This MCP server is a resource server built with TypeScript that demonstrates OAuth 2.0 token validation, workspace-scoped access, and Firestore-backed data for tools. The server registers a set of example tools under the MCP SDK patterns and protects tool calls with Bearer tokens issued by a separate OAuth Authorization Server. To use it, first obtain an access token from your Authorization Server, then call the MCP API endpoints with the token in the Authorization header. The repository illustrates how to structure tools, define input schemas with Zod, and wrap handlers with withWorkspaceAccess to enforce multi-tenant workspace permissions. After starting the server, you can explore the provided example tools, review the input schemas, and observe how Firestore is used to fetch user and workspace data during tool execution.

Prerequisites:

• Node.js v18+ (and npm or yarn)
• Access to a Firestore instance or Firestore Emulator running locally
• An OAuth 2.0 Authorization Server to issue tokens for testing

Install and run locally:

1. Clone the repository git clone https://github.com/portal-labs-infrastructure/mcp-server-blog cd mcp-server-blog

2. Install dependencies npm install

   or

   yarn install

3. Configure environment Copy the example env file and edit values: cp .env.example .env

   Fill in: PROJECT_ID, OAUTH_ISSUER_URL, BASE_URL, etc.

4. Build (typical for TypeScript projects) npm run build

5. Run the server npm start

   For development with auto-restart, you might use: npm run dev

6. Optional: Run with Firestore Emulator

   • Start emulator: gcloud emulators firestore start --host-port=localhost:8081
   • Ensure FIRESTORE_EMULATOR_HOST=localhost:8081 is set in the environment

Note: If you prefer not to build locally, you can also run via npx or a prebuilt dist if provided in the repo, but the recommended flow is to build and run with npm scripts as shown above.

Tips and common considerations:

• Ensure OAuth issuer URL and audience match what your Authorization Server issues in tokens.
• When developing locally, use Firestore Emulator and set FIRESTORE_EMULATOR_HOST accordingly to avoid hitting production data.
• The MCP HOC withWorkspaceAccess enforces workspace-level permissions; ensure your token contains the user/workspace claims expected by the middleware.
• Zod schemas are used for input validation; if you extend tools, define strong runtime validation to catch invalid inputs early.
• If you upgrade the MCP SDK, re-check the middleware interfaces for token validation and workspace extraction as the library evolves.
• For production, wrap sensitive config like OAuth endpoints and Firestore credentials in a secure environment variable store.