feat: add HTTP server support with OAuth token authentication and health check endpoint

Author: nickytonline

AGENTS.md

@@ -4,7 +4,7 @@
 The primary entrypoint lives in `cmd/github-mcp-server/main.go`; `generate_docs.go` updates documentation and `cmd/mcpcurl` offers a lightweight client. Shared logic lives under `pkg/` (tool handlers, toolsets, translations) while internal-only helpers stay in `internal/` for server wiring and schema snapshots. `e2e/` holds black-box tests, `docs/` tracks installation and policy guides, and `script/` automates linting, docs, and release chores.
 
 ## Build, Test, and Development Commands
-`go build ./cmd/github-mcp-server` produces the local server binary. `go test -v ./...` runs unit and snapshot suites; use `script/test` when you need the race detector. `script/lint` wraps the required `golangci-lint run` configuration. Regenerate published docs with `script/generate-docs`, and probe tools by piping JSON-RPC into `go run ./cmd/github-mcp-server main.go stdio` as shown in `script/get-me`.
+`go build ./cmd/github-mcp-server` produces the local server binary. `go test -v ./...` runs unit and snapshot suites; use `script/test` when you need the race detector. `script/lint` wraps the required `golangci-lint run` configuration. Regenerate published docs with `script/generate-docs`, and probe tools by piping JSON-RPC into `go run ./cmd/github-mcp-server main.go stdio` as shown in `script/get-me`. Launch the HTTP transport with `github-mcp-server http --listen :8080` and authenticate requests with an `Authorization: Bearer <token>` header if you are fronting the server with OAuth-aware infrastructure like Pomerium.
 
 ## Coding Style & Naming Conventions
 Format Go code with `gofmt` (tabs for indentation) and keep imports tidy via `goimports` or the editor equivalent. Follow the active `golangci-lint` ruleset (bodyclose, gosec, revive, etc.) and prefer explicit error handling. Tool identifiers exposed through MCP stay snake_case (e.g., `list_discussions`), while exported Go symbols remain PascalCase.

