MetaMCP

A self-hostable middleware to manage all your MCPs through a GUI and a local proxy, supporting multiple clients and workspaces.

View on GitHub β†’

πŸš€ MetaMCP (MCP Aggregator, Orchestrator, Middleware, Gateway in one docker)

MetaMCP is a MCP proxy that lets you dynamically aggregate MCP servers into a unified MCP server, and apply middlewares. MetaMCP itself is a MCP server so it can be easily plugged into ANY MCP clients.

MetaMCP Diagram

For more details, consider visiting our documentation site: https://docs.metamcp.com

English | δΈ­ζ–‡

πŸ“‹ Table of Contents

🎯 Use Cases

  • 🏷️ Group MCP servers into namespaces, host them as meta-MCPs, and assign public endpoints (SSE or Streamable HTTP), with auth. One-click to switch a namespace for an endpoint.
  • 🎯 Pick tools you only need when remixing MCP servers. Apply other pluggable middleware around observability, security, etc. (coming soon)
  • πŸ” Use as enhanced MCP inspector with saved server configs, and inspect your MetaMCP endpoints in house to see if it works or not.
  • πŸ” Use as Elasticsearch for MCP tool selection (coming soon)

Generally developers can use MetaMCP as infrastructure to host dynamically composed MCP servers through a unified endpoint, and build agents on top of it.

Quick demo video: https://youtu.be/Cf6jVd2saAs

MetaMCP Screenshot

πŸ“– Concepts

πŸ–₯️ MCP Server

A MCP server configuration that tells MetaMCP how to start a MCP server.

"HackerNews": {
  "type": "STDIO",
  "command": "uvx",
  "args": ["mcp-hn"]
}

🏷️ MetaMCP Namespace

  • Group one or more MCP servers into a namespace
  • Enable/disable MCP servers or at tool level
  • Apply middlewares to MCP requests and responses

🌐 MetaMCP Endpoint

  • Create endpoints and assign namespace to endpoints
  • Multiple MCP servers in the namespace will be aggregated and emitted as a MetaMCP endpoint
  • Choose auth level and strategy
  • Host through SSE or Streamable HTTP transports in MCP and OpenAPI endpoints for clients like Open WebUI

βš™οΈ Middleware

  • Intercepts and transforms MCP requests and responses at namespace level
  • Built-in example: "Filter inactive tools" - optimizes tool context for LLMs
  • Future ideas: tool logging, error traces, validation, scanning

πŸ” Inspector

Similar to the official MCP inspector, but with saved server configs - MetaMCP automatically creates configurations so you can debug MetaMCP endpoints immediately.

πŸš€ Quick Start

🐳 Run with Docker Compose (Recommended)

Clone repo, prepare .env, and start with docker compose:

git clone https://github.com/metatool-ai/metamcp.git
cd metamcp
cp example.env .env
docker compose up -d

If you modify APP_URL env vars, make sure you only access from the APP_URL, because MetaMCP enforces CORS policy on the URL, so no other URL is accessible.

Note that the pg volume name may collide with your other pg dockers, which is global, consider rename it in docker-compose.yml:

volumes:
  metamcp_postgres_data:
    driver: local

πŸ’» Local Development

Still recommend running postgres through docker for easy setup:

pnpm install
pnpm dev

πŸ”Œ MCP Protocol Compatibility

  • βœ… Tools, Resources, and Prompts supported
  • βœ… OAuth-enabled MCP servers tested for 03-26 version

If you have questions, feel free to leave GitHub issues or PRs.

πŸ”— Connect to MetaMCP

πŸ“ E.g., Cursor via mcp.json

Example mcp.json

{
  "mcpServers": {
    "MetaMCP": {
      "url": "http://localhost:12008/metamcp/<YOUR_ENDPOINT_NAME>/sse"
    }
  }
}

πŸ–₯️ Connecting Claude Desktop and Other STDIO-only Clients

Since MetaMCP endpoints are remote only (SSE, Streamable HTTP, OpenAPI), clients that only support stdio servers (like Claude Desktop) need a local proxy to connect.

Note: While mcp-remote is sometimes suggested for this purpose, it's designed for OAuth-based authentication and doesn't work with MetaMCP's API key authentication. Based on testing, mcp-proxy is the recommended solution.

Here's a working configuration for Claude Desktop using mcp-proxy:

Using Streamable HTTP

{
  "mcpServers": {
    "MetaMCP": {
      "command": "uvx",
      "args": [
        "mcp-proxy",
        "--transport",
        "streamablehttp",
        "http://localhost:12008/metamcp/<YOUR_ENDPOINT_NAME>/mcp"
      ],
      "env": {
        "API_ACCESS_TOKEN": "<YOUR_API_KEY_HERE>"
      }
    }
  }
}

Using SSE

{
  "mcpServers": {
    "ehn": {
      "command": "uvx",
      "args": [
        "mcp-proxy",
        "http://localhost:12008/metamcp/<YOUR_ENDPOINT_NAME>/sse"
      ],
      "env": {
        "API_ACCESS_TOKEN": "<YOUR_API_KEY_HERE>"
      }
    }
  }
}

Important notes:

  • Replace <YOUR_ENDPOINT_NAME> with your actual endpoint name
  • Replace <YOUR_API_KEY_HERE> with your MetaMCP API key (format: sk_mt_...)

