logo
Free, unlimited AI code reviews that run on commit
git-lrc git-lrc GitHub Install Now We'd appreciate a star git-lrc - Free, unlimited AI code reviews that run on commit | Product Hunt git-lrc - Free, unlimited AI code reviews that run on commit | Product Hunt

Core Authorization & Identity Relay (CAIR)

Establishes secure identity verification and delegation for MCP services using OAuth 2.0 flows, enabling the system to invoke protected backend APIs under the verified user's authority. Streamlines credential management by integrating with identity providers like Auth0 and leverages Cloudflare Workers for edge-based access control.

Author

Core Authorization & Identity Relay (CAIR) logo

pratham-svg

No License

Quick Info

GitHub GitHub Stars 0
NPM Weekly Downloads 0
Tools 1
Last Updated 2026-02-19

Actions

GitHub View on GitHub

Tags

oauthauth0authenticationmcp oauthauthorization mcpauth0 cloudflare

Model Context Protocol (MCP) Service Endpoint

This service node, functioning as an MCP intermediary, mandates prior user credential validation. Upon successful authentication, it gains delegated authority to execute secure external API invocations on the user's behalf.

Prerequisites & Setup

Dependent Services API

Prior to system activation, the required backend service (e.g., Todos API) must be provisioned and accessible, following instructions found in its documentation here.

Identity Provider Configuration (Auth0)

Within the Auth0 management console, create a new application instance, explicitly defining its type as a "Regular Web Application" within the Applications registry.

During local development setup, configure the following endpoint as the authorized redirect URI:

http://localhost:8788/callback

Persistent Key-Value Store Provisioning

Initialize a dedicated binding within the Workers KV system for secure storage:

  • Provision the namespace: wrangler kv:namespace create "OAUTH_KV"
  • Reflect the resulting ID within your Wrangler configuration file.

Operational Environment Variables

The CAIR Worker requires several sensitive parameters to be defined in its operational scope:

Parameter Rationale for Configuration
AUTH0_DOMAIN The fully qualified hostname of your Auth0 identity tenant (e.g., corp-identities.us.auth0.com)
AUTH0_CLIENT_ID The unique public identifier assigned to the Auth0 application entity
AUTH0_CLIENT_SECRET The confidential credential required for token exchange operations
AUTH0_AUDIENCE The specific URI that uniquely identifies the target backend resource API registered in Auth0 (e.g., urn:backend-service-v1)
AUTH0_SCOPE The granular permissions requested by the client: standard identity claims (openid email profile), token refresh capability (offline_access), and service-specific access (read:todos)
NODE_ENV Environment flag; set to development for iterative local debugging
API_BASE_URL The root address (scheme and host) where the protected backend API resides

Local Iteration Guide

Establish a configuration file named .dev.vars in the project root directory, populated with the following template values:

AUTH0_DOMAIN=yourdomain.us.auth0.com AUTH0_CLIENT_ID=YourAuth0AppClientID AUTH0_CLIENT_SECRET=YourAuth0AppClientSecret AUTH0_AUDIENCE=urn:todos-api AUTH0_SCOPE=openid email profile offline_access read:todos NODE_ENV=development API_BASE_URL=http://localhost:8789

Testing the Relay Service

To initiate the local forwarding service:

npm run dev

Utilize the MCP Inspector utility to establish a connection. Configure its transport mechanism to sse and point its target URL to http://localhost:8788/sse. Upon connection, a sign-in prompt will trigger, enabling subsequent tool invocation after successful authentication.

Production Deployment on Cloudflare Workers

Before pushing the service live, securely inject the following secrets into the Cloudflare Worker environment:

bash wrangler secret put AUTH0_DOMAIN wrangler secret put AUTH0_CLIENT_ID wrangler secret put AUTH0_CLIENT_SECRET wrangler secret put AUTH0_AUDIENCE wrangler secret put AUTH0_SCOPE wrangler secret put API_BASE_URL

With secrets configured, execute the deployment command:

bash npm run deploy

Subsequently, update the Auth0 application configuration by appending the production redirect URI:

https://cair-service..workers.dev/callback

To validate end-to-end functionality, utilize the Cloudflare AI LLM Playground interface (https://playground.ai.cloudflare.com/). Connect to the deployed endpoint using the pattern below:

https://cair-service..workers.dev/sse

This action will prompt an authentication flow, unlocking access to the connected tooling capabilities.

Diagnostic Procedures

If operational anomalies arise during setup or execution, consult the following checkpoints:

Inspect Worker Runtime Logs

Refer to the centralized Cloudflare Logs interface for runtime diagnostics: Cloudflare Workers Logs

Review Identity Provider Activity

  • Access the dedicated Logs section within the Auth0 portal.
  • Scrutinize records pertaining to user login attempts and any reported authorization failures.

Common Resolution Points

  • Authentication failures often stem from mismatches in Auth0 application settings or incorrect secret provisioning.
  • Connectivity problems usually point to an uninitiated Worker deployment or an incorrect public hostname.
  • Ensure every specified redirect URI in Auth0 precisely matches the endpoints used in testing/production.
  • Confirm that API_BASE_URL correctly resolves to the live target API gateway address.

See Also

MCP
Auth0-mcp-gateway Mcp
Man Pages
secret Man Pages
Man Pages
service Man Pages
TLDR
Wrangler - cloudflare workers control Tldr
MCP
Cloudflare-worker-mcp-bridge Mcp
MCP
Client Mcp
Accessible
Accessible PNG Icons
Installerpedia
fosrl/pangolin Installerpedia
MCP
Workers Mcp
← Back to Apis And Http Requests🙏  Credits & Acknowledgments
`