Clarify the docs around open/closed source and public/private MCP servers

rdimitrov · rdimitrov · commit faf32f4b9749 · 2025-09-29T23:54:21.000+03:00
Signed-off-by: Radoslav Dimitrov &lt;radoslav@stacklok.com&gt;
diff --git a/docs/guides/publishing/publish-server.md b/docs/guides/publishing/publish-server.md
@@ -19,6 +19,7 @@ By the end of this tutorial, you'll have:
 ## Prerequisites
 
 - An MCP server you've already built ([follow this guide if you don't have one already](https://modelcontextprotocol.io/quickstart/server))
+- Your server must be publicly accessible (closed source servers are welcome, but private/internal servers are not supported)
 
 ## Deployment Options
 
diff --git a/docs/reference/faq.md b/docs/reference/faq.md
@@ -47,7 +47,13 @@ See the [publisher README](../../cmd/publisher/README.md)
 
 ### Is open source required?
 
-No. While open source code is encouraged, it is not required for either locally or remotely run servers.
+No. The registry supports both open source and closed source servers, as long as they are publicly accessible.
+
+**Closed source servers are welcome** - you can publish proprietary MCP servers to the registry as long as:
+- The server itself is publicly accessible (not restricted to private networks)
+- The installation method is publicly available (e.g., npm package, Docker image on public registries)
+
+This applies to both locally-run and remote servers.
 
 ### What package registries are supported?
 
@@ -98,6 +104,22 @@ These are generally not supported on the official MCP registry, which is designe
 
 If you want to publish private servers we recommend you host your own MCP subregistry, and add them there.
 
+### What's the difference between closed source and private servers?
+
+**Closed source servers** have proprietary code but are **publicly accessible**:
+- ✅ **Supported**: Can be published to the registry
+- ✅ Source code can be proprietary/closed source
+- ✅ Installation via public package registries (npm, PyPI, Docker Hub, etc.)
+- ✅ Remote servers hosted on public URLs
+
+**Private servers** are **access-restricted** regardless of source code:
+- ❌ **Not supported**: Cannot be published to the official registry
+- ❌ Only accessible to specific users/organizations
+- ❌ Installation requires private credentials or network access
+- ❌ Remote servers on private networks or behind authentication
+
+**Example**: A commercial MCP server distributed as a paid npm package is closed source but publicly accessible, so it's welcome in the registry. A server only available on your company's internal network is private and not supported.
+
 ## Security & Trust
 
 ### How do I know a server is from the claimed organization?
