README
MCP Advanced Example
Advanced example demonstrating authentication, rate limiting, custom resources, and custom prompts.
Features
- 🔐 Token-based authentication
- ⏱️ Rate limiting (60 requests/minute)
- 📦 Custom resources with readers
- 💬 Custom prompts with generators
- 🎯 Pattern-based filtering (only /api/* routes)
Running
cd v2/examples/mcp-advanced
go run main.go
Authentication
All MCP endpoints require the X-API-Key header:
curl -H "X-API-Key: dev-secret-key-123" http://localhost:8080/_/mcp/tools
Valid keys:
- dev-secret-key-123 (development)
- prod-secret-key-456 (production)
Without auth:
curl http://localhost:8080/_/mcp/tools
# Returns: 401 Unauthorized
Rate Limiting
Limited to 60 requests per minute per client.
Test the limit:
# This will hit the rate limit
for i in {1..70}; do
curl -H "X-API-Key: dev-secret-key-123" http://localhost:8080/_/mcp/tools
done
After 60 requests, you'll get:
429 Too Many Requests
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 0
Retry-After: 60
Custom Resources
List resources
curl -H "X-API-Key: dev-secret-key-123" \
http://localhost:8080/_/mcp/resources | jq
Read a resource
curl -X POST http://localhost:8080/_/mcp/resources/read \
-H "X-API-Key: dev-secret-key-123" \
-H "Content-Type: application/json" \
-d '{
"uri": "config://app-settings"
}' | jq
This uses the custom resource reader to fetch application settings.
Custom Prompts
List prompts
curl -H "X-API-Key: dev-secret-key-123" \
http://localhost:8080/_/mcp/prompts | jq
Get a prompt
curl -X POST http://localhost:8080/_/mcp/prompts/api-documentation \
-H "X-API-Key: dev-secret-key-123" \
-H "Content-Type: application/json" \
-d '{
"name": "api-documentation",
"arguments": {
"format": "markdown"
}
}' | jq
This uses the custom prompt generator to create API documentation.
Available Tools
Since we use WithIncludePatterns([]string{"/api/*"}), only /api/* routes are exposed:
- api_get_api_status → GET /api/status
- api_get_api_metrics → GET /api/metrics
Call a tool
curl -X POST http://localhost:8080/_/mcp/tools/api_get_api_status \
-H "X-API-Key: dev-secret-key-123" \
-H "Content-Type: application/json" \
-d '{
"name": "api_get_api_status",
"arguments": {}
}' | jq
Server Info
Get MCP server capabilities:
curl -H "X-API-Key: dev-secret-key-123" \
http://localhost:8080/_/mcp/info | jq
Response shows enabled capabilities:
- Tools: ✓
- Resources: ✓ (custom reader registered)
- Prompts: ✓ (custom generator registered)
Key Concepts
Authentication Flow
- Client sends request with X-API-Key header
- AuthMiddleware validates token against config.AuthTokens
- If valid, request proceeds; if not, returns 401
Rate Limiting Flow
- RateLimiter tracks requests per client (by token or IP)
- Maintains a sliding window (1 minute)
- When limit exceeded, returns 429 with Retry-After header
- Response includes rate limit headers on all requests
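The rate limiting flow above, sketched as an added Go example (not the project's own code): a sliding-window limiter that emits the same X-RateLimit-* and Retry-After headers. The Limiter type and its methods are hypothetical stand-ins for the library's RateLimiter, and the X-API-Key value is assumed to have been validated by the auth middleware before it is used as the client key.

```go
package main

import (
	"fmt"
	"net/http"
	"strconv"
	"sync"
	"time"
)

// Limiter is a hypothetical sliding-window limiter, not the library's RateLimiter.
type Limiter struct {
	mu     sync.Mutex
	limit  int                    // requests allowed per window, must be >= 1
	window time.Duration          // length of the sliding window
	hits   map[string][]time.Time // per-client request times, oldest first
}

func (l *Limiter) Allow(key string, now time.Time) (ok bool, remaining int, wait time.Duration) {
	l.mu.Lock()
	defer l.mu.Unlock()
	h := l.hits[key]
	for len(h) > 0 && now.Sub(h[0]) >= l.window { // drop hits that left the window
		h = h[1:]
	}
	if l.hits[key] = h; len(h) >= l.limit {
		return false, 0, l.window - now.Sub(h[0]) // wait until the oldest hit expires
	}
	l.hits[key] = append(h, now) // denied requests are never recorded
	return true, l.limit - len(h) - 1, 0
}

// Middleware limits per X-API-Key. Assumption: auth ran first, so the key is a valid token.
func (l *Limiter) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ok, left, wait := l.Allow(r.Header.Get("X-API-Key"), time.Now())
		w.Header().Set("X-RateLimit-Limit", strconv.Itoa(l.limit))
		w.Header().Set("X-RateLimit-Remaining", strconv.Itoa(left))
		if !ok { // Retry-After is the wait rounded up to whole seconds
			w.Header().Set("Retry-After", strconv.Itoa(int((wait+time.Second-1)/time.Second)))
			http.Error(w, "Too Many Requests", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	l := &Limiter{limit: 60, window: time.Minute, hits: map[string][]time.Time{}}
	fmt.Println(l.Allow("constructed-demo-key", time.Now()))
}
```

Keying on a header value that has not been validated would give every new value a fresh budget, which is why this sketch assumes authentication runs before the limiter. Idle keys are never evicted from the map here; a long-running server would prune them.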
Custom Resources
- Register resource with URI, name, description
- Register custom reader function for that URI
- Reader is called when resource is read via MCP
- Returns content (text, JSON, etc.)
Custom Prompts
- Register prompt with name, description, arguments
- Register custom generator function for that prompt
- Generator is called with prompt arguments
- Returns messages (user/assistant role)
Production Considerations
- Secrets Management: Don't hardcode tokens; use environment variables
- Rate Limits: Adjust based on your API capacity
- Monitoring: Track mcp_tool_calls_total and mcp_rate_limit_exceeded_total metrics
- Logging: Monitor failed auth attempts
- HTTPS: Always use TLS in production
Code Structure
// Security features
mcp.WithAuth("X-API-Key", []string{"token1", "token2"}),
mcp.WithRateLimit(60),
// Feature flags
mcp.WithResources(true),
mcp.WithPrompts(true),
// Pattern matching
mcp.WithIncludePatterns([]string{"/api/*"}),
// Custom handlers
server.RegisterResourceReader("config://app-settings", readerFunc)
server.RegisterPromptGenerator("api-documentation", generatorFunc)