Gathering detailed insights and metrics for mcp-http-server
Gathering detailed insights and metrics for mcp-http-server
The Open-sourced Multimodal AI Agent Stack connecting Cutting-edge AI Models and Agent Infra.
Installations
npm install mcp-http-serverDeveloper Guide
BETA
Typescript
Yes
Module System
CommonJS, ESM
Node Version
22.15.0
NPM Version
10.9.2
Releases
27
Languages
8
TypeScript
MDX
JavaScript
CSS
Less
HTML
Shell
Dockerfile
TypeScript (92.09%)
MDX (4.09%)
JavaScript (1.63%)
CSS (1.52%)
Less (0.32%)
HTML (0.22%)
Shell (0.06%)
Dockerfile (0.06%)
Developer
Download Statistics
Total Downloads
0
Last Day
0
Last Week
0
Last Month
0
Last Year
0
GitHub Statistics
Apache-2.0 License
15,153 Stars
556 Commits
1,349 Forks
137 Watchers
102 Branches
41 Contributors
Updated on Jul 13, 2025
Maintainers
1
Package Meta Information
Latest Version
1.2.2
Package Id
mcp-http-server@1.2.2
Unpacked Size
41.67 kB
Size
10.60 kB
File Count
11
NPM Version
10.9.2
Node Version
22.15.0
Published on
Jul 09, 2025
Total Downloads
Cumulative downloads
Total Downloads
NaN
Last Day
0%
NaN
Compared to previous day
Last Week
0%
NaN
Compared to previous week
Last Month
0%
NaN
Compared to previous month
Last Year
0%
NaN
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
MCP HTTP Server
A high performance HTTP+SSE Server with Request Headers for MCP Server.
Features
- HTTP/SSE Transport: Support for both HTTP POST and Server-Sent Events
- Flexible Routing: Configurable endpoint paths and prefixes
- Request Headers: Access to HTTP headers in MCP server context
- Multiple Transports: Both stateful and stateless modes
- Middleware Support: Custom middleware for authentication, logging, etc.
Install
1npm i mcp-http-server -S
Quick Start
1import { startSseAndStreamableHttpMcpServer } from 'mcp-http-server'; 2import { createServer } from './server.js'; 3 4await startSseAndStreamableHttpMcpServer({ 5 port: 3000, 6 createMcpServer: async (params) => { 7 console.log('Request headers:', params.headers); 8 return createServer(); 9 }, 10});
API Reference
startSseAndStreamableHttpMcpServer(params)
Parameters
| Parameter | Type | Description |
|---|---|---|
port | number | Port to listen on (default: 8080) |
host | string | Host to bind to (default: '::') |
stateless | boolean | Enable stateless mode for streamable HTTP (default: true) |
middlewares | MiddlewareFunction[] | Custom Express middlewares |
routes | RoutesConfig | Custom route configuration |
logger | Logger | Custom logger instance |
createMcpServer | function | Factory function to create MCP server instances |
Route Configuration
The server supports flexible route configuration through the routes parameter.
Default Routes
By default, the server uses the following routes:
1{ 2 prefix: '/', // Route prefix for all endpoints 3 mcp: '/mcp', // MCP endpoint path 4 message: '/message', // Message endpoint path for SSE 5 sse: '/sse' // SSE endpoint path 6}
This creates the following endpoints:
- POST
/mcp- MCP HTTP transport - GET
/mcp- Returns 405 (Method Not Allowed) or SSE stream - GET
/sse- SSE connection endpoint - POST
/message- SSE message endpoint
Custom Routes
You can customize routes using the routes configuration:
1await startSseAndStreamableHttpMcpServer({
2 port: 3000,
3 routes: {
4 prefix: '/api/v1',
5 mcp: '/custom-mcp',
6 message: '/custom-message',
7 sse: '/custom-sse'
8 },
9 createMcpServer: async () => createServer(),
10});This creates endpoints at:
- POST
/api/v1/custom-mcp- MCP HTTP transport - GET
/api/v1/custom-mcp- Returns 405 or SSE stream - GET
/api/v1/custom-sse- SSE connection endpoint - POST
/api/v1/custom-message- SSE message endpoint
Route Configuration Options
routes.prefix
- Type:
string - Default:
'/' - Description: Route prefix for all endpoints
routes.mcp
- Type:
string - Default:
'/mcp' - Description: MCP endpoint path (relative to prefix)
routes.message
- Type:
string - Default:
'/message' - Description: Message endpoint path for SSE (relative to prefix)
routes.sse
- Type:
