mcp-server-example
A minimal, well-commented MCP server that connects to the Connext platform.
It demonstrates everything you need to build your own MCP server that your userscan connect to from Connext:
- ๐ Its own login & OAuth โ the server is its own OAuth 2.1 provider, with asimple username/password login page. A Connext user clicks "Connect", signs into your server, and Connext receives an access token on their behalf.
- ๐ ๏ธ An example tool (
roll_dice) โ an ordinary tool that returns text. - ๐จ An example MCP App (
greeting_card) โ a tool that returns a small HTMLUI which Connext renders inline in the chat. - ๐ค Per-user identity โ tools know which of your users is calling.
It is built on FastMCP, which handles the MCP protocoland the standard OAuth plumbing, so the only code you have to understand is the~150 lines that are specific to your application: your users, your login page,and your tools.
How it works
When a user connects this server in Connext, this is the flow (all standardOAuth 2.1 โ Connext drives it automatically):
Connext platform This MCP server
โโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโ
1. discover โโโโโโโโโโโโโโโโโโโโโโโโโโถ GET /.well-known/oauth-protected-resource/mcp
GET /.well-known/oauth-authorization-server
2. register (RFC 7591) โโโโโโโโโโโโโโโถ POST /register โ no manual client setup
3. send user to log in โโโโโโโโโโโโโโโถ GET /authorize
โโถ redirects the user's browser to:
4. user signs in โโโโโโโโโโโโโโโโโโโโโถ GET/POST /login โ YOUR login page
5. get a token โโโโโโโโโโโโโโโโโโโโโโโถ POST /token
6. call tools (Authorization: Bearer)โถ POST /mcp โ your tools run
You only write step 4 (the login page) and step 6 (the tools). FastMCP gives you1, 2, 3 and 5 for free.
Quick start
Requires Python 3.11+.
# 1. install
python -m venv .venv && source .venv/bin/activate
pip install -e .
# 2. run the server
python server.py
# -> serving on http://localhost:8000 (MCP endpoint: http://localhost:8000/mcp/)
# 3. in another terminal, connect to it like a real client would
python examples/connect_with_client.py
# -> opens your browser to the login page; sign in as alice / password123
Demo users live in auth.py:
| username | password |
|---|---|
alice |
password123 |
bob |
hunter2 |
Connecting it to Connext
Expose the server on a public HTTPS URL. Connext must be able to reachyour server's OAuth discovery endpoints, and for security it rejectsprivate/loopback addresses for those endpoints. For a quick test, tunnelyour local server:
# example with cloudflared / ngrok โ any tunnel works ngrok http 8000Then run the server with
PUBLIC_URLset to the tunnel URL, because everyOAuth endpoint it advertises is built fromPUBLIC_URL:PUBLIC_URL=https://your-tunnel.example.com python server.pyRegister it in Connext (Admin โ MCP Servers โ Add):
- URL:
https://your-tunnel.example.com/mcp - Transport:
HTTP - Auth:
OAuth - Leave client id/secret blank โ this server supports Dynamic ClientRegistration, so Connext registers itself automatically.
- To let the
greeting_cardMCP App render, enable Allow UI on the server.
- URL:
Connect as a user. Each user clicks Connect, signs in on your loginpage, and Connext stores their token. Now the agent can call
roll_diceandgreeting_cardas that user.
The files
| File | What it does |
|---|---|
server.py |
Entry point. Reads config, builds the FastMCP server, wires in auth + tools, runs it. |
auth.py |
The OAuth provider. Subclasses FastMCP's in-memory provider and adds one thing: a real login page (authorize() โ /login). Contains the demo user store. |
tools.py |
The two example tools and the ui:// resource for the MCP App. |
examples/connect_with_client.py |
A standalone client that runs the same OAuth flow Connext does โ handy for testing. |
.env.example |
Configuration (PUBLIC_URL, HOST, PORT). |
What an MCP App is
An MCP App is just a tool whose result includes a ui:// resource carryingHTML. Connext renders that HTML in a sandboxed iframe inside the chat. The twopieces (see tools.py):
# 1. mark the tool as having a UI
@mcp.tool(meta={"ui": {"resourceUri": "ui://acme/greeting-card", ...}})
async def greeting_card(message: str) -> ToolResult:
return ToolResult(
content=[
TextContent(text="..."), # what the model reads
EmbeddedResource(resource=TextResourceContents( # what the user sees
uri="ui://acme/greeting-card",
mimeType="text/html;profile=mcp-app",
text="<!doctype html>...")),
],
structured_content={"username": ..., "message": ...},
)
# 2. also serve the template via resources/read
@mcp.resource("ui://acme/greeting-card", mime_type="text/html;profile=mcp-app", ...)
async def greeting_card_template() -> str:
return "<!doctype html>..."
Keep the HTML self-contained (inline CSS, no external scripts) so it works underthe iframe's strict Content-Security-Policy. Use the var(--mcp-color-*) CSSvariables to match the host's light/dark theme.
Taking it to production
This example keeps everything in memory so it's easy to read. For a real server:
- Users: replace the
DEMO_USERSdict inauth.pywith your real userdatabase, and store hashed passwords (bcrypt/argon2) โ or delegate to yourexisting SSO/identity provider. - Tokens:
InMemoryOAuthProviderkeeps tokens in memory, so they are lost onrestart (users would re-connect). For production, persist them or issue signedJWTs (fastmcp.server.auth.providers.jwt). - HTTPS: terminate TLS in front of the server and set
PUBLIC_URLto thehttps://URL. - Scopes: this example uses a single
readscope. Add scopes and enforcethem per-tool via FastMCP'srequired_scopes/authoptions.
Verified flow
This example was tested end-to-end: dynamic client registration โ login (wrongpassword rejected, correct password accepted) โ token exchange โ authenticatedtools/list and tools/call โ token refresh โ rejection of unauthenticatedcalls. Tools correctly see the signed-in user via get_access_token().subject.