys = new Set([defaultKey]);
21
      console.error(`🔑 No AUTH_KEYS set. Generated dev key:`);
22
      console.error(`   ${defaultKey}`);
23
    }
24
  }
25

26
  validate(apiKey: string | undefined): boolean {
27
    if (!apiKey) return false;
28
    return this.validKeys.has(apiKey);
29
  }
30

31
  middleware() {
32
    return (req: any, res: any, next: any) => {
33
      const apiKey = req.headers["x-api-key"] as string | undefined;
34
      if (!apiKey) {
35
        res.status(401).json({ error: "Missing X-API-Key header" });
36
        return;
37
      }
38
      if (!this.validate(apiKey)) {
39
        res.status(403).json({ error: "Invalid API key" });
40
        return;
41
      }
42
      // Store key on request for rate limiter
43
      req.apiKey = apiKey;
44
      next();
45
    };
46
  }
47
}

What this does:#

Reads API keys from AUTH_KEYS env var (comma-separated)
Dev mode: generates a random 64-char hex key
Middleware returns 401 if header missing, 403 if invalid key
Stores the validated key on req.apiKey for downstream middleware

Usage:#

1
export AUTH_KEYS="sk-mcp-dev-abc123,sk-mcp-dev-xyz789"
2
node build/server.js

1
curl -H "X-API-Key: sk-mcp-dev-abc123" http://localhost:3001/sse

Step 2: Rate Limiting#

Without rate limiting, a rogue client could hammer your server, burning through GitHub API quota and compute costs.

Create `src/rate-limit.ts`#

1
// src/rate-limit.ts — Sliding-window rate limiter
2

3
export class RateLimiter {
4
  private buckets: Map<string, { count: number; windowStart: number }> = new Map();
5
  private maxRequests: number;
6
  private windowMs: number;
7

8
  constructor(maxRequests: number = 60, windowMs: number = 60_000) {
9
    this.maxRequests = maxRequests;
10
    this.windowMs = windowMs;
11
    console.error(`⏱️ Rate limit: ${maxRequests} req / ${windowMs / 1000}s`);
12
  }
13

14
  check(apiKey: string): boolean {
15
    const now = Date.now();
16
    const bucket = this.buckets.get(apiKey);
17

18
    if (!bucket || now - bucket.windowStart >= this.windowMs) {
19
      this.buckets.set(apiKey, { count: 1, windowStart: now });
20
      return true;
21
    }
22

23
    if (bucket.count >= this.maxRequests) return false;
24
    bucket.count++;
25
    return true;
26
  }
27

28
  cleanup() {
29
    const now = Date.now();
30
    for (const [key, bucket] of this.buckets) {
31
      if (now - bucket.windowStart >= this.windowMs) {
32
        this.buckets.delete(key);
33
      }
34
    }
35
  }
36

37
  middleware() {
38
    return (req: any, res: any, next: any) => {
39
      const apiKey = req.apiKey || "anonymous";
40
      if (!this.check(apiKey)) {
41
        res.status(429).json({ error: "Too many requests", retryAfterMs: this.windowMs });
42
        return;
43
      }
44
      next();
45
    };
46
  }
47
}

Why rate limiting matters:#

Scenario	Without Limit	With Limit
Malicious client	Unlimited calls → API costs spike	Blocked after 60/min
Buggy agent loop	`create_issue` forever	Blocked, developer debugs
Multiple clients	One hogs all resources	Each gets fair share

Step 3: CORS Configuration#

CORS controls which web origins can access your SSE endpoint. For Claude Desktop (not a browser) this isn’t needed. For a web UI, it’s required.

Create `src/cors.ts`#

1
// src/cors.ts — CORS middleware
2

3
export function corsMiddleware(allowedOrigins: string[] = ["*"]) {
4
  return (req: any, res: any, next: any) => {
5
    const origin = req.headers.origin;
6

7
    if (allowedOrigins.includes("*")) {
8
      res.setHeader("Access-Control-Allow-Origin", "*");
9
    } else if (origin && allowedOrigins.includes(origin)) {
10
      res.setHeader("Access-Control-Allow-Origin", origin);
11
    }
12

13
    if (req.method === "OPTIONS") {
14
      res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
15
      res.setHeader("Access-Control-Allow-Headers", "Content-Type, X-API-Key");
16
      res.setHeader("Access-Control-Max-Age", "86400");
17
      res.status(204).end();
18
      return;
19
    }
20

21
    next();
22
  };
23
}

Step 4: Environment Validation#

Fail fast is better than fail mysteriously. Validate all required config at startup.

