Discord MCP Server with Bearer Token Authentication
A secure Discord MCP (Model Context Protocol) server that provides Discord integration tools with JWT Bearer Token authentication.
๐ Security Features
- Bearer Token Authentication using JWT tokens
- Discord token protection - tokens are embedded in JWT claims, not passed as parameters
- Audit logging - all tool calls are logged with user information
- Temporary bot connections - no persistent Discord bot instances
- RSA key pair encryption for token signing and verification
๐ Available Tools
Tool | Description |
---|---|
send_message |
Send messages to Discord channels |
get_messages |
Fetch recent messages from channels |
get_channel_info |
Get channel metadata and information |
search_messages |
Search for messages containing keywords |
moderate_content |
Delete specific messages from channels |
๐ Setup and Installation
Prerequisites
- Python 3.8+
- Discord bot token with appropriate permissions
- Virtual environment (recommended)
Installation
Install dependencies (already installed in your venv):
pip install discord.py fastapi fastmcp uvicorn python-dotenv PyJWT
Create a Discord bot and get your bot token:
- Go to Discord Developer Portal
- Create a new application and bot
- Copy the bot token
- Invite the bot to your server with necessary permissions
Set up environment variables (optional):
# Create .env file echo "DISCORD_TOKEN=your_discord_bot_token_here" > .env
๐โโ๏ธ Running the Server
Start the Server
python app.py
The server will start on http://localhost:8000
and display:
- Available tools
- Authentication information
- Token generation instructions
Generate Access Token
Replace YOUR_DISCORD_TOKEN
with your actual Discord bot token:
python -c "from app import generate_access_token; print(generate_access_token('YOUR_DISCORD_TOKEN'))"
๐ง Using the Server
Authentication
All requests must include a JWT Bearer token in the Authorization header:
Authorization: Bearer <your_jwt_token>
Making Tool Calls
Endpoint: POST /mcp/v1/tools/invoke
Headers:
Authorization: Bearer <your_jwt_token>
Content-Type: application/json
Request Format:
{
"method": "tool_name",
"params": {
"parameter1": "value1",
"parameter2": "value2"
}
}
Examples
Get Channel Information
curl -X POST http://localhost:8000/mcp/v1/tools/invoke \
-H "Authorization: Bearer YOUR_JWT_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"method": "get_channel_info",
"params": {
"channel_id": "1234567890123456789"
}
}'
Send a Message
curl -X POST http://localhost:8000/mcp/v1/tools/invoke \
-H "Authorization: Bearer YOUR_JWT_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"method": "send_message",
"params": {
"channel_id": "1234567890123456789",
"message": "Hello from MCP server!"
}
}'
Search Messages
curl -X POST http://localhost:8000/mcp/v1/tools/invoke \
-H "Authorization: Bearer YOUR_JWT_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"method": "search_messages",
"params": {
"channel_id": "1234567890123456789",
"query": "hello",
"limit": 10
}
}'
๐งช Testing
Use the provided test script to verify your setup:
# Update YOUR_DISCORD_TOKEN in test_server.py first
python test_server.py
๐ Monitoring and Logs
- Audit logs are written to
audit.log
- Server logs are displayed in the console
- Each tool call is logged with user ID, parameters, and success/failure status
๐๏ธ Architecture
Authentication Flow
- Token Generation: Discord token is embedded in JWT claims
- Request Authentication: JWT is validated using RSA public key
- Token Extraction: Discord token is extracted from validated JWT
- Tool Execution: Temporary Discord bot connection is created
- Cleanup: Bot connection is properly closed after operation
Security Benefits
- No token exposure: Discord tokens never appear in request parameters
- Centralized auth: Single authentication point for all tools
- Audit trail: Complete logging of all authenticated operations
- Temporary connections: No persistent bot instances reduce attack surface
๐ Security Considerations
Development vs Production
- Development: Uses generated RSA key pairs (current setup)
- Production: Should use external OAuth 2.1 provider or IdP
Token Security
- JWT tokens expire after 1 hour (configurable)
- Discord tokens are embedded in JWT claims, not visible in requests
- RSA encryption ensures token integrity
Best Practices
- Rotate tokens regularly in production
- Use HTTPS for all communications
- Store Discord tokens securely (environment variables, secrets manager)
- Monitor audit logs for unusual activity
- Implement rate limiting if needed
๐ค Integration with MCP Clients
This server follows the MCP specification and can be used with:
- Claude Desktop with MCP integration
- Custom MCP clients
- API testing tools (Postman, curl, etc.)
๐ References
๐ Troubleshooting
Common Issues
"No Discord token found in authentication"
- Verify your JWT token contains the Discord token in claims
- Check token generation with correct Discord bot token
"Bot doesn't have permission"
- Ensure Discord bot has necessary permissions in the server
- Check channel permissions specifically
"Server not reachable"
- Verify server is running on localhost:8000
- Check for port conflicts
"Invalid token"
- Token may be expired (1 hour default)
- Generate a new token
- Verify token format in Authorization header