How does it work
@pomerium
关于 How does it work
Demo application showcasing how to build and secure MCP servers and clients with Pomerium using contextual access policies.
基本信息
配置
使用下面的配置,将此服务器添加到你的 MCP 客户端。
{
"mcpServers": {
"mcp-app-demo": {
"command": "docker",
"args": [
"compose",
"up",
"-d"
]
}
}
}工具
未检测到工具
工具是从 README 中自动提取的。维护者可以在 ## Tools 标题下列出工具,即可填充这部分内容。
概览
What is How does it work?
Pomerium Chat is a minimal chat application that demonstrates how to secure remote Model Context Protocol (MCP) servers with Pomerium. It integrates MCP clients (like Claude.ai or OpenAI) with internal MCP servers behind Pomerium’s authentication and authorization gateway, and is intended for developers building agentic frameworks or internal apps that invoke MCP servers.
How to use How does it work?
Set up the required environment variables in .env-mcp-app-demo (an OpenAI API key), configure Pomerium routes in pomerium-config.yaml with your domain, and run docker compose up -d. The demo includes a SQLite MCP server. After signing in at https://mcp-app-demo.YOUR-DOMAIN/, you can query the database via natural language.
Key features of How does it work
- Secures local HTTP MCP servers with Pomerium’s OAuth 2.1 gateway
- Supports upstream OAuth flows for services like GitHub or Google Drive
- External clients never see upstream OAuth tokens (TI)
- MCP servers can remain stateless and token‑free
- Provides an endpoint to list available MCP servers and their connection status
- Allows redirecting users to complete upstream OAuth authentication
Use cases of How does it work
- Exposing an internal database MCP server to remote MCP clients like Claude.ai
- Building internal applications that call MCP servers via LLM APIs (OpenAI, Claude)
- Secure proxying of MCP requests that require upstream OAuth tokens
FAQ from How does it work
What are the prerequisites for running the demo?
You need a Linux or macOS host, Docker and Docker Compose, port 443 exposed to the internet for Let’s Encrypt TLS, and an OpenAI API key.
How does Pomerium handle authentication for MCP servers?
Pomerium sits between MCP clients and servers, managing sign‑in via its own interface. It issues an External Token (TE) to the client and, if needed, obtains an Internal Token (TI) from an upstream OAuth provider – the client never sees TI.
What is the difference between External Token (TE) and Internal Token (TI)?
TE is an externally‑facing token from Pomerium used by clients to authenticate requests to MCP servers. TI is an internal token that Pomerium obtains from an upstream OAuth provider and passes to the MCP server when proxying requests.
How do I make an MCP server accessible to an external client?
Configure a Pomerium route with the mcp property (e.g., mcp: server: {}) pointing to the internal MCP server. Pomerium then handles authentication and authorization for all incoming requests.
How can my own application obtain an External Token for an MCP server?
Enable mcp.pass_upstream_access_token on your app’s route. Pomerium will supply the backend with an Authorization header containing the External Token, which can then be forwarded to LLM APIs or agentic frameworks.
其他 分类下的更多 MCP 服务器
Core Philosophy: Connect, Unify, Respond
mindsdbDelegate anything. It comes back done.

EverArt
modelcontextprotocolModel Context Protocol Servers
Activepieces
activepiecesAI Agents & MCPs & AI Workflow Automation • (~400 MCP servers for AI agents) • AI Automation / AI Agent with MCPs • AI Workflows & AI Agents • MCPs for AI Agents
FastMCP v2 🚀
jlowin🚀 The fast, Pythonic way to build MCP servers and clients.
AutoBrowser MCP
autobrowser-aiBrowser MCP is a Model Context Provider (MCP) server that allows AI applications to control your browser
评论