Create `src/env.ts`#

1
// src/env.ts — Environment validation
2

3
export interface AppConfig {
4
  port: number;
5
  githubToken: string;
6
  authKeys: string[];
7
  rateLimitMax: number;
8
  rateLimitWindowMs: number;
9
  allowedOrigins: string[];
10
  nodeEnv: string;
11
}
12

13
export function loadConfig(): AppConfig {
14
  const errors: string[] = [];
15

16
  const githubToken = process.env.GITHUB_TOKEN;
17
  if (!githubToken) errors.push("GITHUB_TOKEN is required");
18

19
  const authKeysStr = process.env.AUTH_KEYS;
20
  if (!authKeysStr && process.env.NODE_ENV === "production") {
21
    errors.push("AUTH_KEYS is required in production mode");
22
  }
23

24
  const port = parseInt(process.env.PORT || "3001", 10);
25
  if (isNaN(port) || port <= 0 || port > 65535) {
26
    errors.push("PORT must be 1-65535");
27
  }
28

29
  if (errors.length > 0) {
30
    console.error("❌ Configuration errors:");
31
    errors.forEach((e) => console.error(`   - ${e}`));
32
    console.error("\nRequired: GITHUB_TOKEN");
33
    console.error("Production: AUTH_KEYS");
34
    console.error("Optional: PORT, RATE_LIMIT_MAX, RATE_LIMIT_WINDOW_MS, ALLOWED_ORIGINS, NODE_ENV");
35
    process.exit(1);
36
  }
37

38
  const authKeys = authKeysStr
39
    ? authKeysStr.split(",").map((k) => k.trim()).filter(Boolean)
40
    : [];
41

42
  console.error(`✅ Config validated | Port: ${port} | Auth: ${authKeys.length || "auto"} keys`);
43

44
  return {
45
    port,
46
    githubToken: githubToken!,
47
    authKeys,
48
    rateLimitMax: parseInt(process.env.RATE_LIMIT_MAX || "60", 10),
49
    rateLimitWindowMs: parseInt(process.env.RATE_LIMIT_WINDOW_MS || "60000", 10),
50
    allowedOrigins: process.env.ALLOWED_ORIGINS
51
      ? process.env.ALLOWED_ORIGINS.split(",").map((s) => s.trim())
52
      : ["*"],
53
    nodeEnv: process.env.NODE_ENV || "development",
54
  };
55
}

Step 5: Graceful Shutdown#

When your server restarts (or receives SIGTERM/SIGINT), you need to:

Stop accepting new connections
Wait for existing SSE streams to complete
Close the HTTP server
Exit cleanly

Update `src/sse-server.ts` with middleware support + shutdown:#

1
// src/sse-server.ts — Updated with middleware + graceful shutdown
2

3
import express from "express";
4
import { SSEServerTransport } from "@modelcontextprotocol/sdk/server/sse.js";
5
import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
6

7
export interface SSEServerInstance {
8
  server: import("http").Server;
9
  shutdown: () => Promise<void>;
10
  getActiveConnections: () => number;
11
}
12

13
export function createSSEServer(
14
  mcpServer: McpServer,
15
  port: number = 3001,
16
  configureMiddleware?: (app: express.Application) => void
17
): SSEServerInstance {
18
  const app = express();
19

20
  // Apply middleware first (auth, cors, rate limit, etc.)
21
  if (configureMiddleware) configureMiddleware(app);
22

23
  const transports: Map<string, SSEServerTransport> = new Map();
24

25
  app.get("/sse", async (req, res) => {
26
    const transport = new SSEServerTransport("/messages", res);
27
    transports.set(transport.sessionId, transport);
28

29
    res.on("close", () => {
30
      transports.delete(transport.sessionId);
31
      console.error(`[SSE] Session closed: ${transport.sessionId}`);
32
    });
33

34
    try {
35
      await mcpServer.connect(transport);
36
    } catch (error) {
37
      console.error(`[SSE] Connect error: ${error}`);
38
      res.status(500).end();
39
    }
40
  });
41

42
  app.post("/messages", express.json(), async (req, res) => {
43
    const sessionId = req.query.sessionId as string;
44
    const transport = transports.get(sessionId);
45
    if (!transport) {
46
      res.status(404).json({ error: "Session not found" });
47
      return;
48
    }
49
    await transport.handlePostMessage(req, res);
50
  });
51

