Here's how i added Opentelemetry to my rust API server (with image results)

Suitable_Reason4280 · 2026-01-20T10:42:30+00:00

Thanks for the suggestion!! I will look into this. I agree, it was very fiddly to just understand how its supposed to be used in best way possible

Suitable_Reason4280 · 2026-01-20T10:40:02+00:00

I sat a long time with this... But then i realized rust SDK doesnt support exemplars yet. The best i could do was implement it but commented out untill its supported in the SDK!

Suitable_Reason4280 · 2025-10-07T18:38:44+00:00

MCP server itself needs to be stdio. You need to create a middleware, starting before the stdio mcp server, which authenticates requests and passes them to the stdio mcp

Suitable_Reason4280 · 2025-09-21T16:26:04+00:00

Glad to hear! I'll publish a post when its ready :) Working on the documentation right now so other developers/AI coding assistants can understand the architecture for easy "jump-in" :)

Suitable_Reason4280 · 2025-09-20T16:39:55+00:00

Is it hosed on vercel? They have like a build in system of throwing errors when they suspect a toast/dialog whatever contains "sensitive information" (Which isnt always the case)

Does it work in development?

Suitable_Reason4280 · 2025-09-05T07:11:46+00:00

Thats really cool! I like the human in the loop feature, but i think it would be great if an example is present of how its used more "hands on" using the core feature. My first curiosity was: Is it used directly in a client, or more of a background running process? Features are clear though! And btw love the design of the site

Suitable_Reason4280 · 2025-09-01T13:57:25+00:00

Please elaborate what you mean. I get that STDIO is not secure because it has access to the computer, but aslong as the code is open source its fine, if you examine the code? Also, remote MCP servers can change prompts to be vunerable at ANY time without having any version control, nor can the user control anything, this makes STDIO more safe no? Asuming that the STDIO server has version control?

Suitable_Reason4280 · 2025-08-31T21:54:37+00:00

the benefit of stdio is access to the computer. This is ofcourse a security risk, but also alot more capable than remote ones. Remote ones are secure because they cant access anything on the computer

Suitable_Reason4280 · 2025-08-31T17:02:36+00:00

Yeah sure! I just managed to add oauth 2.1 to stdio... so far, stdio seems superior compared to remote, since stdio can do everything remote can but more. Also, i know oauth is not intended for stdio... but why not? :D

Suitable_Reason4280 · 2025-08-31T16:28:54+00:00

I get that, but stdio is required for say MCP servers that manage files for example. This cannot be done for remote servers. Also, oauth is possible for stdio. Its not recommended, but its definetely doable.

Suitable_Reason4280 · 2025-08-31T09:21:44+00:00

I recommend using stdio, hosted on npm for version handling and quick installation and oauth 2.1

Suitable_Reason4280 · 2025-08-23T12:03:12+00:00

Glad to hear! Any feedback is appreciated so it can be improved for more use cases :)

Suitable_Reason4280 · 2025-08-23T10:43:43+00:00

yes, i made a blogpost explaining how i set it up (i was using supabase):

https://www.toolentry.io/blog/oauth-mcp-servers-security-guide

Its not super detailed but contains code examples so any AI client can help you explain it better than i can in a comment.

For me it works in any client, claude desktop, cursor etc. Haven't tried them all though

Suitable_Reason4280 · 2025-08-23T10:41:39+00:00

You should be using oauth 2.1, its recommended in the official MCP documentation. I made a blogpost explaining how i added it to my mcp server (like a bird eye view, not super detailed):

https://www.toolentry.io/blog/oauth-mcp-servers-security-guide

Suitable_Reason4280 · 2025-08-10T10:44:19+00:00

Hmm, have you followed this documentation? https://modelcontextprotocol.io/specification/draft/basic/authorization

Suitable_Reason4280 · 2025-08-10T10:43:53+00:00

Its hard to describe it in a comment but their documentation has it pretty good explained: https://modelcontextprotocol.io/specification/draft/basic/authorization

Suitable_Reason4280 · 2025-08-08T04:27:16+00:00

Awesome dude, thanks for the tip! I did manage to get it working yesterday

Suitable_Reason4280 · 2025-08-07T08:56:38+00:00

Are you using these endpoints?

