Starter Kit for Secure MCP Servers

Author: Parminder Singh

GitHub repo: https://github.com/parmindersk/mcp-starter

If you are exposing AI-enabled capabilities in your product and supporting external integrations, there is a good chance you will implement an MCP (Model Context Protocol) server to handle tool calls from LLMs. When you do, you will need to manage authentication, input validation, multi-tenant isolation, and more. Instead of starting from scratch, I've put together a starter kit that gives you all this out of the box:

  • JWT-based tenant authentication
  • JSON Schema-based input validation
  • Per-function metadata, so you just drop in your logic
  • Cloud-native & container-ready with Docker
  • Standard endpoints as per the MCP spec

I've open sourced the entire project, so you can clone it and start building your own MCP server in minutes. Check it out here: mcp-starter (https://github.com/parmindersk/mcp-starter).

Once you have the repo cloned, you can run it locally either with Docker or directly with Node. To add your own functions, just drop them into the functions directory. Example functions are already provided to get you started.

Here's one of the example functions included in the starter kit:

async function submitFeedback({ tenantId, message, rating }) {
  // your business logic goes here...
  return {
    status: 'received',
    tenantId,
    message,
    rating,
    receivedAt: new Date().toISOString(),
  }
}

// meta information for MCP. You can define the schema of the input parameters
submitFeedback.meta = {
  description: 'Submits feedback',
  schema: {
    type: 'object',
    properties: {
      message: { type: 'string', minLength: 5 },
      rating: { type: 'number', minimum: 1, maximum: 5 },
    },
    required: ['message', 'rating'],
    additionalProperties: false,
  },
}

module.exports = submitFeedback

This function shows how easily you can define MCP-compatible functions. By attaching a meta property with a JSON Schema, you get automatic input validation handled by the server — no extra boilerplate needed. Validation is powered by AJV, a fast and standards-compliant JSON Schema validator.

You can run the server locally using either Docker or Node.js.

With Docker

docker-compose up --build

With Node.js

pnpm install
pnpm start

Generating a Test Token

node tools/generateToken.js --tenant=acme --secret=supersecure

The --secret value (supersecure) must match the JWT_SECRET defined in your .env or docker-compose.yml.

Testing submitFeedback

curl -X POST http://localhost:3000/mcp \
  -H "Authorization: Bearer YOUR_JWT_HERE" \
  -H "Content-Type: application/json" \
  -d '{
    "method": "submitFeedback",
    "params": {
      "message": "Love the product!",
      "rating": 5
    }
  }'

You can play around with the body, for example by removing message or giving rating an invalid value, to see how validation responds.
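How the JWT-based tenant authentication could look on the server side, as an added example that is not taken from the mcp-starter repo: it verifies an HS256 bearer token with Node's built-in crypto and takes the tenant id from the token rather than from the request body. The function names, the `tenant` claim name and the required `exp` claim are assumptions.

```javascript
const crypto = require('node:crypto')

const b64url = (data) => Buffer.from(data).toString('base64url')
const hmac = (data, secret) => crypto.createHmac('sha256', secret).update(data).digest()

// Mints a test token, comparable in purpose to tools/generateToken.js.
// The claim name "tenant" is an assumption, not taken from the repo.
function signToken(claims, secret, header = { alg: 'HS256', typ: 'JWT' }) {
  const body = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`
  return `${body}.${b64url(hmac(body, secret))}`
}

// Returns the tenant id from a valid "Authorization: Bearer ..." value, or throws.
function tenantFromAuthHeader(authHeader, secret, now = Date.now()) {
  const m = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(authHeader || '')
  if (!m) throw new Error('missing or malformed bearer token')
  const [, h, p, sig] = m
  // Pin the algorithm: the token must not be able to choose "none" or another scheme.
  const header = JSON.parse(Buffer.from(h, 'base64url').toString())
  if (header.alg !== 'HS256') throw new Error('unexpected alg')
  const expected = hmac(`${h}.${p}`, secret)
  const given = Buffer.from(sig, 'base64url')
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('bad signature')
  }
  // Claims are parsed only after the signature has been verified.
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString())
  // Requiring exp is a choice made in this example.
  if (typeof claims.exp !== 'number' || claims.exp * 1000 <= now) throw new Error('expired')
  if (typeof claims.tenant !== 'string' || !claims.tenant) throw new Error('no tenant claim')
  return claims.tenant
}

// The tenant id comes from the verified token only; a client-sent value is dropped.
function buildArgs(authHeader, params, secret) {
  const tenantId = tenantFromAuthHeader(authHeader, secret)
  const { tenantId: _ignored, ...rest } = params
  return { ...rest, tenantId }
}

// Constructed sample values; the secret mirrors the page's test value.
const SECRET = 'supersecure'
const exp = Math.floor(Date.now() / 1000) + 300
const good = 'Bearer ' + signToken({ tenant: 'acme', exp }, SECRET)
const forged = 'Bearer ' + signToken({ tenant: 'acme', exp }, 'wrong-secret')
const unsigned = 'Bearer ' + signToken({ tenant: 'acme', exp }, SECRET, { alg: 'none' })
```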

Have you implemented an MCP server? What challenges did you face? Are you using JWT or OAuth for authentication?