52
  app.get("/health", (req, res) => {
53
    res.json({
54
      status: "ok",
55
      uptime: process.uptime(),
56
      activeConnections: transports.size,
57
    });
58
  });
59

60
  const httpServer = app.listen(port, () => {
61
    console.error(`✅ MCP SSE server on port ${port}`);
62
  });
63

64
  async function shutdown(): Promise<void> {
65
    console.error("Shutting down...");
66
    transports.clear();
67
    return new Promise((resolve) => {
68
      httpServer.close(() => {
69
        console.error("HTTP server closed");
70
        resolve();
71
      });
72
    });
73
  }
74

75
  return { server: httpServer, shutdown, getActiveConnections: () => transports.size };
76
}

The key change: configureMiddleware callback lets the entry point wire up auth, CORS, and rate limiting without the SSE module knowing about them.

Step 6: The Complete Production Entry Point#

Now src/server.ts — the hardened entry point with all middleware wired up:

1
// src/server.ts — Production hardened entry point
2
// Auth + Rate limiting + CORS + Env validation + Graceful shutdown
3

4
import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
5
import { ResourceTemplate } from "@modelcontextprotocol/sdk/server/mcp.js";
6
import { z } from "zod";
7
import express from "express";
8
import { GitHubClient } from "./github-client.js";
9
import { createSSEServer } from "./sse-server.js";
10
import { AuthService } from "./auth.js";
11
import { RateLimiter } from "./rate-limit.js";
12
import { corsMiddleware } from "./cors.js";
13
import { loadConfig } from "./env.js";
14

15
// Validate environment FIRST (fail fast)
16
const config = loadConfig();
17

18
// Initialize services
19
const github = new GitHubClient(config.githubToken);
20
const auth = new AuthService();
21
const rateLimiter = new RateLimiter(config.rateLimitMax, config.rateLimitWindowMs);
22
const GITHUB_API_BASE = "https://api.github.com";
23

24
const server = new McpServer({
25
  name: "github-issue-manager",
26
  version: "1.0.2",
27
});
28

29
// ──── Helpers ────
30
function parseLinkHeader(link: string | null): Record<string, string> {
31
  if (!link) return {};
32
  const result: Record<string, string> = {};
33
  for (const part of link.split(", ")) {
34
    const match = part.match(/<([^>]+)>;\s*rel="([^"]+)"/);
35
    if (match) result[match[2]] = match[1];
36
  }
37
  return result;
38
}
39

40
async function githubFetch(url: string) {
41
  return fetch(url, {
42
    headers: {
43
      Authorization: `Bearer ${config.githubToken}`,
44
      Accept: "application/vnd.github+json",
45
      "User-Agent": "github-issue-mcp-server/1.0",
46
    },
47
  });
48
}
49

50
// ──── Wire middleware ────
51
const instance = createSSEServer(server, config.port, (app) => {
52
  app.use(corsMiddleware(config.allowedOrigins));
53
  app.use(express.json());
54

55
  // Auth + rate limit on every request except /health
56
  app.use((req, res, next) => {
57
    if (req.path === "/health") return next();
58
    auth.middleware()(req, res, next);
59
  });
60
  app.use((req, res, next) => {
61
    if (req.path === "/health") return next();
62
    rateLimiter.middleware()(req, res, next);
63
  });
64

65
  // Clean stale rate limit buckets every 5 min
66
  setInterval(() => rateLimiter.cleanup(), 5 * 60 * 1000);
67
});
68

69
// ──── TOOLS (7) ────
70
server.tool("list_issues", "List issues", {
71
  owner: z.string(), repo: z.string(),
72
  state: z.enum(["open","closed","all"]).default("open"),
73
  limit: z.number().min(1).max(100).default(20),
74
}, async ({ owner, repo, state, limit }) => {
75
  try {
76
    const issues = await github.listIssues(owner, repo, state, limit);
77
    if (!issues.length) return { content: [{ type: "text", text: `No ${state} issues.` }] };
78
    const formatted = issues.map((i: any) =>
79
      `#${i.number}: ${i.title}\n  ${i.state} | ${i.created_at.slice(0,10)}\n  ${i.html_url}`
80
    ).join("\n\n");
81
    return { content: [{ type: "text", text: `## Issues in ${owner}/${repo} (${state})\n\n${formatted}` }] };
82
  } catch (e) { return { content: [{ type: "text", text: `Error: ${e}` }], isError: true }; }
83
});
84