README.md

@@ -265,6 +265,33 @@ If you don't have Docker, you can use `go build` to build the binary in the
 }
 ```
 
+### Run as an HTTP server
+
+The same binary can expose the MCP server over HTTP using the streamable transport. This mode is designed for deployments behind zero-trust proxies (for example, Pomerium) that exchange OAuth tokens with GitHub on a per-request basis.
+
+```bash
+github-mcp-server http \
+  --listen :8080 \
+  --http-path /mcp \
+  --health-path /health
+```
+
+- The `/health` endpoint is public and returns `200 OK` to signal readiness.
+- The MCP endpoint (default `/mcp`) requires every request to include an `Authorization: Bearer <token>` header carrying a GitHub OAuth access token. Tokens are not cached between requests.
+- Customize listening address, path, and graceful shutdown timeout via `--listen`, `--http-path`, `--health-path`, and `--shutdown-timeout`.
+
+For example, when testing locally with an OAuth token stored in `$GITHUB_OAUTH_TOKEN`:
+
+```bash
+curl -X POST \
+  -H "Content-Type: application/json" \
+  -H "Authorization: Bearer $GITHUB_OAUTH_TOKEN" \
+  --data '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{}}}' \
+  http://localhost:8080/mcp
+```
+
+See [docs/pomerium-http-example.md](docs/pomerium-http-example.md) for a reference configuration that forwards GitHub OAuth tokens from Pomerium to the server.
+
 ## Tool Configuration
 
 The GitHub MCP Server supports enabling or disabling specific groups of functionalities via the `--toolsets` flag. This allows you to control which GitHub API capabilities are available to your AI tools. Enabling only the toolsets that you need can help the LLM with tool choice and reduce the context size.

cmd/github-mcp-server/main.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"os"
 	"strings"
+	"time"
 
 	"github.com/github/github-mcp-server/internal/ghmcp"
 	"github.com/github/github-mcp-server/pkg/github"
@@ -60,6 +61,33 @@ var (
 			return ghmcp.RunStdioServer(stdioServerConfig)
 		},
 	}
+
+	httpCmd = &cobra.Command{
+		Use:   "http",
+		Short: "Start HTTP server",
+		Long:  `Start a server that communicates over HTTP using the streamable transport.`,
+		RunE: func(_ *cobra.Command, _ []string) error {
+			var enabledToolsets []string
+			if err := viper.UnmarshalKey("toolsets", &enabledToolsets); err != nil {
+				return fmt.Errorf("failed to unmarshal toolsets: %w", err)
+			}
+
+			httpServerConfig := ghmcp.HTTPServerConfig{
+				Version:           version,
+				Host:              viper.GetString("host"),
+				EnabledToolsets:   enabledToolsets,
+				DynamicToolsets:   viper.GetBool("dynamic_toolsets"),
+				ReadOnly:          viper.GetBool("read-only"),
+				ContentWindowSize: viper.GetInt("content-window-size"),
+				ListenAddress:     viper.GetString("listen-address"),
+				EndpointPath:      viper.GetString("http-path"),
+				HealthPath:        viper.GetString("health-path"),
+				ShutdownTimeout:   viper.GetDuration("shutdown-timeout"),
+				LogFilePath:       viper.GetString("log-file"),
+			}
+			return ghmcp.RunHTTPServer(httpServerConfig)
+		},
+	}
 )
 
 func init() {
@@ -88,8 +116,19 @@ func init() {
 	_ = viper.BindPFlag("host", rootCmd.PersistentFlags().Lookup("gh-host"))
 	_ = viper.BindPFlag("content-window-size", rootCmd.PersistentFlags().Lookup("content-window-size"))
 
+	httpCmd.Flags().String("listen", ":8080", "Address for the HTTP server to listen on")
+	httpCmd.Flags().String("http-path", "/mcp", "HTTP path for MCP requests")
+	httpCmd.Flags().String("health-path", "/health", "HTTP path for health checks")
+	httpCmd.Flags().Duration("shutdown-timeout", 10*time.Second, "Graceful shutdown timeout for the HTTP server")
+
+	_ = viper.BindPFlag("listen-address", httpCmd.Flags().Lookup("listen"))
+	_ = viper.BindPFlag("http-path", httpCmd.Flags().Lookup("http-path"))
+	_ = viper.BindPFlag("health-path", httpCmd.Flags().Lookup("health-path"))
+	_ = viper.BindPFlag("shutdown-timeout", httpCmd.Flags().Lookup("shutdown-timeout"))
+
 	// Add subcommands
