Connect an MCP Client that only supports local (stdio) servers to a Remote MCP Server, with auth support:
Note: this is a working proof-of-concept but should be considered experimental.
So far, the majority of MCP servers in the wild are installed locally, using the stdio transport. This has some benefits: both the client and the server can implicitly trust each other as the user has granted them both permission to run. Adding secrets like API keys can be done using environment variables and never leave your machine. And building on npx and uvx has allowed users to avoid explicit install steps, too.
But there's a reason most software that could be moved to the web did get moved to the web: it's so much easier to find and fix bugs & iterate on new features when you can push updates to all your users with a single deploy.
With the latest MCP Authorization specification, we now have a secure way of sharing our MCP servers with the world without running code on user's laptops. Or at least, you would, if all the popular MCP clients supported it yet. Most are stdio-only, and those that do support HTTP+SSE don't yet support the OAuth flows required.
That's where mcp-remote comes in. As soon as your chosen MCP client supports remote, authorized servers, you can remove it. Until that time, drop in this one liner and dress for the MCP clients you want!
All the most popular MCP clients (Claude Desktop, Cursor & Windsurf) use the following config format:
{
"mcpServers": {
"remote-example": {
"command": "npx",
"args": [
"mcp-remote",
"https://remote.mcp.server/sse"
]
}
}
}
To bypass authentication, or to emit custom headers on all requests to your remote server, pass --header CLI arguments:
{
"mcpServers": {
"remote-example": {
"command": "npx",
"args": [
"mcp-remote",
"https://remote.mcp.server/sse",
"--header",
"Authorization: Bearer ${AUTH_TOKEN}"
],
"env": {
"AUTH_TOKEN": "..."
}
},
}
}
Note: Cursor and Claude Desktop (Windows) have a bug where spaces inside args aren't escaped when it invokes npx, which ends up mangling these values. You can work around it using:
npx is producing errors, consider adding -y as the first argument to auto-accept the installation of the mcp-remote package. "command": "npx",
"args": [
"-y"
"mcp-remote",
"https://remote.mcp.server/sse"
]
npx to always check for an updated version of mcp-remote, add the @latest flag: "args": [
"mcp-remote@latest",
"https://remote.mcp.server/sse"
]
mcp-remote listens for an OAuth redirect (by default 3334), add an additional argument after the server URL. Note that whatever port you specify, if it is unavailable an open port will be chosen at random. "args": [
"mcp-remote",
"https://remote.mcp.server/sse",
"9696"
]
mcp-remote registers as the OAuth callback URL (by default localhost), add the --host flag. "args": [
"mcp-remote",
"https://remote.mcp.server/sse",
"--host",
"127.0.0.1"
]
--allow-http flag. Note: This should only be used in secure private networks where traffic cannot be intercepted. "args": [
"mcp-remote",
"http://internal-service.vpc/sse",
"--allow-http"
]
--debug flag. This will write verbose logs to ~/.mcp-auth/{server_hash}_debug.log with timestamps and detailed information about the auth process, connections, and token refreshing. "args": [
"mcp-remote",
"https://remote.mcp.server/sse",
"--debug"
]
MCP Remote supports different transport strategies when connecting to an MCP server. This allows you to control whether it uses Server-Sent Events (SSE) or HTTP transport, and in what order it tries them.
Specify the transport strategy with the --transport flag:
npx mcp-remote https://example.remote/server --transport sse-only
Available Strategies:
http-first (default): Tries HTTP transport first, falls back to SSE if HTTP fails with a 404 errorsse-first: Tries SSE transport first, falls back to HTTP if SSE fails with a 405 errorhttp-only: Only uses HTTP transport, fails if the server doesn't support itsse-only: Only uses SSE transport, fails if the server doesn't support itMCP Remote supports providing static OAuth client metadata instead of using the mcp-remote defaults. This is useful when connecting to OAuth servers that expect specific client/software IDs or scopes.
Provide the client metadata as a JSON string or as a @ prefixed filepath with the --static-oauth-client-metadata flag:
npx mcp-remote https://example.remote/server --static-oauth-client-metadata '{ "scope": "space separated scopes" }'
# uses node readfile, so you probably want to use absolute paths if you're not sure what the cwd is
npx mcp-remote https://example.remote/server --static-oauth-client-metadata '@/Users/username/Library/Application Support/Claude/oauth_client_metadata.json' Static OAuth Client Information
Per the spec, servers are encouraged but not required to support OAuth dynamic client registration.
