sample-multi-tenant-saas
Multi-Tenant remote MCP server with Amazon Cognito and remote client with Amazon Bedrock hosted on AWS
claude mcp add --transport stdio aws-samples-sample-multi-tenant-saas-mcp-server node mcp_server/server.js \
  --env S3_BUCKET="YourS3BucketName" \
  --env DATA_REGION="your_aws_region_for_data_store" \
  --env ENVIRONMENT="development|staging|production" \
  --env COGNITO_REGION="your_aws_region" \
  --env DYNAMODB_TABLE="YourDynamoDBTableName" \
  --env JWT_SIGNING_KEY="your_jwt_signing_key_or_secret" \
  --env COGNITO_CLIENT_ID="your_cognito_client_id" \
  --env COGNITO_USER_POOL_ID="your_cognito_user_pool_id" \
  --env OPENID_CONFIGURATION_URL="https://your-domain/.well-known/openid-configuration"
How to use
This MCP server implements a multi-tenant remote MCP server that uses a secure, RFC-compliant OpenID Connect flow for authentication and authorization. It supports dynamic client registration and per-tenant data isolation using AWS services: Cognito for identity, DynamoDB for metadata and resource state, and S3 for storage. The server exposes an OpenID configuration endpoint to advertise its registration capabilities and supports RFC 9728 protected resource metadata. To use it, deploy the server and connect MCP clients (for example, an Amazon Bedrock-based client UI) to the server’s endpoint. Tenants authenticate via Cognito and obtain access tokens, and the server enforces tenant isolation and authorization policies for each tenant. The included client UI demonstrates remote MCP server management, OAuth integration, and real-time MCP tools, resources, and prompts, so operators can register and manage multiple MCP servers from a single interface.
How to install
Prerequisites:
- Node.js v14+ and npm
- AWS credentials configured (for deployment and AWS service access if using AWS resources)
- Git
Install and run:
- Clone the repository:
  git clone <repository-url>
  cd sample-multi-tenant-saas
- Install server dependencies:
  cd mcp_server
  npm install
- Configure environment: create or update a .env file or set environment variables as shown in the mcp_config section. Required values include Cognito user pool details, region, and data store identifiers.
- Start the MCP server (local development):
  node mcp_server/server.js
- Optional deployment (infra):
  cd mcp_server/infra
  npm install
  ./deploy.sh
Note: If your deployment uses Docker, adapt the command to run the container with the same environment variables. The Quick Start mentions an infra deployment script, so ensure your CI/CD or deployment target has the required AWS permissions and network configuration.
Additional notes
Tips and considerations:
- Ensure Cognito user pool configuration aligns with your tenant provisioning flow (multi-tenant authentication and authorization via OAuth 2.1).
- Use RFC 7591 for dynamic client registration and RFC 8414 for the OpenID configuration discovery endpoint.
- The server relies on per-tenant isolation in DynamoDB and S3; verify IAM roles and bucket policies for restricted access.
- Monitor logs and enable appropriate observability (CloudWatch, X-Ray, or your preferred logging solution).
- When developing or testing locally, keep environment variables in a secure, non-committed store and use separate environments for development, staging, and production.
- If you encounter issues with token validation, verify that the JWT_SIGNING_KEY and COGNITO configuration are in sync with the Cognito setup.