MCP Authentication
By default the MCP endpoint (POST /mcp) is open to any caller. Call .require_bearer(token) to gate every request behind a single static Bearer token. Note that a bearer token is exactly that: anyone who can read a request can replay it, so serve the endpoint over TLS or bind it only to a loopback or private interface, and rotate the token if it leaks.
require_bearer
    use rust_web_server::mcp::McpServer;

    let mcp = McpServer::new("my-server", "1.0")
        .require_bearer(std::env::var("MCP_TOKEN").expect("MCP_TOKEN not set"));

Every POST /mcp request must include:
    Authorization: Bearer <token>

A missing or incorrect token produces an immediate 401 Unauthorized before any JSON-RPC processing:

    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: Bearer
    Content-Type: text/plain

    Unauthorized

Loading the token from an environment variable
Never hard-code the token in source code. The conventional variable is MCP_TOKEN:
    use rust_web_server::app::App;
    use rust_web_server::core::New;

    let mcp = App::new()
        .mcp("my-server", "1.0")
        .require_bearer(
            std::env::var("MCP_TOKEN").expect("MCP_TOKEN env var not set"),
        );

Set the variable before starting the server:

    export MCP_TOKEN="$(openssl rand -hex 32)"
    cargo run

The bundled rws binary reads MCP_TOKEN automatically when the config file enables the built-in MCP server.
Configuring Claude Desktop
Add the Authorization header to the server entry in claude_desktop_config.json:
    {
      "mcpServers": {
        "my-server": {
          "url": "http://localhost:7878/mcp",
          "headers": {
            "Authorization": "Bearer <your-token-here>"
          }
        }
      }
    }

Replace <your-token-here> with the value of MCP_TOKEN.
Full example
    use rust_web_server::server::Server;
    use rust_web_server::mcp::{McpServer, McpContent};

    fn main() {
        let token = std::env::var("MCP_TOKEN")
            .expect("Set MCP_TOKEN before starting the server");

        let mcp = McpServer::new("secure-server", "1.0")
            .require_bearer(token)
            .tool(
                "ping",
                "Returns pong",
                r#"{"type":"object","properties":{}}"#,
                |_| Ok(McpContent::text("pong")),
            );

        let (listener, pool) = Server::setup().unwrap();
        Server::run(listener, pool, mcp);
    }

CORS preflight
OPTIONS /mcp requests always receive 200 OK without checking the Bearer token. Browsers send the CORS preflight without credentials, so a browser-based MCP client could never pass the check at that stage; skipping it lets the preflight complete, while the actual POST that follows is still gated by the token.
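The following is an added example, not code from rust_web_server: a stand-alone, dependency-free model of the gate semantics described on this page (401 with WWW-Authenticate: Bearer for a missing, malformed or incorrect token; unauthenticated pass-through for OPTIONS preflight; the handler only runs once the token matches). The Request and Response types, the gate function and the sample token are assumptions made for illustration. The crate's own comparison routine is not shown on this page, so the constant-time comparison here is the editor's choice for the model, not a documented property of require_bearer.

```rust
// Added example modelling the bearer gate. Not rust_web_server's code;
// the Request/Response types below are assumptions for illustration.

#[derive(Debug, Clone, PartialEq)]
pub struct Request {
    pub method: String,
    pub path: String,
    /// (name, value) pairs as received. Header names are case-insensitive.
    pub headers: Vec<(String, String)>,
}

#[derive(Debug, Clone, PartialEq)]
pub struct Response {
    pub status: u16,
    pub headers: Vec<(&'static str, &'static str)>,
    pub body: String,
}

/// Byte comparison that does not stop at the first mismatch, so response
/// timing does not reveal how long a correct prefix the caller supplied.
/// A length mismatch still returns early; the expected token's length is
/// not treated as secret here.
fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff: u8 = 0;
    for (x, y) in a.iter().zip(b.iter()) {
        diff |= x ^ y;
    }
    diff == 0
}

/// Case-insensitive header lookup; returns the first match.
fn header<'a>(req: &'a Request, name: &str) -> Option<&'a str> {
    req.headers
        .iter()
        .find(|(n, _)| n.eq_ignore_ascii_case(name))
        .map(|(_, v)| v.as_str())
}

/// Extract the token from `Authorization: Bearer <token>`. Returns None
/// for a missing header, a different scheme, or an empty token.
fn bearer_token(req: &Request) -> Option<&str> {
    let value = header(req, "Authorization")?;
    let (scheme, rest) = value.trim().split_once(' ')?;
    if !scheme.eq_ignore_ascii_case("Bearer") {
        return None;
    }
    let token = rest.trim();
    if token.is_empty() { None } else { Some(token) }
}

/// The 401 response shape this page documents.
fn unauthorized() -> Response {
    Response {
        status: 401,
        headers: vec![("WWW-Authenticate", "Bearer"), ("Content-Type", "text/plain")],
        body: "Unauthorized".to_string(),
    }
}

/// The gate: OPTIONS (CORS preflight, which carries no credentials) passes
/// through with 200; every other method must present the expected token
/// before `handler` (the JSON-RPC dispatch) runs at all.
pub fn gate(expected: &str, req: &Request, handler: impl FnOnce(&Request) -> Response) -> Response {
    if req.method.eq_ignore_ascii_case("OPTIONS") {
        return Response { status: 200, headers: vec![], body: String::new() };
    }
    match bearer_token(req) {
        Some(t) if constant_time_eq(t.as_bytes(), expected.as_bytes()) => handler(req),
        _ => unauthorized(),
    }
}

/// Build a constructed sample request for demonstration.
pub fn sample_request(method: &str, auth: Option<&str>) -> Request {
    Request {
        method: method.to_string(),
        path: "/mcp".to_string(),
        headers: auth
            .map(|a| vec![("authorization".to_string(), a.to_string())])
            .unwrap_or_default(),
    }
}

fn main() {
    // Constructed sample token; in a real deployment read MCP_TOKEN instead.
    let expected = "c0ffee1234567890";
    let pong = |_: &Request| Response { status: 200, headers: vec![], body: "pong".into() };

    for (label, req) in [
        ("no header", sample_request("POST", None)),
        ("wrong token", sample_request("POST", Some("Bearer nope"))),
        ("basic scheme", sample_request("POST", Some("Basic c0ffee1234567890"))),
        ("correct token", sample_request("POST", Some("Bearer c0ffee1234567890"))),
        ("preflight", sample_request("OPTIONS", None)),
    ] {
        let resp = gate(expected, &req, pong);
        println!("{label:>14}: {} {:?}", resp.status, resp.body);
    }
}
```

The model deliberately rejects an Authorization header that uses a different scheme or an empty token rather than falling through, and it never calls the handler on the failure path, matching the "before any JSON-RPC processing" guarantee in the text.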