
MCP Authentication

By default the MCP endpoint (POST /mcp) is open to any caller. Call .require_bearer(token) to gate every request behind a static Bearer token.

require_bearer

use rust_web_server::mcp::McpServer;

let mcp = McpServer::new("my-server", "1.0")
    .require_bearer(std::env::var("MCP_TOKEN").expect("MCP_TOKEN not set"));

Every POST /mcp request must include:

Authorization: Bearer <token>

A missing or incorrect token produces an immediate 401 Unauthorized before any JSON-RPC processing:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer
Content-Type: text/plain

Unauthorized

Loading the token from an environment variable

Never hard-code the token in source code. The conventional variable is MCP_TOKEN:

use rust_web_server::app::App;
use rust_web_server::core::New;

let mcp = App::new()
    .mcp("my-server", "1.0")
    .require_bearer(
        std::env::var("MCP_TOKEN").expect("MCP_TOKEN env var not set"),
    );

Set the variable before starting the server:

export MCP_TOKEN="$(openssl rand -hex 32)"
cargo run

The bundled rws binary reads MCP_TOKEN automatically when the config file enables the built-in MCP server.

Configuring Claude Desktop

Add the Authorization header to the server entry in claude_desktop_config.json:

{
  "mcpServers": {
    "my-server": {
      "url": "http://localhost:7878/mcp",
      "headers": {
        "Authorization": "Bearer <your-token-here>"
      }
    }
  }
}

Replace <your-token-here> with the value of MCP_TOKEN.

Full example

use rust_web_server::server::Server;
use rust_web_server::mcp::{McpServer, McpContent};

fn main() {
    // Refuse to start without a token rather than falling back to an open endpoint.
    let token = std::env::var("MCP_TOKEN")
        .expect("Set MCP_TOKEN before starting the server");
    let mcp = McpServer::new("secure-server", "1.0")
        .require_bearer(token)
        .tool(
            "ping",
            "Returns pong",
            r#"{"type":"object","properties":{}}"#,
            |_| Ok(McpContent::text("pong")),
        );
    let (listener, pool) = Server::setup().unwrap();
    Server::run(listener, pool, mcp);
}

CORS preflight

OPTIONS /mcp requests always receive 200 OK without checking the Bearer token. This allows browser-based MCP clients to complete the CORS preflight before attaching credentials.
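To make the behaviour above concrete, here is a stand-alone model of the gate this page describes (the 401 response with its WWW-Authenticate header, and the OPTIONS pass-through). It is an added example, not rust_web_server's own code; the names `BearerGate`, `Decision` and `check` are hypothetical, and the byte-wise comparison goes one step beyond the page by not short-circuiting on the first mismatching byte.

```rust
/// Outcome of checking one request against the gate (hypothetical type; this
/// is an added example, not rust_web_server's implementation).
#[derive(Debug, PartialEq)]
pub enum Decision {
    /// OPTIONS preflight: answered 200 without looking at the token.
    Preflight,
    /// Token present and correct: hand the body to the JSON-RPC layer.
    Allowed,
    /// Missing or wrong token: status, headers and body to send back.
    Rejected { status: u16, headers: Vec<(&'static str, &'static str)>, body: &'static str },
}
pub struct BearerGate { token: String }
impl BearerGate {
    pub fn new(token: impl Into<String>) -> Self {
        BearerGate { token: token.into() }
    }
    /// Pull `<token>` out of `Authorization: Bearer <token>`; `None` for any
    /// other scheme or an empty credential. Scheme names are case-insensitive.
    fn extract(header: &str) -> Option<&str> {
        let (scheme, credential) = header.trim().split_once(' ')?;
        if !scheme.eq_ignore_ascii_case("Bearer") {
            return None;
        }
        let credential = credential.trim();
        (!credential.is_empty()).then_some(credential)
    }
    /// Compare every byte instead of stopping at the first mismatch, so response
    /// time does not reveal how many leading bytes of a guess were right. Length
    /// still leaks, which is fine for fixed-length tokens like `openssl rand -hex 32`.
    fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
        a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
    }
    /// `authorization` is the raw Authorization header value, if the request sent one.
    pub fn check(&self, method: &str, authorization: Option<&str>) -> Decision {
        if method.eq_ignore_ascii_case("OPTIONS") {
            return Decision::Preflight;
        }
        match authorization.and_then(Self::extract) {
            Some(t) if Self::constant_time_eq(t.as_bytes(), self.token.as_bytes()) => Decision::Allowed,
            _ => Decision::Rejected {
                status: 401,
                headers: vec![("WWW-Authenticate", "Bearer"), ("Content-Type", "text/plain")],
                body: "Unauthorized",
            },
        }
    }
}
```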