string - Default:
'/sse' - Description: SSE endpoint path (relative to prefix)
Path Handling
The server automatically handles leading/trailing slashes in paths:
1// These configurations are equivalent: 2routes: { 3 prefix: '/api/v2/', 4 mcp: 'mcp-endpoint', 5 sse: '/sse-endpoint/' 6} 7 8routes: { 9 prefix: '/api/v2', 10 mcp: '/mcp-endpoint', 11 sse: 'sse-endpoint' 12}
Both result in:
/api/v2/mcp-endpoint/api/v2/sse-endpoint/
Usage Examples
Basic HTTP Server
1import { startSseAndStreamableHttpMcpServer } from 'mcp-http-server'; 2import { Server } from '@modelcontextprotocol/sdk/server/index.js'; 3 4const server = await startSseAndStreamableHttpMcpServer({ 5 port: 3000, 6 createMcpServer: async () => { 7 return new Server( 8 { name: 'my-server', version: '1.0.0' }, 9 { capabilities: { tools: {} } } 10 ); 11 }, 12}); 13 14console.log(`Server running at ${server.url}`);
With Custom Routes and Middleware
1import { startSseAndStreamableHttpMcpServer } from 'mcp-http-server'; 2 3const authMiddleware = (req, res, next) => { 4 const token = req.headers.authorization; 5 if (!token) { 6 return res.status(401).json({ error: 'Unauthorized' }); 7 } 8 next(); 9}; 10 11await startSseAndStreamableHttpMcpServer({ 12 port: 3000, 13 host: 'localhost', 14 routes: { 15 prefix: '/api/v1', 16 mcp: '/mcp', 17 sse: '/events' 18 }, 19 middlewares: [authMiddleware], 20 createMcpServer: async (context) => { 21 console.log('User agent:', context.headers['user-agent']); 22 return createServer(); 23 }, 24});
Command Line Interface
1import { program } from 'commander'; 2import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js'; 3 4program 5 .name('mcp-server') 6 .description('MCP server with HTTP and stdio support') 7 .version('1.0.0') 8 .option('--host <host>', 'host to bind server to') 9 .option('--port <port>', 'port to listen on for HTTP transport') 10 .option('--prefix <prefix>', 'route prefix for HTTP endpoints', '/api') 11 .action(async (options) => { 12 try { 13 if (options.port || options.host) { 14 // HTTP/SSE transport 15 await startSseAndStreamableHttpMcpServer({ 16 host: options.host, 17 port: options.port ? parseInt(options.port) : undefined, 18 routes: { 19 prefix: options.prefix, 20 }, 21 createMcpServer: async (params) => { 22 console.log('HTTP request from:', params.headers['user-agent']); 23 return createServer(); 24 }, 25 }); 26 } else { 27 // Stdio transport 28 const server = createServer(); 29 const transport = new StdioServerTransport(); 30 await server.connect(transport); 31 console.debug('MCP Server running on stdio'); 32 } 33 } catch (error) { 34 console.error('Error:', error); 35 process.exit(1); 36 } 37 }); 38 39program.parse();
Transport Modes
Stateful Mode (Default: Stateless)
1await startSseAndStreamableHttpMcpServer({
2 stateless: false, // Enable stateful mode
3 createMcpServer: async () => createServer(),
4});In stateful mode:
- Each client gets a unique session ID
- Sessions are maintained across requests
- Requires proper session cleanup
Stateless Mode (Recommended)
1await startSseAndStreamableHttpMcpServer({
2 stateless: true, // Default
3 createMcpServer: async () => createServer(),
4});In stateless mode:
- No session state maintained
- Each request is independent
- Better for scaling and reliability
Return Value
startSseAndStreamableHttpMcpServer returns a McpServerEndpoint object:
1interface McpServerEndpoint { 2 url: string; // Full URL to MCP endpoint 3 sseUrl: string; // Full URL to SSE endpoint 4 port: number; // Server port 5 close: () => void; // Function to close server 6}
Example:
1const endpoint = await startSseAndStreamableHttpMcpServer({ 2 port: 3000, 3 routes: { prefix: '/api' }, 4 createMcpServer: async () => createServer(), 5}); 6 7console.log('MCP endpoint:', endpoint.url); // http://localhost:3000/api/mcp 8console.log('SSE endpoint:', endpoint.sseUrl); // http://localhost:3000/api/sse 9 10// Gracefully shutdown 11process.on('SIGTERM', () => { 12 endpoint.close(); 13});
License
MIT
No vulnerabilities found.
