mcp-server
Provides a Model Context Protocol (MCP) server implemented in Rust (Axum, Shuttle) with an OAuth 2.1/Auth0-based authentication flow. It exposes MCP JSON-RPC 2.0 endpoints (public initialize/handshake, protected tools/resources/prompts) and includes built-in tools/resources/prompts plus a registry-based architecture for extending capabilities.
Score Breakdown
⚙ Agent Friendliness
🔒 Security
Uses OAuth 2.1/Auth0 and requires authentication for tools/resources/prompts. Secrets are configured via Secrets.toml (environment/secret file) and a SESSION_JWT_SECRET is required. The provided content does not describe TLS requirements explicitly (assumed HTTPS in production via Shuttle URLs), does not specify authorization scopes/least-privilege, does not describe rate limiting, and provides no detail on secure logging practices or dependency audit status.
⚡ Reliability
Best When
You want a Rust-based MCP server scaffold with OAuth2/OIDC-style login (Auth0) and a registry-driven way to add tools/resources/prompts.
Avoid When
You need documented REST/OpenAPI contracts or SDKs beyond the MCP JSON-RPC interface, or you require explicit, documented rate limits and consistent error-code semantics.
Use Cases
- Serve MCP clients (e.g., Claude/other MCP inspectors) with authenticated tool/resource/prompt access
- Build an authenticated “tool server” that exposes text/AI/db/time utilities via MCP
- Use PostgreSQL-backed resources (e.g., user stats) and extend with custom tools/resources/prompts
- Quickly scaffold an MCP server with OAuth 2.1 and Shuttle deployment
Not For
- Public unauthenticated access to tools/resources/prompts (those are described as protected)
- Use as a drop-in solution without setting the required OAuth/client secrets and the session JWT secret
- Production use without validating MCP compliance details, error formats, and security hardening beyond the template-level README claims
Interface
Authentication
The README describes OAuth 2.1 with Auth0 and that tools/resources/prompts are protected. It does not specify token scopes/permissions granularity in the provided content.
Pricing
No pricing information is provided; costs depend on Shuttle hosting and external services (e.g., Auth0/OpenAI if configured).
Agent Metadata
Known Gotchas
- ⚠ Protected methods require an authenticated session/token (complete the OAuth flow before calling tools/resources/prompts).
- ⚠ Transport/endpoint details rely on the MCP client configuration (e.g., Inspector uses Streamable HTTP and Proxy Session Token).
- ⚠ No explicit mention of tool-level idempotency or retry behavior; agent should assume tool calls may have side effects or variable latency (especially AI/db-backed tools).
Alternatives
Scores are editorial opinions as of 2026-04-04.