MCP Servers
Host MCP servers with production-grade OAuth authentication. Tool permissions, multi-tenant isolation, discovery API, and standard HTTP transport.
The Model Context Protocol (MCP) lets AI clients like Claude Code and ChatGPT call external tools. SystemPrompt hosts MCP servers with production-grade OAuth authentication.
The Problem
Running MCP servers in production requires:
- Hosting: Server deployment, uptime, scaling
- Authentication: Who's allowed to call these tools?
- Authorization: What can each caller do?
- Discovery: How do clients find your servers?
Most MCP tutorials show localhost examples. Production is different.
Server Definition
Define MCP servers in services/mcp/:
```yaml
# services/mcp/content-server.yaml
mcp_servers:
  content:
    binary: "content-mcp"
    port: 5011
    endpoint: "http://localhost:8080/api/v1/mcp/content/mcp"
    enabled: true
    description: "Content management tools"
    oauth:
      required: true
      scopes: ["content:read", "content:write"]
```
Production HTTP Transport
MCP servers are hosted over HTTP with proper authentication:
In claude_desktop_config.json:

```json
{
  "mcpServers": {
    "content": {
      "url": "https://yourdomain.com/api/v1/mcp/content/mcp",
      "transport": "streamable-http"
    }
  }
}
```
No localhost. Real URLs. Real authentication.
Per-Tool Permissions
Control access at the tool level:
```yaml
# services/mcp/database-server.yaml
name: database-server
oauth:
  required: true
tools:
  - name: query_data
    description: "Run read-only queries"
    scopes: ["db:read"]
  - name: modify_data
    description: "Insert, update, delete"
    scopes: ["db:write"]
  - name: admin_operations
    description: "Schema changes, backups"
    scopes: ["db:admin"]
```
Discovery API
Clients discover available servers:
```bash
# List MCP servers
curl https://yourdomain.com/api/v1/mcp/registry

# Get server details
curl https://yourdomain.com/api/v1/mcp/content-server
```
CLI Management
See `systemprompt plugins mcp --help` for all commands:

```bash
# List MCP servers
systemprompt plugins mcp list

# Test a tool
systemprompt plugins mcp call content-server search_content --query "AI"

# View server logs
systemprompt infra logs --service mcp-content-server
```
Multi-Tenant MCP
Different users get different access:
```yaml
oauth:
  required: true
  scopes: ["tenant:{{tenant_id}}", "content:read"]
```
User A's Claude Code can only access User A's content. Automatic tenant isolation.
Security
Every MCP call is:
- Authenticated: Valid OAuth2 token required
- Authorized: Token scopes checked against tool requirements
- Audited: Full log of who called what, when
- Rate-limited: Abuse prevention built in
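
The per-tool and per-tenant scope check described above can be sketched as follows. This is an added example, not SystemPrompt's implementation. It assumes that every scope listed for a tool is required, that the token carries a space-delimited OAuth2 `scope` string, and that the `{{tenant_id}}` template is filled with the tenant whose data the call targets; `authorize` and `required_scopes` are hypothetical names.

```python
# Added illustration; not SystemPrompt's code. Function names are hypothetical.
# Assumptions: all listed scopes are required; `scope` is space-delimited.

TOOL_SCOPES = {  # mirrors the tools in services/mcp/database-server.yaml
    "query_data": {"db:read"},
    "modify_data": {"db:write"},
    "admin_operations": {"db:admin"},
}
TENANT_TEMPLATE = "tenant:{{tenant_id}}"


def required_scopes(tool, tenant_id):
    """Scopes a caller must hold to run `tool` against `tenant_id`'s data."""
    if tool not in TOOL_SCOPES:
        return None  # unknown tool: no policy exists, so deny by default
    tenant_scope = TENANT_TEMPLATE.replace("{{tenant_id}}", tenant_id)
    return TOOL_SCOPES[tool] | {tenant_scope}


def authorize(token, tool, tenant_id):
    """Return (allowed, missing_scopes) for one MCP tool call."""
    needed = required_scopes(tool, tenant_id)
    if needed is None:
        return False, set()
    granted = set(token.get("scope", "").split())
    # Exact string match only: "db:admin" does not imply "db:read",
    # and "tenant:ab" never satisfies "tenant:a".
    missing = needed - granted
    return not missing, missing


# Constructed sample tokens (signature and expiry assumed already validated)
TOKEN_A = {"sub": "user-a", "scope": "tenant:a db:read"}
TOKEN_B = {"sub": "user-b", "scope": "tenant:b db:read db:write"}

if __name__ == "__main__":
    calls = [(TOKEN_A, "query_data", "a"),        # allowed
             (TOKEN_A, "modify_data", "a"),       # missing db:write
             (TOKEN_B, "query_data", "a"),        # wrong tenant
             (TOKEN_B, "drop_everything", "b")]   # tool not declared
    for tok, tool, tenant in calls:
        print(tok["sub"], tool, tenant, authorize(tok, tool, tenant))
```

Returning the missing scopes alongside the decision gives the audit log a reason for each denial.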
Compatible Clients
SystemPrompt uses standard HTTP transport:
- Claude Code
- Claude Desktop
- ChatGPT (with MCP support)
- Custom MCP clients
What You Skip
| Without SystemPrompt | With SystemPrompt |
|---|---|
| MCP server hosting | Managed |
| Authentication layer | OAuth2 built in |
| Per-tool authorization | Declarative YAML |
| HTTP transport setup | Automatic |
| Discovery endpoints | Built in |
Getting Started
- Create an MCP server:

  ```yaml
  # services/mcp/hello-server.yaml
  mcp_servers:
    hello:
      binary: "hello-mcp"
      port: 5012
      description: "Example MCP server"
      oauth:
        required: true
        scopes: ["hello:read"]
  ```

- List and test:

  ```bash
  # List servers
  systemprompt plugins mcp list

  # Get connection URL
  systemprompt plugins mcp show hello
  ```

- Configure your MCP client with the URL.
Next Steps
- Extensions — Build custom extensions
- Building MCP Servers — Create custom MCP servers
- Authentication — OAuth2 configuration
- CLI Reference — Full command reference