Reason
30 commit(s) and 24 issue activity found in the last 90 days -- score normalized to 10
Reason
security policy file detected
Details
- Info: security policy file detected: SECURITY.md:1
- Info: Found linked content: SECURITY.md:1
- Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1
- Info: Found text in security policy: SECURITY.md:1
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0
Reason
project has 15 contributing companies or organizations
Details
- Info: found contributions from: ServiceComb, alc-beijing, apache, apachecn, bat, bytedance, fusesource, ops4j, r3kapig, react-component, rich-lab, rust-modules, vuejs, vuepress, web-infra-dev
Reason
SAST tool is not run on all commits -- score normalized to 9
Details
- Warn: 28 commits out of 29 are checked with a SAST tool
Reason
28 out of 29 merged PRs checked by a CI test -- score normalized to 9
Reason
dependency not pinned by hash detected -- score normalized to 3
Details
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/bytedance/UI-TARS-desktop/test.yml/main?enable=pin
- Warn: containerImage not pinned by hash: packages/agent-infra/mcp-servers/filesystem/Dockerfile:1
- Warn: containerImage not pinned by hash: packages/agent-infra/mcp-servers/filesystem/Dockerfile:13
- Warn: npmCommand not pinned by hash: packages/agent-infra/mcp-servers/browser/Dockerfile:33
- Warn: npmCommand not pinned by hash: packages/agent-infra/mcp-servers/browser/Dockerfile:42
- Warn: npmCommand not pinned by hash: packages/agent-infra/mcp-servers/browser/Dockerfile.http:33
- Warn: npmCommand not pinned by hash: packages/agent-infra/mcp-servers/browser/Dockerfile.http:42
- Warn: npmCommand not pinned by hash: packages/agent-infra/mcp-servers/filesystem/Dockerfile:8
- Warn: npmCommand not pinned by hash: .github/workflows/agent_tars_test.yml:33
- Warn: npmCommand not pinned by hash: .github/workflows/benchmark.yml:42
- Warn: pipCommand not pinned by hash: .github/workflows/benchmark.yml:50
- Warn: pipCommand not pinned by hash: .github/workflows/benchmark.yml:51
- Warn: npmCommand not pinned by hash: .github/workflows/e2e-ui-tars.yml:49
- Warn: npmCommand not pinned by hash: .github/workflows/e2e-ui-tars.yml:59
- Warn: npmCommand not pinned by hash: .github/workflows/release-ui-tars.yml:29
- Warn: npmCommand not pinned by hash: .github/workflows/release-ui-tars.yml:37
- Warn: npmCommand not pinned by hash: .github/workflows/release-ui-tars.yml:95
- Warn: npmCommand not pinned by hash: .github/workflows/release-ui-tars.yml:103
- Warn: npmCommand not pinned by hash: .github/workflows/release-ui-tars.yml:164
- Warn: npmCommand not pinned by hash: .github/workflows/test.yml:46
- Info: 25 out of 25 GitHub-owned GitHubAction dependencies pinned
- Info: 4 out of 5 third-party GitHubAction dependencies pinned
- Info: 2 out of 4 containerImage dependencies pinned
- Info: 2 out of 17 npmCommand dependencies pinned
- Info: 0 out of 2 pipCommand dependencies pinned
Reason
Found 6/30 approved changesets -- score normalized to 2
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Info: topLevel 'contents' permission set to 'read': .github/workflows/agent_tars_test.yml:12
- Info: topLevel 'attestations' permission set to 'read': .github/workflows/agent_tars_test.yml:13
- Info: topLevel 'contents' permission set to 'read': .github/workflows/benchmark.yml:12
- Info: topLevel 'attestations' permission set to 'read': .github/workflows/benchmark.yml:13
- Info: topLevel 'contents' permission set to 'read': .github/workflows/e2e-ui-tars.yml:25
- Info: topLevel 'attestations' permission set to 'read': .github/workflows/e2e-ui-tars.yml:26
- Warn: topLevel 'contents' permission set to 'write': .github/workflows/release-ui-tars.yml:15
- Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:18
- Info: topLevel 'contents' permission set to 'read': .github/workflows/secret-scan.yml:9
- Info: topLevel 'contents' permission set to 'read': .github/workflows/test.yml:16
- Info: topLevel 'attestations' permission set to 'read': .github/workflows/test.yml:17
- Info: no jobLevel write permissions found
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
no update tool detected
Details
- Warn: no dependency update tool configurations found
Reason
Project has not signed or included provenance with any releases.
