mcp s

This MCP server collection provides streaming HTTP MCP servers that integrate with Pomerium to add authentication, authorization, and OAuth 2.1 workflows for internal MCP endpoints. The Notion server demonstrates how to proxy requests to Notion on behalf of an authenticated user, including scopes and token handling, while the SQLite server offers a simple readonly MCP endpoint that queries a SQLite database. Each server is designed to run behind Pomerium, which handles TLS termination and token exchange, enabling external clients to securely call internal MCP endpoints. To use them, deploy the servers behind your Pomerium gateway and configure routes that map external MCP client requests to the internal MCP server paths (for example /mcp). The system will issue External Tokens (TE) to clients and manage Internal Tokens (TI) for upstream OAuth providers as needed.

Prerequisites:

• Linux or macOS host
• Docker and Docker Compose installed
• A domain with TLS termination via Pomerium (or access to port 443 for TLS, as required by your setup)

Installation steps:

1. Install Docker and Docker Compose on your host.

2. Clone this repository or pull the needed Docker images:

   • git clone https://github.com/pomerium/mcp-servers
   • cd mcp-servers

3. Prepare your pomerium-config.yaml to route external MCP clients to the internal MCP servers. Example placeholders: routes:

   • from: https://my-mcp-server.example.com to: http://localhost:8080/mcp name: Notion MCP mcp: {}

4. Start the services (example using Docker):

   • docker compose up -d
   • Or run individual servers directly: docker run -d --name mcp-notion -e NOTION_CLIENT_ID=... -e NOTION_CLIENT_SECRET=... pomerium/mcp-servers:main docker run -d --name mcp-sqlite -e SQLITE_DB_PATH=/data/database.db pomerium/mcp-servers:main

5. Verify the MCP endpoints are reachable behind Pomerium at the configured routes and that TLS certificates are issued if using public domains.

Prereq tips:

• Ensure port 443 is accessible publicly if you rely on Let's Encrypt TLS.
• Update pomerium-config.yaml to include the appropriate routes and mcp settings for each server you deploy.

Notes and tips:

• The repository demonstrates how to pair MCP servers with Pomerium for OAuth 2.1 flows; external clients will receive TE tokens, while Pomerium manages TI tokens with upstream providers.
• For Notion integration, ensure you configure the Notion OAuth client and scopes correctly in Notion and in Pomerium.
• If you run locally without public TLS, you may need to use a self-signed cert or a local CA, but public MCP clients require valid TLS certificates.
• The mcp_config entries assume the Docker image pomerium/mcp-servers:main; adjust image tags as needed for stability or features.
• When deploying multiple MCP servers, keep separate environment variable sets per server to avoid cross-contamination.