All configuration is read from environment variables or Wrangler bindings at startup. There are no config files to edit — set the variables below for your runtime and the server picks them up automatically.

Core variables

TOKENS
KV namespace binding
required
Cloudflare KV namespace binding used for token and session storage. This is a Wrangler binding, not a plain string. See Binding the KV namespace below for setup instructions.
RS_TOKENS_ENC_KEY
string
required
Base64url-encoded 32-byte key used to encrypt tokens at rest with AES-256-GCM. Generate one before deploying.
# OpenSSL
openssl rand -base64 32 | tr '+/' '-_' | tr -d '='

# Node.js
node -e "const {randomBytes}=require('crypto'); console.log(randomBytes(32).toString('base64url'))"

Auth variable

AUTH_STRATEGY
string
The authentication strategy to use. Accepted values: oauth, bearer, api_key, custom, none. If you omit this variable, the server infers it automatically based on which other variables are present:

| Condition           | Inferred strategy |
|---------------------|-------------------|
| AUTH_ENABLED=true   | oauth             |
| API_KEY is set      | api_key           |
| BEARER_TOKEN is set | bearer            |
| None of the above   | none              |
Set it explicitly when you want to override inference or be explicit in your config.

OAuth-specific variables

These variables are required when AUTH_STRATEGY=oauth.
OAUTH_CLIENT_ID
string
OAuth client ID registered with your authorization server.
OAUTH_CLIENT_SECRET
string
OAuth client secret. Store this as a Wrangler secret, never in plain text.
OAUTH_SCOPES
string
Space-separated list of OAuth scopes to request (e.g., openid profile email).
OAUTH_REDIRECT_URI
string
default:"http://localhost:3000/callback"
Redirect URI registered with your OAuth provider. Must use HTTPS in production.
Using an HTTP redirect URI in production transmits OAuth tokens insecurely. Always use HTTPS for deployed servers.
OAUTH_AUTHORIZATION_URL
string
Authorization endpoint URL of your OAuth provider (e.g., https://accounts.google.com/o/oauth2/v2/auth).
OAUTH_TOKEN_URL
string
Token endpoint URL of your OAuth provider (e.g., https://oauth2.googleapis.com/token).
OAUTH_REVOCATION_URL
string
Token revocation endpoint URL. Used when clients call /revoke.
OAUTH_REDIRECT_ALLOWLIST
string
Comma-separated list of allowed redirect URIs for dynamic client registration. Restricts which redirect URIs clients may register.
OAUTH_REDIRECT_ALLOW_ALL
boolean
default:"false"
When true, any redirect URI is accepted. Never enable this in production — it introduces an open redirect vulnerability.
Setting OAUTH_REDIRECT_ALLOW_ALL=true in a production environment is a security risk. The server logs a warning if it detects this combination.
OAUTH_EXTRA_AUTH_PARAMS
string
Extra query parameters to append to the authorization URL, in key=value&key2=value2 format. Useful for provider-specific requirements (e.g., access_type=offline&prompt=consent for Google).
PROVIDER_CLIENT_ID
string
Client ID for the upstream provider (the service your MCP server proxies, e.g., a Google API client ID). Separate from OAUTH_CLIENT_ID, which is your MCP server’s own OAuth identity.
PROVIDER_CLIENT_SECRET
string
Client secret for the upstream provider.
PROVIDER_API_URL
string
Base URL for the upstream provider’s API.
PROVIDER_ACCOUNTS_URL
string
Accounts or user-info endpoint for the upstream provider (e.g., https://www.googleapis.com/oauth2/v1/userinfo).

Bearer token variables

BEARER_TOKEN
string
Static bearer token value. Required when AUTH_STRATEGY=bearer. The server injects this as Authorization: Bearer <value> on every tool call.

API key variables

API_KEY
string
Static API key value. Required when AUTH_STRATEGY=api_key.
API_KEY_HEADER
string
default:"x-api-key"
Name of the request header used to pass the API key (e.g., x-api-key, X-Custom-Key).

Custom headers variable

CUSTOM_HEADERS
string
Arbitrary request headers to inject, in Header-Name:value,Header-Name2:value2 format. Required when AUTH_STRATEGY=custom.
CUSTOM_HEADERS=X-Workspace-Id:ws_abc123,X-Tenant:acme
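The following added example (not the project's code) implements three checks described on this page in JavaScript: the AUTH_STRATEGY inference table, the OAUTH_REDIRECT_ALLOWLIST / OAUTH_REDIRECT_ALLOW_ALL decision with its production warning, and CUSTOM_HEADERS parsing. The function names, the tie-break order when several inference conditions hold (taken as the table's order) and the exact-match allowlist rule are assumptions.

```javascript
// Added example (not the project's own code). `env` is any object with string
// values, e.g. process.env or a Workers env binding object.
const STRATEGIES = new Set(['oauth', 'bearer', 'api_key', 'custom', 'none']);

// Explicit AUTH_STRATEGY wins; otherwise infer in the order the table lists
// (assumption: that order is also the tie-break when several conditions hold).
function inferStrategy(env) {
  if (env.AUTH_STRATEGY !== undefined) {
    if (!STRATEGIES.has(env.AUTH_STRATEGY)) throw new Error(`unknown AUTH_STRATEGY: ${env.AUTH_STRATEGY}`);
    return env.AUTH_STRATEGY;
  }
  if (env.AUTH_ENABLED === 'true') return 'oauth';
  if (env.API_KEY) return 'api_key';
  if (env.BEARER_TOKEN) return 'bearer';
  return 'none';
}

// Decide whether a redirect URI supplied during dynamic client registration may be used.
// Returns { allowed, warning } so the caller can log the production warning the page mentions.
function checkRedirectUri(env, uri, isProduction) {
  if (env.OAUTH_REDIRECT_ALLOW_ALL === 'true') {
    const warning = isProduction ? 'OAUTH_REDIRECT_ALLOW_ALL=true in production: open redirect risk' : null;
    return { allowed: true, warning };
  }
  const allowlist = (env.OAUTH_REDIRECT_ALLOWLIST || '').split(',').map((s) => s.trim()).filter(Boolean);
  // Exact string match only: prefix or wildcard matching is where allowlist bypasses usually hide.
  return { allowed: allowlist.includes(uri), warning: null };
}

// Parse "Header-Name:value,Header-Name2:value2". Only the first ':' separates name
// from value, so values such as URLs keep their colons. Rejects names that are not
// RFC 7230 tokens and values containing CR/LF, which would corrupt the outgoing request.
function parseCustomHeaders(raw) {
  const headers = {};
  for (const pair of (raw || '').split(',')) {
    if (!pair.trim()) continue;
    const idx = pair.indexOf(':');
    if (idx <= 0) throw new Error(`malformed CUSTOM_HEADERS entry: ${pair}`);
    const name = pair.slice(0, idx).trim();
    const value = pair.slice(idx + 1).trim();
    if (!/^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/.test(name)) throw new Error(`invalid header name: ${name}`);
    if (/[\r\n]/.test(value)) throw new Error(`header value for ${name} contains CR/LF`);
    headers[name] = value;
  }
  return headers;
}

module.exports = { inferStrategy, checkRedirectUri, parseCustomHeaders };
```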

Other variables

BASE_URL
string
Override for the server’s public base URL. Set this when your server runs behind a reverse proxy that terminates TLS, so OAuth redirects and discovery documents use the correct external URL (e.g., https://my-mcp.example.com).
LOG_LEVEL
string
default:"info"
Minimum log level to emit. Accepted values: debug, info, warning, error.
HOST
string
default:"127.0.0.1"
Host address for the Node.js server to bind to.
PORT
number
default:"3000"
Port for the Node.js server to listen on.
RPS_LIMIT
number
default:"10"
Maximum requests per second allowed per client before rate limiting kicks in.
CONCURRENCY_LIMIT
number
default:"5"
Maximum number of concurrent in-flight requests per client.

Setting variables by runtime

Use Wrangler secrets for sensitive values and .dev.vars for local development.

Production — add secrets:
wrangler secret put RS_TOKENS_ENC_KEY
wrangler secret put OAUTH_CLIENT_SECRET
wrangler secret put BEARER_TOKEN
Local development — .dev.vars:
RS_TOKENS_ENC_KEY=<your-generated-key>
AUTH_STRATEGY=bearer
BEARER_TOKEN=my-local-token
LOG_LEVEL=debug
.dev.vars is the Wrangler equivalent of .env. Add it to .gitignore — it holds secrets.

Binding the KV namespace

TOKENS is a Cloudflare KV namespace, not a plain environment variable. You bind it in your Wrangler config.
1. Create the namespace

wrangler kv namespace create TOKENS
Copy the namespace ID printed in the output.
2. Add the binding to wrangler.toml

[[kv_namespaces]]
binding = "TOKENS"
id = "<your-kv-namespace-id>"
Or in wrangler.jsonc:
{
  "kv_namespaces": [
    {
      "binding": "TOKENS",
      "id": "<your-kv-namespace-id>"
    }
  ]
}
The KV namespace binding is only needed for Cloudflare Workers deployments. The Node.js adapter uses in-memory storage by default.