 	rootCmd.AddCommand(stdioCmd)
+	rootCmd.AddCommand(httpCmd)
 }
 
 func initConfig() {

docs/pomerium-http-example.md

@@ -0,0 +1,44 @@
+# Deploying GitHub MCP Server behind Pomerium
+
+This example demonstrates how to run the GitHub MCP Server in HTTP mode behind [Pomerium](https://www.pomerium.com/), forwarding GitHub OAuth tokens to the server on each request.
+
+1. Start the server in HTTP mode:
+
+```bash
+github-mcp-server http \
+  --listen :8080 \
+  --http-path /mcp \
+  --health-path /health
+```
+
+2. Configure Pomerium to authenticate users with GitHub and pass the resulting access token to the upstream via the `Authorization` header. A simplified route looks like:
+
+```yaml
+routes:
+  - from: https://mcp.example.com
+    to: http://github-mcp-server:8080
+    preserve_host_header: true
+
+    enable_google_cloud_serverless_authentication: false
+    pass_identity_headers: true
+
+    # Forward OAuth tokens from GitHub to the MCP server
+    set_request_headers:
+      Authorization: "Bearer {{ .Pomerium.JWT.OAuth.AccessToken }}"
+
+    upstream_oauth2:
+      client_id: ${GITHUB_OAUTH_CLIENT_ID}
+      client_secret: ${GITHUB_OAUTH_CLIENT_SECRET}
+      scopes:
+        - read:user
+        - user:email
+        - repo
+        - read:org
+      endpoint:
+        auth_url: https://github.com/login/oauth/authorize
+        token_url: https://github.com/login/oauth/access_token
+```
+
+3. Point your MCP host at `https://mcp.example.com/mcp` and omit the static `GITHUB_PERSONAL_ACCESS_TOKEN`. Each request will be authenticated with the user’s GitHub OAuth token issued by Pomerium.
+
+Refer to [Pomerium's MCP documentation](https://www.pomerium.com/docs/capabilities/mcp) for deployment details and advanced routing options.

internal/ghmcp/http_server.go

@@ -0,0 +1,213 @@
+package ghmcp
+
+import (
+	"context"
+	stdErrors "errors"
+	"fmt"
+	"io"
+	"log/slog"
+	"net/http"
+	"os"
+	"os/signal"
+	"strings"
+	"syscall"
+	"time"
+
+	pkgErrors "github.com/github/github-mcp-server/pkg/errors"
+	"github.com/github/github-mcp-server/pkg/translations"
+	"github.com/mark3labs/mcp-go/server"
+)
+
+// HTTPServerConfig captures configuration for the HTTP transport.
+type HTTPServerConfig struct {
+	Version           string
+	Host              string
+	EnabledToolsets   []string
+	DynamicToolsets   bool
+	ReadOnly          bool
+	ContentWindowSize int
+	ListenAddress     string
+	EndpointPath      string
+	HealthPath        string
+	ShutdownTimeout   time.Duration
+	LogFilePath       string
+}
+
+const (
+	defaultHTTPListenAddress = ":8080"
+	defaultHTTPEndpoint      = "/mcp"
+	defaultHTTPHealthPath    = "/health"
+	defaultShutdownTimeout   = 10 * time.Second
+)
+
+// RunHTTPServer starts an MCP server over the Streamable HTTP transport.
+func RunHTTPServer(cfg HTTPServerConfig) error {
+	listenAddress := cfg.ListenAddress
+	if strings.TrimSpace(listenAddress) == "" {
+		listenAddress = defaultHTTPListenAddress
+	}
+
+	endpointPath := normalizePath(cfg.EndpointPath, defaultHTTPEndpoint)
+	healthPath := normalizePath(cfg.HealthPath, defaultHTTPHealthPath)
+
+	shutdownTimeout := cfg.ShutdownTimeout
+	if shutdownTimeout <= 0 {
+		shutdownTimeout = defaultShutdownTimeout
+	}
+
+	ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
+	defer stop()
+
+	translator, _ := translations.TranslationHelper()
+
+	ghServer, err := NewMCPServer(MCPServerConfig{
+		Version:           cfg.Version,
+		Host:              cfg.Host,
+		EnabledToolsets:   cfg.EnabledToolsets,
+		DynamicToolsets:   cfg.DynamicToolsets,
+		ReadOnly:          cfg.ReadOnly,
+		Translator:        translator,
+		ContentWindowSize: cfg.ContentWindowSize,
+		TokenProvider:     TokenFromContext,
+	})
+	if err != nil {
+		return fmt.Errorf("failed to create MCP server: %w", err)
+	}
+
+	var logOutput io.Writer
+	var logFile *os.File
+	var slogHandler slog.Handler
+
+	if strings.TrimSpace(cfg.LogFilePath) != "" {
+		file, fileErr := os.OpenFile(cfg.LogFilePath, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0o600)