85
server.tool("get_issue", "Get issue details", {
86
  owner: z.string(), repo: z.string(), issue_number: z.number().int().positive(),
87
}, async ({ owner, repo, issue_number }) => {
88
  try {
89
    const issue = await github.getIssue(owner, repo, issue_number);
90
    return { content: [{ type: "text", text:
91
      `# ${issue.title}\n**#${issue.number}** | **State:** ${issue.state}\n**URL:** ${issue.html_url}\n---\n${issue.body || "*No description*"}` }] };
92
  } catch (e) { return { content: [{ type: "text", text: `Error: ${e}` }], isError: true }; }
93
});
94

95
server.tool("create_issue", "Create issue", {
96
  owner: z.string(), repo: z.string(),
97
  title: z.string().min(1).max(256),
98
  body: z.string().optional(), labels: z.array(z.string()).optional(),
99
  assignees: z.array(z.string()).optional(),
100
}, async ({ owner, repo, title, body, labels, assignees }) => {
101
  try {
102
    const issue = await github.createIssue(owner, repo, { title, body, labels, assignees });
103
    return { content: [{ type: "text", text: `✅ Created #${issue.number}: ${issue.title}\n${issue.html_url}` }] };
104
  } catch (e) { return { content: [{ type: "text", text: `Error: ${e}` }], isError: true }; }
105
});
106

107
server.tool("update_issue", "Update issue", {
108
  owner: z.string(), repo: z.string(), issue_number: z.number().int().positive(),
109
  title: z.string().max(256).optional(), body: z.string().optional(),
110
  state: z.enum(["open","closed"]).optional(),
111
  labels: z.array(z.string()).optional(), assignees: z.array(z.string()).optional(),
112
}, async ({ owner, repo, issue_number, ...changes }) => {
113
  try {
114
    const issue = await github.updateIssue(owner, repo, issue_number, changes);
115
    return { content: [{ type: "text", text: `✅ Updated #${issue_number}\nState: ${issue.state}\n${issue.html_url}` }] };
116
  } catch (e) { return { content: [{ type: "text", text: `Error: ${e}` }], isError: true }; }
117
});
118

119
server.tool("search_issues", "Search issues", {
120
  query: z.string().min(1), limit: z.number().min(1).max(50).default(10),
121
}, async ({ query, limit }) => {
122
  try {
123
    const result = await github.searchIssues(query, limit);
124
    if (!result.issues.length) return { content: [{ type: "text", text: `No results for: "${query}"` }] };
125
    const formatted = result.issues.map((i: any) =>
126
      `#${i.number}: ${i.title}\n  ${i.state} | ${i.html_url}`
127
    ).join("\n\n");
128
    return { content: [{ type: "text", text: `## Results (${result.total_count} total)\n\n${formatted}` }] };
129
  } catch (e) { return { content: [{ type: "text", text: `Error: ${e}` }], isError: true }; }
130
});
131

132
server.tool("list_issues_paginated", "Paginated listing", {
133
  owner: z.string(), repo: z.string(),
134
  state: z.enum(["open","closed","all"]).default("open"),
135
  page: z.number().int().min(1).default(1),
136
  per_page: z.number().int().min(1).max(100).default(30),
137
  sort: z.enum(["created","updated","comments"]).default("updated"),
138
  direction: z.enum(["asc","desc"]).default("desc"),
139
}, async ({ owner, repo, state, page, per_page, sort, direction }) => {
140
  try {
141
    const url = `${GITHUB_API_BASE}/repos/${owner}/${repo}/issues?${
142
      new URLSearchParams({ state, page: String(page), per_page: String(per_page), sort, direction })}`;
143
    const res = await githubFetch(url);
144
    const issues: any[] = await res.json() as any[];
145
    const pagination = parseLinkHeader(res.headers.get("link"));
146
    if (!issues.length) return { content: [{ type: "text", text: `No issues page ${page}.` }] };
147
    const formatted = issues.map((i: any) =>
148
      `#${i.number}: ${i.title}\n  ${i.state} | 💬 ${i.comments}\n  ${i.html_url}`
149
    ).join("\n\n");
150
    let header = `## Issues (page ${page})`;
151
    if (pagination.last) header += ` — Page ${page}/${parseInt(new URL(pagination.last).searchParams.get("page") || "1")}`;
152
    return { content: [{ type: "text", text: `${header}\n\n${formatted}` }] };
153
  } catch (e) { return { content: [{ type: "text", text: `Error: ${e}` }], isError: true }; }
154
});
155

