Merge pull request #517 from kentcdodds/patch-1

cliffhall · web-flow · commit 5028496d6b5c · 2025-07-11T17:05:25.000-04:00
make auth token configurable via env var
diff --git a/README.md b/README.md
@@ -166,6 +166,12 @@ If you need to disable authentication (NOT RECOMMENDED), you can set the `DANGER
 DANGEROUSLY_OMIT_AUTH=true npm start
 ```
 
+You can also set the token via the `MCP_PROXY_AUTH_TOKEN` environment variable when starting the server:
+
+```bash
+MCP_PROXY_AUTH_TOKEN=$(openssl rand -hex 32) npm start
+```
+
 #### Local-only Binding
 
 By default, both the MCP Inspector proxy server and client bind only to `localhost` to prevent network access. This ensures they are not accessible from other devices on the network. If you need to bind to all interfaces for development purposes, you can override this with the `HOST` environment variable:
diff --git a/client/bin/start.js b/client/bin/start.js
@@ -40,7 +40,7 @@ async function startDevServer(serverOptions) {
       ...process.env,
       SERVER_PORT,
       CLIENT_PORT,
-      MCP_PROXY_TOKEN: sessionToken,
+      MCP_PROXY_AUTH_TOKEN: sessionToken,
       MCP_ENV_VARS: JSON.stringify(envVars),
     },
     signal: abort.signal,
@@ -99,7 +99,7 @@ async function startProdServer(serverOptions) {
         ...process.env,
         SERVER_PORT,
         CLIENT_PORT,
-        MCP_PROXY_TOKEN: sessionToken,
+        MCP_PROXY_AUTH_TOKEN: sessionToken,
         MCP_ENV_VARS: JSON.stringify(envVars),
       },
       signal: abort.signal,
@@ -247,8 +247,9 @@ async function main() {
       : "Starting MCP inspector...",
   );
 
-  // Generate session token for authentication
-  const sessionToken = randomBytes(32).toString("hex");
+  // Use provided token from environment or generate a new one
+  const sessionToken =
+    process.env.MCP_PROXY_AUTH_TOKEN || randomBytes(32).toString("hex");
   const authDisabled = !!process.env.DANGEROUSLY_OMIT_AUTH;
 
   const abort = new AbortController();
diff --git a/server/src/index.ts b/server/src/index.ts
@@ -92,7 +92,7 @@ const serverTransports: Map<string, Transport> = new Map<string, Transport>(); /
 
 // Use provided token from environment or generate a new one
 const sessionToken =
-  process.env.MCP_PROXY_TOKEN || randomBytes(32).toString("hex");
+  process.env.MCP_PROXY_AUTH_TOKEN || randomBytes(32).toString("hex");
 const authDisabled = !!process.env.DANGEROUSLY_OMIT_AUTH;
 
 // Origin validation middleware to prevent DNS rebinding attacks