+		if fileErr != nil {
+			return fmt.Errorf("failed to open log file: %w", fileErr)
+		}
+		logOutput = file
+		logFile = file
+		slogHandler = slog.NewTextHandler(logOutput, &slog.HandlerOptions{Level: slog.LevelDebug})
+	} else {
+		logOutput = os.Stderr
+		slogHandler = slog.NewTextHandler(logOutput, &slog.HandlerOptions{Level: slog.LevelInfo})
+	}
+
+	logger := slog.New(slogHandler)
+	if logFile != nil {
+		defer func() { _ = logFile.Close() }()
+	}
+	httpServer := &http.Server{Addr: listenAddress}
+
+	streamServer := server.NewStreamableHTTPServer(
+		ghServer,
+		server.WithStreamableHTTPServer(httpServer),
+		server.WithHTTPContextFunc(func(ctx context.Context, r *http.Request) context.Context {
+			return pkgErrors.ContextWithGitHubErrors(ctx)
+		}),
+	)
+
+	mux := http.NewServeMux()
+	mux.HandleFunc(healthPath, healthHandler)
+
+	protectedHandler := tokenMiddleware(streamServer)
+	mux.Handle(endpointPath, protectedHandler)
+	if !strings.HasSuffix(endpointPath, "/") {
+		mux.Handle(endpointPath+"/", protectedHandler)
+	}
+
+	httpServer.Handler = mux
+
+	errCh := make(chan error, 1)
+	go func() {
+		logger.Info("starting HTTP server", "address", listenAddress, "endpoint", endpointPath, "health", healthPath, "dynamicToolsets", cfg.DynamicToolsets, "readOnly", cfg.ReadOnly)
+		if serveErr := httpServer.ListenAndServe(); serveErr != nil && !stdErrors.Is(serveErr, http.ErrServerClosed) {
+			errCh <- serveErr
+			return
+		}
+		errCh <- nil
+	}()
+
+	select {
+	case <-ctx.Done():
+		logger.Info("shutting down HTTP server", "reason", ctx.Err())
+	case serveErr := <-errCh:
+		if serveErr != nil {
+			logger.Error("error running HTTP server", "error", serveErr)
+			return fmt.Errorf("error running HTTP server: %w", serveErr)
+		}
+		logger.Info("HTTP server stopped")
+		return nil
+	}
+
+	shutdownCtx, cancel := context.WithTimeout(context.Background(), shutdownTimeout)
+	defer cancel()
+
+	if shutdownErr := streamServer.Shutdown(shutdownCtx); shutdownErr != nil && !stdErrors.Is(shutdownErr, http.ErrServerClosed) && !stdErrors.Is(shutdownErr, context.Canceled) {
+		logger.Error("error during server shutdown", "error", shutdownErr)
+		return fmt.Errorf("failed to shutdown HTTP server: %w", shutdownErr)
+	}
+
+	if serveErr := <-errCh; serveErr != nil && !stdErrors.Is(serveErr, http.ErrServerClosed) {
+		logger.Error("error after server shutdown", "error", serveErr)
+		return fmt.Errorf("error shutting down HTTP server: %w", serveErr)
+	}
+
+	logger.Info("HTTP server shutdown complete")
+	return nil
+}
+
+func normalizePath(path string, fallback string) string {
+	trimmed := strings.TrimSpace(path)
+	if trimmed == "" {
+		return fallback
+	}
+	if !strings.HasPrefix(trimmed, "/") {
+		trimmed = "/" + trimmed
+	}
+	if len(trimmed) > 1 && strings.HasSuffix(trimmed, "/") {
+		trimmed = strings.TrimSuffix(trimmed, "/")
+	}
+	return trimmed
+}
+
+func healthHandler(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet && r.Method != http.MethodHead {
+		w.WriteHeader(http.StatusMethodNotAllowed)
+		return
+	}
+	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
+	w.WriteHeader(http.StatusOK)
+	if r.Method == http.MethodHead {
+		return
+	}
+	_, _ = w.Write([]byte("ok\n"))
+}
+
+func tokenMiddleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		authHeader := strings.TrimSpace(r.Header.Get("Authorization"))
+		if authHeader == "" {
+			unauthorized(w, "missing Authorization header")
+			return
+		}
+
+		parts := strings.SplitN(authHeader, " ", 2)
+		if len(parts) != 2 || !strings.EqualFold(parts[0], "Bearer") {
+			unauthorized(w, "invalid Authorization header")
+			return
+		}
+
+		token := strings.TrimSpace(parts[1])
+		if token == "" {
+			unauthorized(w, "missing bearer token")
+			return
+		}
+
+		ctx := ContextWithToken(r.Context(), token)
+		next.ServeHTTP(w, r.WithContext(ctx))
+	})
+}
+
+func unauthorized(w http.ResponseWriter, message string) {
+	w.Header().Set("WWW-Authenticate", "Bearer realm=\"github-mcp-server\"")
+	http.Error(w, message, http.StatusUnauthorized)
+}