156
server.tool("batch_label_issues", "Batch label issues", {
157
  owner: z.string(), repo: z.string(),
158
  issue_numbers: z.array(z.number().int().positive()).min(1).max(25),
159
  labels: z.array(z.string()).min(1).max(10),
160
}, async ({ owner, repo, issue_numbers, labels }) => {
161
  const results: { n: number; ok: boolean; err?: string }[] = [];
162
  for (const n of issue_numbers) {
163
    try { await github.updateIssue(owner, repo, n, { labels }); results.push({ n, ok: true }); }
164
    catch (e) { results.push({ n, ok: false, err: String(e) }); }
165
  }
166
  const s = results.filter(r => r.ok).length;
167
  return { content: [{ type: "text",
168
    text: `## Labels: ${labels.join(", ")}\n✅ ${s}/${issue_numbers.length}${
169
      results.some(r => !r.ok) ? `\n❌ Failed:\n${results.filter(r => !r.ok).map(r => `- #${r.n}: ${r.err}`).join("\n")}` : ""
170
    }` }] };
171
});
172

173
// ──── RESOURCES (3) ────
174
server.resource("issue-detail",
175
  new ResourceTemplate("issue://{owner}/{repo}/{number}", { list: undefined }),
176
  async (uri, { owner, repo, number }) => {
177
    const issue = await github.getIssue(owner as string, repo as string, parseInt(number as string));
178
    return { contents: [{ uri: uri.href, mimeType: "text/markdown",
179
      text: `# ${issue.title}\n**Status:** ${issue.state === "open" ? "🟢" : "🔴"}\n**URL:** ${issue.html_url}\n---\n${issue.body || "*No description*"}` }] };
180
  });
181

182
server.resource("issue-comments",
183
  new ResourceTemplate("issue://{owner}/{repo}/{number}/comments", { list: undefined }),
184
  async (uri, { owner, repo, number }) => {
185
    const url = `${GITHUB_API_BASE}/repos/${owner}/${repo}/issues/${number}/comments`;
186
    const res = await githubFetch(url);
187
    const comments: any[] = await res.json() as any[];
188
    if (!comments.length) return { contents: [{ uri: uri.href, mimeType: "text/markdown", text: "*No comments*" }] };
189
    return { contents: [{ uri: uri.href, mimeType: "text/markdown",
190
      text: `# Comments\n\n${comments.map((c: any) => `---\n**@${c.user.login}** on ${new Date(c.created_at).toLocaleDateString()}\n\n${c.body || "*No text*"}`).join("\n\n")}` }] };
191
  });
192

193
server.resource("open-issues",
194
  new ResourceTemplate("issue://{owner}/{repo}/open", { list: undefined }),
195
  async (uri, { owner, repo }) => {
196
    const issues = await github.listIssues(owner as string, repo as string, "open");
197
    if (!issues.length) return { contents: [{ uri: uri.href, mimeType: "text/markdown", text: "✨ No open issues!" }] };
198
    return { contents: [{ uri: uri.href, mimeType: "text/markdown",
199
      text: `# Open Issues (${issues.length})\n\n${issues.map((i: any) => `- [#${i.number}](${i.html_url}): ${i.title}`).join("\n")}` }] };
200
  });
201

202
// ──── PROMPTS (3) ────
203
server.prompt("triage-issue", "Triage issue", {
204
  owner: z.string(), repo: z.string(), issue_number: z.number(),
205
}, ({ owner, repo, issue_number }) => ({
206
  messages: [{ role: "user", content: { type: "text",
207
    text: `Triage #${issue_number} in ${owner}/${repo}.\n1. Severity\n2. Labels\n3. Priority\n4. Assignee\n5. Next steps` } }],
208
}));
209

210
server.prompt("weekly-summary", "Weekly summary", {
211
  owner: z.string(), repo: z.string(),
212
}, ({ owner, repo }) => ({
213
  messages: [{ role: "user", content: { type: "text",
214
    text: `Weekly summary for ${owner}/${repo}.\nGroup: New | Updated | Stale (30d+).` } }],
215
}));
216