Details
- Warn: release artifact v0.2.2 not signed: https://api.github.com/repos/bytedance/UI-TARS-desktop/releases/231069571
- Warn: release artifact Agent-TARS-v1.0.0-alpha.10 not signed: https://api.github.com/repos/bytedance/UI-TARS-desktop/releases/228558556
- Warn: release artifact v0.2.1 not signed: https://api.github.com/repos/bytedance/UI-TARS-desktop/releases/227532804
- Warn: release artifact v0.2.0 not signed: https://api.github.com/repos/bytedance/UI-TARS-desktop/releases/221573505
- Warn: release artifact v0.2.2 does not have provenance: https://api.github.com/repos/bytedance/UI-TARS-desktop/releases/231069571
- Warn: release artifact Agent-TARS-v1.0.0-alpha.10 does not have provenance: https://api.github.com/repos/bytedance/UI-TARS-desktop/releases/228558556
- Warn: release artifact v0.2.1 does not have provenance: https://api.github.com/repos/bytedance/UI-TARS-desktop/releases/227532804
- Warn: release artifact v0.2.0 does not have provenance: https://api.github.com/repos/bytedance/UI-TARS-desktop/releases/221573505
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
37 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
- Warn: Project is vulnerable to: GHSA-67rr-84xm-4c7r
- Warn: Project is vulnerable to: GHSA-3h52-269p-cp9r
- Warn: Project is vulnerable to: GHSA-f82v-jwr5-mffw
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-vhxf-7vqr-mrjg
- Warn: Project is vulnerable to: GHSA-pfrx-2q88-qq97
- Warn: Project is vulnerable to: GHSA-rc47-6667-2j5j
- Warn: Project is vulnerable to: GHSA-x7hr-w5r2-h6wg
- Warn: Project is vulnerable to: GHSA-44c6-4v22-4mhx
- Warn: Project is vulnerable to: GHSA-4x5v-gmq8-25ch
- Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8
- Warn: Project is vulnerable to: GHSA-84jw-g43v-8gjm
- Warn: Project is vulnerable to: GHSA-jr5f-v2jv-69x6
- Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x
- Warn: Project is vulnerable to: GHSA-67mh-4wv8-2f99
- Warn: Project is vulnerable to: GHSA-4www-5p9h-95mh
- Warn: Project is vulnerable to: GHSA-9gqv-wp59-fq42
- Warn: Project is vulnerable to: GHSA-35jh-r3h4-6jhm
- Warn: Project is vulnerable to: GHSA-rhx6-c78j-4q9w
- Warn: Project is vulnerable to: GHSA-h7cp-r72f-jxh6
- Warn: Project is vulnerable to: GHSA-v62p-rq8g-8h59
- Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j
- Warn: Project is vulnerable to: GHSA-g3ch-rx76-35fx
- Warn: Project is vulnerable to: GHSA-3p6v-hrg8-8qj7
- Warn: Project is vulnerable to: GHSA-h5c3-5r3r-rr8q
- Warn: Project is vulnerable to: GHSA-rmvr-2pp2-xj38
- Warn: Project is vulnerable to: GHSA-xx4v-prfh-6cgc
- Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
- Warn: Project is vulnerable to: GHSA-cpj6-fhp6-mr6j
- Warn: Project is vulnerable to: GHSA-8cj5-5rvv-wf4v
- Warn: Project is vulnerable to: GHSA-cxrh-j4jr-qwg3
- Warn: Project is vulnerable to: GHSA-x574-m823-4x7w
- Warn: Project is vulnerable to: GHSA-4r4m-qw57-chr8
- Warn: Project is vulnerable to: GHSA-xcj6-pq6g-qj4x
- Warn: Project is vulnerable to: GHSA-356w-63v5-8wf4
- Warn: Project is vulnerable to: GHSA-859w-5945-r5v3
Score
4.8
/10
Last Scanned on 2025-07-12T18:31:21Z
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More