extra Host header values to accept
extra Origin header values to accept
OAuth 2.1 Resource Server enforcement (basic/authorization). When auth.validator is set, every MCP request must present a valid Authorization: Bearer token: the transport validates it (and its RFC 8707 audience), returns 401 with a WWW-Authenticate: Bearer header carrying the resource_metadata URL on failure, returns 403 insufficient_scope when a required scope is missing, and serves the RFC 9728 Protected Resource Metadata document at /.well-known/oauth-protected-resource. Validated token info is surfaced to handlers via RequestContext.auth. When unset (the default) the transport performs no token checks.
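The gate described above, as an added example that is not the project's own D code: a Python model of the decision the transport makes per request (401 with a WWW-Authenticate challenge carrying resource_metadata, 403 insufficient_scope, pass-through when no validator is configured) plus the RFC 9728 metadata document. The resource URI, metadata URL, authorization server, scope name and the token table are all constructed for the example; the validator callback and the TokenInfo shape are assumptions standing in for whatever auth.validator returns.

```python
"""Model of Authorization: Bearer enforcement on an MCP HTTP endpoint (constructed example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed values; a real deployment derives these from its own configuration.
RESOURCE = "https://mcp.example.test/mcp"                 # RFC 8707 resource indicator
METADATA_URL = "https://mcp.example.test/.well-known/oauth-protected-resource"
AUTH_SERVER = "https://as.example.test"


@dataclass
class TokenInfo:
    """What a validator hands back; this is what handlers would see as RequestContext.auth."""
    subject: str
    audience: List[str]
    scopes: Set[str]


# Hypothetical validator signature: raw bearer token -> TokenInfo, or None when invalid/expired.
Validator = Callable[[str], Optional[TokenInfo]]


def protected_resource_metadata() -> Dict[str, object]:
    """RFC 9728 document served at /.well-known/oauth-protected-resource."""
    return {
        "resource": RESOURCE,
        "authorization_servers": [AUTH_SERVER],
        "bearer_methods_supported": ["header"],
        "scopes_supported": ["mcp:tools"],
    }


def check_request(headers: Dict[str, str],
                  validator: Optional[Validator],
                  required_scope: Optional[str] = None
                  ) -> Tuple[int, Dict[str, str], Optional[TokenInfo]]:
    """Return (status, response_headers, token_info); 200 means the request may proceed."""
    if validator is None:
        return 200, {}, None                       # auth.validator unset: no token checks
    challenge = f'Bearer resource_metadata="{METADATA_URL}"'
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return 401, {"WWW-Authenticate": challenge}, None
    info = validator(token)
    # Audience check (RFC 8707): a token minted for another resource is rejected, not reused.
    if info is None or RESOURCE not in info.audience:
        return 401, {"WWW-Authenticate": challenge + ', error="invalid_token"'}, None
    if required_scope and required_scope not in info.scopes:
        hdr = challenge + f', error="insufficient_scope", scope="{required_scope}"'
        return 403, {"WWW-Authenticate": hdr}, None
    return 200, {}, info


# Constructed token table standing in for an introspection endpoint or JWT verification.
_TOKENS = {
    "tok-good": TokenInfo("alice", [RESOURCE], {"mcp:tools"}),
    "tok-wrong-aud": TokenInfo("bob", ["https://other.example.test/api"], {"mcp:tools"}),
    "tok-no-scope": TokenInfo("carol", [RESOURCE], set()),
}


def demo_validator(token: str) -> Optional[TokenInfo]:
    return _TOKENS.get(token)


if __name__ == "__main__":
    for hdrs in ({}, {"Authorization": "Bearer tok-good"},
                 {"Authorization": "Bearer tok-wrong-aud"}, {"Authorization": "Bearer tok-no-scope"}):
        status, out, info = check_request(hdrs, demo_validator, "mcp:tools")
        print(status, out, info.subject if info else None)
```

The audience check is the part most often skipped: without it a bearer token issued for some other service is accepted here, and the 401 challenge is what lets a compliant client discover the metadata URL and obtain a correctly scoped token instead of retrying blindly.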
addresses to bind
Opt-in backwards compatibility with the deprecated 2024-11-05 HTTP+SSE two-endpoint transport (basic/transports §HTTP with SSE; and the 2025-06-18 / 2025-11-25 / draft §Backwards Compatibility guidance: "Servers wanting to support older clients should: Continue to host both the SSE and POST endpoints of the old transport, alongside the new MCP endpoint"). This is a SHOULD, so it is off by default. When enabled, mountMcp ALSO mounts the two legacy endpoints alongside the modern MCP endpoint:
- GET legacySsePath: opens a text/event-stream, immediately emits an endpoint event whose data is legacyMessagePath (the URI the client must POST to), then holds the stream open delivering server messages as SSE message events;
- POST legacyMessagePath: accepts a single JSON-RPC message, processes it, replies 202 Accepted with no body, and pushes any JSON-RPC response back onto the open GET stream as a message event.
A 2024-11-05-only client can then negotiate the legacy transport against a D MCP server. The modern Streamable HTTP endpoint is unchanged.
legacy POST message endpoint path
legacy GET SSE endpoint path
the single MCP endpoint path
Reconnect-delay hint (milliseconds) for the standalone server->client SSE stream on the 2025-11-25 revision. When non-zero, the GET stream emits a standard SSE retry: event right after opening, so that if the server later closes the connection without terminating the stream (e.g. to avoid holding a long-lived socket), the client already knows how long to wait before reconnecting (basic/transports §Sending Messages item 6 / §Listening for Messages item 4: "it SHOULD send an SSE event with a standard retry field before closing the connection. The client MUST respect the retry field"). This is a 2025-11-25-only SHOULD: it is built on the connection/stream split and Last-Event-ID reconnect that only that revision defines, so it never alters 2025-06-18 / 2025-03-26 / 2024-11-05 or draft wire output. When zero (the default) no retry: hint is sent.
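Both server-to-client SSE behaviours described above (the legacy two-endpoint exchange and the 2025-11-25 retry hint), as an added example in Python rather than the project's own D code: an in-memory stand-in for an open text/event-stream, the legacy GET/POST pair emitting the endpoint and message events, the standalone GET stream that emits a retry field only on the 2025-11-25 revision, and a minimal client-side parser showing what the client actually observes. The paths, the JSON-RPC dispatcher and the 3000 ms delay are constructed; the revision strings are the ones named on the page.

```python
"""Server->client SSE framing for the legacy and 2025-11-25 streams (constructed example)."""
import json
from typing import Callable, Dict, List, Optional, Tuple

LEGACY_REVISION = "2024-11-05"
RETRY_REVISION = "2025-11-25"   # the only revision on which a retry: hint is emitted


def sse_event(data: str, event: Optional[str] = None, event_id: Optional[str] = None) -> str:
    """Format one SSE event; multi-line data becomes several data: lines."""
    lines = []
    if event:
        lines.append(f"event: {event}")
    if event_id is not None:
        lines.append(f"id: {event_id}")
    lines += [f"data: {line}" for line in (data.splitlines() or [""])]
    return "\n".join(lines) + "\n\n"


class SseStream:
    """Stand-in for one open text/event-stream response body."""
    def __init__(self) -> None:
        self.frames: List[str] = []

    def write(self, frame: str) -> None:
        self.frames.append(frame)

    def text(self) -> str:
        return "".join(self.frames)


def open_legacy_sse(stream: SseStream, legacy_message_path: str) -> None:
    """Legacy GET: the first event tells the client where to POST its JSON-RPC messages."""
    stream.write(sse_event(legacy_message_path, event="endpoint"))


def handle_legacy_post(stream: SseStream, body: bytes,
                       dispatch: Callable[[dict], Optional[dict]]) -> int:
    """Legacy POST: process one message, push any response onto the GET stream, reply 202."""
    response = dispatch(json.loads(body))
    if response is not None:                     # notifications yield no response
        stream.write(sse_event(json.dumps(response), event="message"))
    return 202


def open_standalone_get(stream: SseStream, revision: str, retry_ms: int = 0) -> None:
    """Modern standalone GET stream: emit the reconnect hint only on 2025-11-25 and only if non-zero."""
    if revision == RETRY_REVISION and retry_ms > 0:
        stream.write(f"retry: {retry_ms}\n\n")   # field-only block: sets the client's reconnect delay


def parse_sse(text: str) -> Tuple[List[Dict[str, object]], Optional[int]]:
    """Minimal client-side parse: (events with data, retry_ms seen or None)."""
    events: List[Dict[str, object]] = []
    retry: Optional[int] = None
    for block in text.split("\n\n"):
        if not block.strip():
            continue
        ev: Dict[str, object] = {"event": "message", "id": None}
        data: List[str] = []
        for line in block.split("\n"):
            field, _, value = line.partition(":")
            value = value[1:] if value.startswith(" ") else value
            if field == "retry":
                retry = int(value)
            elif field == "event":
                ev["event"] = value
            elif field == "id":
                ev["id"] = value
            elif field == "data":
                data.append(value)
        if data:                                 # a block with no data dispatches no event
            ev["data"] = "\n".join(data)
            events.append(ev)
    return events, retry


def demo_dispatch(msg: dict) -> Optional[dict]:
    """Constructed JSON-RPC handler: answers ping, ignores notifications (no id)."""
    if "id" not in msg:
        return None
    return {"jsonrpc": "2.0", "id": msg["id"], "result": {}}


if __name__ == "__main__":
    legacy = SseStream()
    open_legacy_sse(legacy, "/messages")
    handle_legacy_post(legacy, b'{"jsonrpc":"2.0","id":1,"method":"ping"}', demo_dispatch)
    print(legacy.text())
    modern = SseStream()
    open_standalone_get(modern, RETRY_REVISION, 3000)
    print(parse_sse(modern.text()))
```

Note that the retry block carries no data, so no message event is dispatched; the client only updates its reconnection delay, which is exactly why the hint can be sent right after opening without disturbing message ordering.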
DNS-rebinding protection: reject requests whose Host/Origin is not a recognized localhost value (or in the explicit allow-lists below). On by default per the MCP transport security guidance; disable when fronting the server with a trusted reverse proxy.
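The Host/Origin check described above, written out as an added example (Python, not the project's D code) so the edge cases are visible: ports are stripped before the localhost comparison, IPv6 literals keep their brackets, an Origin of "null" or a non-http scheme is rejected, and the extra Host/Origin allow-lists from the fields above are honoured as whole values. The 403 status, the "attacker" and "internal" host names and the allow-list contents are constructed for the example; the localhost set is an assumption about what "recognized localhost value" means.

```python
"""DNS-rebinding guard on Host and Origin headers (constructed example)."""
from typing import Dict, Iterable, Tuple
from urllib.parse import urlsplit

# Assumed set of recognized localhost values; adjust to the deployment.
LOCALHOST_NAMES = {"localhost", "127.0.0.1", "[::1]"}


def host_without_port(host: str) -> str:
    """Drop an optional :port from a Host value, keeping IPv6 brackets intact."""
    host = host.strip().lower()
    if host.startswith("["):                      # "[::1]:8080" -> "[::1]"
        end = host.find("]")
        return host[:end + 1] if end != -1 else host
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host


def origin_is_local(origin: str) -> bool:
    """True only for an http(s) origin whose host part is a recognized localhost value."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False                              # covers "null" and non-web schemes
    name = parts.hostname.lower()
    return name in LOCALHOST_NAMES or f"[{name}]" in LOCALHOST_NAMES


def check_rebinding(headers: Dict[str, str], protect: bool = True,
                    extra_hosts: Iterable[str] = (), extra_origins: Iterable[str] = ()
                    ) -> Tuple[int, str]:
    """Return (status, reason); 200 accepts the request, 403 rejects it (status code assumed)."""
    if not protect:
        return 200, "protection disabled (trusted reverse proxy in front)"
    host = headers.get("Host")
    if host is None:
        return 400, "missing Host header"
    allowed_hosts = {h.strip().lower() for h in extra_hosts}
    if host_without_port(host) not in LOCALHOST_NAMES and host.strip().lower() not in allowed_hosts:
        # A rebinding attack arrives with the attacker's own name in Host: this is the line that stops it.
        return 403, f"Host {host!r} is not a recognized localhost value"
    origin = headers.get("Origin")
    if origin is not None:
        allowed_origins = {o.strip().lower() for o in extra_origins}
        if origin.strip().lower() not in allowed_origins and not origin_is_local(origin):
            return 403, f"Origin {origin!r} not allowed"
    return 200, "ok"


if __name__ == "__main__":
    samples = [
        {"Host": "localhost:3000", "Origin": "http://localhost:3000"},
        {"Host": "[::1]:3000", "Origin": "http://[::1]:3000"},
        {"Host": "attacker.example.test:3000"},          # constructed rebinding-style request
        {"Host": "localhost", "Origin": "null"},
    ]
    for h in samples:
        print(h, "->", check_rebinding(h))
```

Compare Host as a whole value against the allow-list (port included) rather than only the name: the field is documented as extra Host header values, and a looser match would silently admit other ports on the same name.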
Configuration for the Streamable HTTP server transport.