mcp-proxy 5.5.6 → 5.6.0

package/README.md

@@ -37,6 +37,7 @@ options:
 - `--port`: Specify the port to listen on (default: 8080)
 - `--debug`: Enable debug logging
 - `--shell`: Spawn the server via the user's shell
+- `--apiKey`: API key for authenticating requests (uses X-API-Key header)
 
 ### Passing arguments to the wrapped command
 
@@ -83,6 +84,64 @@ npx mcp-proxy --port 8080 --stateless --server stream tsx server.js
 - **Request isolation**: When you need complete independence between requests
 - **Simple deployments**: When you don't need to maintain connection state
 
+### API Key Authentication
+
+MCP Proxy supports optional API key authentication to secure your endpoints. When enabled, clients must provide a valid API key in the `X-API-Key` header to access the proxy.
+
+#### Enabling Authentication
+
+Authentication is disabled by default for backward compatibility. To enable it, provide an API key via:
+
+**Command-line:**
+```bash
+npx mcp-proxy --port 8080 --apiKey "your-secret-key" tsx server.js
+```
+
+**Environment variable:**
+```bash
+export MCP_PROXY_API_KEY="your-secret-key"
+npx mcp-proxy --port 8080 tsx server.js
+```
+
+#### Client Configuration
+
+Clients must include the API key in the `X-API-Key` header:
+
+```typescript
+// For streamable HTTP transport
+const transport = new StreamableHTTPClientTransport(
+  new URL('http://localhost:8080/mcp'),
+  {
+    headers: {
+      'X-API-Key': 'your-secret-key'
+    }
+  }
+);
+
+// For SSE transport
+const transport = new SSEClientTransport(
+  new URL('http://localhost:8080/sse'),
+  {
+    headers: {
+      'X-API-Key': 'your-secret-key'
+    }
+  }
+);
+```
+
+#### Exempt Endpoints
+
+The following endpoints do not require authentication:
+- `/ping` - Health check endpoint
+- `OPTIONS` requests - CORS preflight requests
+
+#### Security Notes
+
+- **Use HTTPS in production**: API keys should only be transmitted over secure connections
+- **Keep keys secure**: Never commit API keys to version control
+- **Generate strong keys**: Use cryptographically secure random strings for API keys
+- **Rotate keys regularly**: Change API keys periodically for better security
+
 ### Node.js SDK
 
 The Node.js SDK provides several utilities that are used to create a proxy.
@@ -137,6 +196,7 @@ Options:
 - `sseEndpoint`: SSE endpoint path (default: "/sse", set to null to disable)
 - `streamEndpoint`: Streamable HTTP endpoint path (default: "/mcp", set to null to disable)
 - `stateless`: Enable stateless mode for HTTP streamable transport (default: false)
+- `apiKey`: API key for authenticating requests (optional)
 - `onConnect`: Callback when a server connects (optional)
 - `onClose`: Callback when a server disconnects (optional)
 - `onUnhandledRequest`: Callback for unhandled HTTP requests (optional)

package/dist/bin/mcp-proxy.js

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-import { Client, InMemoryEventStore, ReadBuffer, Server, __commonJS, __toESM, proxyServer, serializeMessage, startHTTPServer } from "../stdio-CQWnvum1.js";
+import { Client, InMemoryEventStore, ReadBuffer, Server, __commonJS, __toESM, proxyServer, serializeMessage, startHTTPServer } from "../stdio-Cm2W-uxV.js";
 import { createRequire } from "node:module";
 import { basename, dirname, extname, join, normalize, relative, resolve } from "path";
 import { format, inspect } from "util";
@@ -5057,6 +5057,10 @@ const argv = await yargs_default(hideBin(process.argv)).scriptName("mcp-proxy").
 	describe: "The arguments to pass to the command",
 	type: "string"
 }).env("MCP_PROXY").parserConfiguration({ "populate--": true }).options({
+	apiKey: {
+		describe: "API key for authenticating requests (uses X-API-Key header)",
+		type: "string"
+	},
 	debug: {
 		default: false,
 		describe: "Enable debug logging",
@@ -5142,6 +5146,7 @@ const proxy = async () => {
 		return server$1;
 	};
 	const server = await startHTTPServer({
+		apiKey: argv.apiKey,
 		createServer,
 		eventStore: new InMemoryEventStore(),
 		host: argv.host,