Skip to content
MCP Front Logo MCP Front Logo

MCP Front

MCP Front

Authentication gateway for MCP servers

Quickstart GitHub

Let your team use Claude with internal databases, APIs, and tools without exposing them to the internet.

The problem

Section titled “The problem”

You want your team to use Claude with internal MCP servers — databases, Linear, Notion, internal APIs. But MCP servers don’t have built-in multi-user authentication. You either expose them to the public internet, build authentication yourself, or run separate instances per user. None of these are great.

The solution

Section titled “The solution”

mcp-front sits between Claude and your MCP servers as an authentication gateway. Your team authenticates via OAuth once through Google, Azure AD, GitHub, or any OIDC provider. When Claude connects, mcp-front validates the token, checks the user belongs to your organization, and proxies to the actual MCP server in your secure environment.

For stdio servers, each user gets an isolated subprocess. For services that need individual API keys (Notion, Linear), users connect them once through a web UI and mcp-front injects tokens automatically.

Organization-wide access control with per-user isolation. No modifications to your MCP servers. Nothing exposed to the internet.

How it works

Section titled “How it works”
  1. User adds https://your-domain.com/<service>/sse to Claude
  2. Claude redirects to the identity provider for login (first time only)
  3. mcp-front validates the user belongs to your organization
  4. If the service needs a user API key (Notion, Linear), user connects it through a web page
  5. mcp-front proxies all MCP requests to the backend server, with tokens scoped to specific services via RFC 8707 — a token for your Postgres server won’t work for Linear

Try it

Section titled “Try it”

Save this as config.json:

{
  "version": "v0.0.1-DEV_EDITION_EXPECT_CHANGES",
  "proxy": {
    "baseURL": "http://localhost:8080",
    "addr": ":8080"
  },
  "mcpServers": {
    "filesystem": {
      "transportType": "stdio",
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-filesystem", "/tmp"],
      "serviceAuths": [
        {
          "type": "bearer",
          "tokens": ["dev-token-123"]
        }
      ]
    }
  }
}
Terminal window
go install github.com/stainless-api/mcp-front/cmd/mcp-front@main
mcp-front -config config.json

See the Quickstart for a complete walkthrough.

Go deeper

Section titled “Go deeper”

Set up identity providers for production OAuth. Learn about the different server types mcp-front can proxy. Read the full configuration reference for all options including Firestore persistence, HTTPS, and per-user service authentication.

Written in Go. Single binary. No runtime dependencies.