mcp-boilerplate
Boilerplate for building a remote MCP server on Cloudflare Workers that provides user authentication (Google or GitHub via OAuth) and Stripe-based monetization (free vs paid tools, including subscription and other billing modes). It exposes an SSE endpoint for the MCP tooling and includes example tool implementations using Zod and Stripe’s MCP/Cloudflare agent toolkit.
Score Breakdown
⚙ Agent Friendliness
🔒 Security
Strengths inferred from README: OAuth login with a dedicated KV namespace and an explicit cookie encryption key via env var; secrets are configured through .dev.vars/Cloudflare secrets rather than hard-coded. Uncertainties: provided content does not specify TLS enforcement details, secure cookie flags (HttpOnly/SameSite/Secure), CSRF protections for OAuth callback/session creation, passwordless token handling details, tool-level authorization granularity, or dependency/security scanning results. Rate limiting and abuse protections are not described.
⚡ Reliability
Best When
You want a quick starting point for an MCP server that will run on Cloudflare and you’re comfortable configuring OAuth and Stripe billing.
Avoid When
You need strong operational guarantees (SLA, long-term stability assurances) or a fully specified public API contract with comprehensive error and rate-limit semantics.
Use Cases
- • Build a hosted MCP tool server on Cloudflare Workers
- • Add OAuth login (Google/GitHub) for end-users
- • Gate MCP tools behind Stripe subscriptions or metered/one-time payments
- • Use with AI assistant clients (Cursor/Claude) and MCP Inspector for testing
Not For
- • Use as-is without reviewing security and payment flow code paths
- • Use when you need a standard REST/GraphQL API instead of an MCP/SSE transport
- • Use when you require a published SLA or documented production reliability guarantees
- • Teams wanting turnkey deployment without OAuth/Stripe/Cloudflare configuration
Interface
Authentication
README describes OAuth client setup and a Cloudflare KV namespace (OAUTH_KV) for login state/storage. It does not describe fine-grained API scopes for MCP tools at the auth layer.
Pricing
No explicit free-trial/limits are documented in provided content. Costs depend on your Stripe plan/product configuration and Cloudflare usage.
Agent Metadata
Known Gotchas
- ⚠ OAuth redirect URIs differ between localhost and deployed worker; misconfiguration will block authentication flow.
- ⚠ Stripe Customer Billing Portal may require enabling test-mode portal configuration before the check_user_subscription_status tool can return a usable billingPortal.url.
- ⚠ README warns MCP Inspector versioning (0.12.0 vs 0.11.0) and that @latest may not work right now, which can affect debugging workflows.
Alternatives
Full Evaluation Report
Comprehensive deep-dive: security analysis, reliability audit, agent experience review, cost modeling, competitive positioning, and improvement roadmap for mcp-boilerplate.
AI-powered analysis · PDF + markdown · Delivered within 30 minutes
Package Brief
Quick verdict, integration guide, cost projections, gotchas with workarounds, and alternatives comparison.
Delivered within 10 minutes
Score Monitoring
Get alerted when this package's AF, security, or reliability scores change significantly. Stay ahead of regressions.
Continuous monitoring
Scores are editorial opinions as of 2026-03-30.