For these servers, MCP Remote supports providing static OAuth client information instead. This is useful when connecting to OAuth servers that require pre-registered clients.
Provide the client metadata as a JSON string or as a @ prefixed filepath with the --static-oauth-client-info flag:
export MCP_REMOTE_CLIENT_ID=xxx
export MCP_REMOTE_CLIENT_SECRET=yyy
npx mcp-remote https://example.remote/server --static-oauth-client-info "{ \"client_id\": \"$MCP_REMOTE_CLIENT_ID\", \"client_secret\": \"$MCP_REMOTE_CLIENT_SECRET\" }"
# uses node readfile, so you probably want to use absolute paths if you're not sure what the cwd is
npx mcp-remote https://example.remote/server --static-oauth-client-info '@/Users/username/Library/Application Support/Claude/oauth_client_info.json'
In order to add an MCP server to Claude Desktop you need to edit the configuration file located at:
~/Library/Application Support/Claude/claude_desktop_config.json%APPDATA%\Claude\claude_desktop_config.jsonIf it does not exist yet, you may need to enable it under Settings > Developer.
Restart Claude Desktop to pick up the changes in the configuration file. Upon restarting, you should see a hammer icon in the bottom right corner of the input box.
Official Docs. The configuration file is located at ~/.cursor/mcp.json.
As of version 0.48.0, Cursor supports unauthed SSE servers directly. If your MCP server is using the official MCP OAuth authorization protocol, you still need to add a "command" server and call mcp-remote.
Official Docs. The configuration file is located at ~/.codeium/windsurf/mcp_config.json.
For instructions on building & deploying remote MCP servers, including acting as a valid OAuth client, see the following resources:
In particular, see:
McpAgent using the agents framework.For more information about testing these servers, see also:
Know of more resources you'd like to share? Please add them to this Readme and send a PR!
Clear your~/.mcp-auth directory
mcp-remote stores all the credential information inside ~/.mcp-auth (or wherever your MCP_REMOTE_CONFIG_DIR points to). If you're having persistent issues, try running:
Then restarting your MCP client.
Make sure that the version of Node you have installed is 18 or higher. Claude Desktop will use your system version of Node, even if you have a newer version installed elsewhere.
When modifying claude_desktop_config.json it can helpful to completely restart Claude
You may run into issues if you are behind a VPN, you can try setting the NODE_EXTRA_CA_CERTS environment variable to point to the CA certificate file. If using claude_desktop_config.json, this might look like:
{
"mcpServers": {
"remote-example": {
"command": "npx",
"args": [
"mcp-remote",
"https://remote.mcp.server/sse"
],
"env": {
"NODE_EXTRA_CA_CERTS": "{your CA certificate file path}.pem"
}
}
}
}
tail -n 20 -F ~/Library/Logs/Claude/mcp*.logtail -n 20 -f "C:\Users\YourUsername\AppData\Local\Claude\Logs\mcp.log"Get-Content "C:\Users\YourUsername\AppData\Local\Claude\Logs\mcp.log" -Wait -Tail 20For troubleshooting complex issues, especially with token refreshing or authentication problems, use the --debug flag:
"args": [ "mcp-remote", "https://remote.mcp.server/sse", "--debug" ]
This creates detailed logs in ~/.mcp-auth/{server_hash}_debug.log with timestamps and complete information about every step of the connection and authentication process. When you find issues with token refreshing, laptop sleep/resume issues, or auth problems, provide these logs when seeking support.
If you encounter the following error, returned by the /callback URL:
Authentication Error
Token exchange failed: HTTP 400
You can run rm -rf ~/.mcp-auth to clear any locally stored state and tokens.
Run the following on the command line (not from an MCP server):
npx -p mcp-remote@latest mcp-remote-client https://remote.mcp.server/sse
This will run through the entire authorization flow and attempt to list the tools & resources at the remote URL. Try this after running rm -rf ~/.mcp-auth to see if stale credentials are your problem, otherwise hopefully the issue will be more obvious in these logs than those in your MCP client.
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4