217
server.prompt("bug-report-template", "Bug report template", {}, () => ({
218
  messages: [{ role: "user", content: { type: "text",
219
    text: `Template:\n## Bug Report\n### Describe\n### To Reproduce\n### Expected\n### Environment` } }],
220
}));
221

222
// ──── Graceful shutdown ────
223
process.on("SIGTERM", async () => { await instance.shutdown(); process.exit(0); });
224
process.on("SIGINT", async () => { await instance.shutdown(); process.exit(0); });
225

226
console.error("\n🚀 github-issue-manager v1.0.2 — production hardened");
227
console.error("   Auth: X-API-Key | Health: /health (no auth)");

Step 7: Update package.json#

Bump version:

1
{
2
  "name": "github-issue-mcp",
3
  "version": "1.0.2",
4
  "scripts": {
5
    "build": "tsc",
6
    "start": "node build/server.js",
7
    "inspect": "npx @modelcontextprotocol/inspector"
8
  }
9
}

Step 8: Full Test#

Build and run:#

1
npm run build
2

3
export GITHUB_TOKEN="ghp_your_token_here"
4
export AUTH_KEYS="sk-mcp-1,sk-mcp-2"
5
export NODE_ENV=production
6

7
node build/server.js

Expected output:

1
✅ Config validated | Port: 3001 | Auth: 2 keys
2
🔑 Auth configured: 2 API key(s)
3
⏱️ Rate limit: 60 req / 60s
4
✅ MCP SSE server on port 3001
5
🚀 github-issue-manager v1.0.2 — production hardened

Test auth:#

1
# No key → 401
2
curl http://localhost:3001/sse
3
# {"error":"Missing X-API-Key header"}
4

5
# Wrong key → 403
6
curl -H "X-API-Key: wrong" http://localhost:3001/sse
7
# {"error":"Invalid API key"}
8

9
# Correct key → SSE opens
10
curl -H "X-API-Key: sk-mcp-1" http://localhost:3001/sse
11
# event: endpoint

Test rate limit:#

1
for i in $(seq 1 70); do
2
  curl -s -o /dev/null -w "%{http_code}\n" \
3
    -H "X-API-Key: sk-mcp-1" \
4
    -X POST "http://localhost:3001/messages?sessionId=test" \
5
    -d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'
6
done
7
# First 60 → 200 / After 60 → 429

Test health (no auth):#

1
curl http://localhost:3001/health
2
# {"status":"ok","uptime":12,"activeConnections":0}

Step 9: Docker with Auth#

Update Docker Compose:

1
services:
2
  mcp-server:
3
    build: .
4
    container_name: github-issue-mcp
5
    ports:
6
      - "127.0.0.1:3001:3001"
7
    environment:
8
      - GITHUB_TOKEN=${GITHUB_TOKEN}
9
      - AUTH_KEYS=${AUTH_KEYS}
10
      - NODE_ENV=production
11
      - RATE_LIMIT_MAX=60
12
      - RATE_LIMIT_WINDOW_MS=60000
13
    healthcheck:
14
      test: ["CMD", "wget", "--spider", "http://localhost:3001/health"]
15
      interval: 30s
16
      retries: 3
17
    restart: unless-stopped
18
    read_only: true

Run:

1
export GITHUB_TOKEN="ghp_..."
2
export AUTH_KEYS="sk-mcp-prod-1,sk-mcp-prod-2"
3
docker compose up -d

Step 10: Claude Desktop Config#

1
{
2
  "mcpServers": {
3
    "github-issue-manager": {
4
      "type": "sse",
5
      "url": "https://mcp.example.com/sse",
6
      "headers": {
7
        "X-API-Key": "sk-mcp-prod-1"
8
      }
9
    }
10
  }
11
}

The headers field lets you pass the API key with every request. Restart Claude Desktop — it should connect to your production-hardened server.

What You Learned#

Concept	Implementation
API key auth	`AuthService` → Express middleware → 401/403
Rate limiting	Sliding window → per-key buckets → 429
CORS	Control origins → handle preflight OPTIONS
Env validation	`loadConfig()` → fail fast on startup
Graceful shutdown	SIGTERM/SIGINT → close transports → close HTTP
Middleware chain	CORS → Body parser → Auth → Rate limit → SSE

Day	Topic	Status
1	Setup & Architecture	✅
2	Resources, Prompts & Advanced Tools	✅
3	SSE Transport & Docker	✅
4	Auth & Production Hardening	✅ Done
5	Testing, Publishing & Ecosystem	Final