For more details and alternative approaches, see issue #76.

πŸ”§ API Key Auth Troubleshooting

  • ?api_key= param api key auth doesn't work for SSE. It only works for Streamable HTTP and OpenAPI.
  • Best practice is to use the API key in Authorization: Bearer <API_KEY> header.
  • Try disable auth temporarily when you face connection issues to see if it is an auth issue.

❄️ Cold Start Problem and Custom Dockerfile

  • MetaMCP pre-allocate idle sessions for each configured MCP servers and MetaMCPs. The default idle session for each is 1 and that can help reduce cold start time.
  • If your MCP requires dependencies other than uvx or npx, you need to customize the Dockerfile to install dependencies on your own.
  • Check invalidation.md for a seq diagram about how idle session invalidates during updates.

πŸ› οΈ Solution: Customize the Dockerfile to add dependencies or pre-install packages to reduce cold start time.

πŸ” Authentication

  • πŸ›‘οΈ Better Auth for frontend & backend (TRPC procedures)
  • πŸͺ Session cookies enforce secure internal MCP proxy connections
  • πŸ”‘ API key authentication for external access via Authorization: Bearer <api-key> header
  • 🏒 Multi-tenancy: Designed for organizations to deploy on their own machines. Supports both private and public access scopes. Users can create MCPs, namespaces, endpoints, and API keys for themselves or for everyone. Public API keys cannot access private MetaMCPs.

πŸ”— OpenID Connect (OIDC) Provider Support

MetaMCP supports OpenID Connect authentication for enterprise SSO integration. This allows organizations to use their existing identity providers (Auth0, Keycloak, Azure AD, etc.) for authentication.

πŸ› οΈ Configuration

Add the following environment variables to your .env file:

# Required
OIDC_CLIENT_ID=your-oidc-client-id
OIDC_CLIENT_SECRET=your-oidc-client-secret
OIDC_DISCOVERY_URL=https://your-provider.com/.well-known/openid-configuration

# Optional customization
OIDC_PROVIDER_ID=oidc
OIDC_SCOPES=openid email profile
OIDC_PKCE=true

🏒 Supported Providers

MetaMCP has been tested with popular OIDC providers:

  • Auth0: https://your-domain.auth0.com/.well-known/openid-configuration
  • Keycloak: https://your-keycloak.com/realms/your-realm/.well-known/openid-configuration
  • Azure AD: https://login.microsoftonline.com/your-tenant-id/v2.0/.well-known/openid-configuration
  • Google: https://accounts.google.com/.well-known/openid-configuration
  • Okta: https://your-domain.okta.com/.well-known/openid-configuration

πŸ”’ Security Features

  • πŸ” PKCE (Proof Key for Code Exchange) enabled by default
  • πŸ›‘οΈ Authorization Code Flow with automatic user creation
  • πŸ”„ Auto-discovery of OIDC endpoints
  • πŸͺ Seamless session management with existing auth system

πŸ“± Usage

Once configured, users will see a "Sign in with OIDC" button on the login page alongside the email/password form. The authentication flow automatically creates new users on first login.

For more detailed configuration examples and troubleshooting, see CONTRIBUTING.md.

🌐 Custom Deployment and SSE conf for Nginx

If you want to deploy it to a online service or a VPS, a instance of at least 2GB-4GB of memory is required. And the larger size, the better performance.

Since MCP leverages SSE for long connection, if you are using reverse proxy like nginx, please refer to an example setup nginx.conf.example

πŸ—οΈ Architecture

  • Frontend: Next.js
  • Backend: Express.js with tRPC, hosting MCPs through TS SDK and internal proxy
  • Auth: Better Auth
  • Structure: Standalone monorepo with Turborepo and Docker publishing

πŸ“Š Sequence Diagram

Note: Prompts and resources follow similar patterns to tools.

sequenceDiagram
    participant MCPClient as MCP Client (e.g., Claude Desktop)
    participant MetaMCP as MetaMCP Server
    participant MCPServers as Installed MCP Servers

    MCPClient ->> MetaMCP: Request list tools

    loop For each listed MCP Server
        MetaMCP ->> MCPServers: Request list_tools
        MCPServers ->> MetaMCP: Return list of tools
    end

    MetaMCP ->> MetaMCP: Aggregate tool lists & apply middleware
    MetaMCP ->> MCPClient: Return aggregated list of tools

    MCPClient ->> MetaMCP: Call tool
    MetaMCP ->> MCPServers: call_tool to target MCP Server
    MCPServers ->> MetaMCP: Return tool response
    MetaMCP ->> MCPClient: Return tool response

πŸ—ΊοΈ Roadmap

Potential next steps:

  • πŸ”Œ Headless Admin API access
  • πŸ” Dynamically apply search rules on MetaMCP endpoints
  • πŸ› οΈ More middlewares
  • πŸ’¬ Chat/Agent Playground
  • πŸ§ͺ Testing & Evaluation for MCP tool selection optimization
  • ⚑ Dynamically generate MCP servers

🌐 i18n

See README-i18n.md

Currently en and zh locale are supported, but welcome contributions.

🀝 Contributing

We welcome contributions! See details at CONTRIBUTING.md

πŸ“„ License

MIT

Would appreciate if you mentioned with back links if your projects use the code.

πŸ™ Credits

Some code inspired by:

Not directly used the code by took ideas from

Related Servers