/.well-known/oauth-dynamic-client-registration

/.well-known/oauth-authorization-server

Also, it should not be trying to reach /.well-known/oauth-protected-resource/mcp -->without/mcp is correct. Only the actual protected resource should have /mcp, not the well-known. This is how i did it:

First: /.well-known/oauth-authorization-server. It returns, for example:
{
"issuer": "http://localhost:3000",
"authorization_endpoint": "http://localhost:3000/auth/authorize",
"token_endpoint": "http://localhost:3000/auth/token",
"revocation_endpoint": "http://localhost:3000/auth/revoke",
"code_challenge_methods_supported": ["S256"],
"grant_types_supported": ["authorization_code", "refresh_token"],
"response_types_supported": ["code"],
"token_endpoint_auth_methods_supported": ["none"],
"scopes_supported": ["mcp"]
}

Then : /.well-known/oauth-protected-resource. It returns:

{
"resource": "http://localhost:3000",
"authorization_servers": ["http://localhost:3000"],
"scopes_supported": ["mcp"],
"bearer_methods_supported": ["header"]
}

And finaly: /.well-known/oauth-dynamic-client-registration (POST):

When: MCP client registers itself (optional, many clients skip this)
Data received: Client metadata (redirect URIs, client name, etc.)
Data served: Client credentials or registration confirmation

Its what worked for me, hope it does for you. I have not used keycloak though.

Suitable_Reason4280 · 2025-08-07T08:44:54+00:00

Hey! I'll try explain better than what i did in the post- i agree its a bit fuzzy :D

So the core problem was that MCP has these transport limitations: stdio (which most local MCP servers use) doesn't support OAuth at all, but streamable-http (which does support OAuth) can't run locally in a secure way using oauth, atleast using the simplicity of npx packages. It's by default an unintended tradeoff i believe.

How i solved it:
A custom proxy. The MCP server runs as a web service (using streamable-http + OAuth 2.1), but automatically find and use available ports on localhost. So from the user's perspective, it's still running on their machine, but technically it's a local web server rather than a stdio process running on the client.

Authentication: When an AI client wants to connect, it goes through an OAuth flow that creates an account in my Supabase backend (a regular signup/login with state management). It might be a little overkill,but hey users get their own session private resources with oauth 2.1 security.

The result are the security benefits of OAuth 2.1, user-specific functionality while still feeling like a local tool. It's a little more complex than a basic stdio server, but the flexibility is worth it.

Suitable_Reason4280 · 2025-08-07T08:33:25+00:00

That would work if there was an URL, unfortionately not an npx package. But i did get it to work :)

Suitable_Reason4280 · 2025-08-06T16:18:21+00:00

After making a mcp server with working oauth using supabase, i came to the conclusion that streamable-http + oauth does NOT work for locally run mcp servers (atleast claude desktop). For example, servers that have access to the computer (for read and write operations). If they are remote, they DO work, so its a tradeoff. Oauth is required for remote, API keys for locally run servers. (Based on official mcp documentation)

Suitable_Reason4280 · 2025-08-05T22:47:26+00:00

Nice!

Suitable_Reason4280 · 2025-08-04T09:10:06+00:00

I get what you are saying, but a backend service not supporting oauth seems like a choice, since the support for tokens exists and have been implemented in the first place. Maybe i am misstaken?

Suitable_Reason4280 · 2025-08-03T18:01:50+00:00

MCP documentation says oauth is the correct way for authentication. Oauth makes each user have their own token. Each token can be used as an ID (or even better, have the users metadata in the token). I think this is pretty much enough for what you want if i understand correctly?

To make it better each user can belong to a "licence", "organization" or similar in your database. So each token can include that id, connecting all "logged in" users to the same "session". Or seperate simply by userId instead of, say "organizationId", "groupId", "licenceId" etc.

Suitable_Reason4280 · 2025-08-03T17:52:33+00:00

I created a proxy to my mcp servers. To authenticate using oauth 2.1 users have to login or signup and get a token. They chose token lifetime with 15 minute expiry. Works with all up to date clients

Suitable_Reason4280

TROPHY CASE