Welcome!
", // Option 2: Path to an HTML file (relative to project root) // homePage: "src/home.html", }, }; ``` When `homePage` is not provided, xmcp serves a default landing page with your server name and description. # Telemetry (/docs/configuration/telemetry) ## What we collect (in brief) xmcp tracks anonymous build stats—command, versions, OS, adapter/transport picks, component counts, and coarse success/error signals. No code, prompts, logs, or secrets leave your machine, and every payload stays tied to a random anonymous ID rather than repository data. For the long-form policy, visit [/telemetry](/telemetry). ## Disable telemetry per run Use the environment flag in front of any command, including CI tasks: ```bash XMCP_TELEMETRY_DISABLED=true npx xmcp dev XMCP_TELEMETRY_DISABLED=true npx xmcp build ``` Only the literal string `true` (case-insensitive) disables telemetry, so values like `false` or `0` keep it enabled. ## Opt out globally * **Shell/CI env:** Export `XMCP_TELEMETRY_DISABLED=true` in your shell profile, `.env`, or CI secrets to stop telemetry everywhere. * **Config file:** Delete the generated `telemetry.json` (location printed in debug logs) after setting the env flag if you want to purge the existing anonymous ID. Removing the file while the env variable is set keeps telemetry off and regenerates a fresh opt-in prompt whenever you re-enable it. When disabled, xmcp skips generating anonymous IDs, avoids writing telemetry event files, and no build metadata leaves the machine. ## Inspecting payloads If you want to audit what would be sent without disabling telemetry, set `XMCP_DEBUG_TELEMETRY=true`. This mirrors each payload to `stderr` with the `[telemetry]` prefix while still sending events. # Transports (/docs/configuration/transports) ## HTTP transport The `http` configuration customizes the HTTP server. Set it to `true` to use defaults, or provide an object to override specific options: ```typescript title="xmcp.config.ts" const config: XmcpConfig = { http: { port: 3001, host: "127.0.0.1", endpoint: "/mcp", bodySizeLimit: 10485760, // 10MB debug: false, // adds extra logging to the console }, }; export default config; ``` These are the default values. Override only what you need to customize. ### CORS CORS (Cross-Origin Resource Sharing) middleware that can be configured to control cross-origin requests. ```typescript title="xmcp.config.ts" const config: XmcpConfig = { http: { cors: { origin: "*", methods: ["GET", "POST"], allowedHeaders: [ "Content-Type", "Authorization", "mcp-session-id", "mcp-protocol-version", "x-mcp-client-name", "x-mcp-client-version", "x-mcp-client-title", "x-mcp-client-website-url", "x-mcp-client-description", ], exposedHeaders: ["Content-Type", "Authorization", "mcp-session-id"], credentials: false, maxAge: 86400, }, }, }; export default config; ``` ## STDIO transport The `stdio` configuration customizes the STDIO transport. Set it to `true` to use defaults, or provide an object to override specific options: By default you enable STDIO transport by setting it to `true`. ```typescript title="xmcp.config.ts" const config: XmcpConfig = { stdio: true, }; ``` You can also customize the debug mode and this would enable it as well. ```typescript title="xmcp.config.ts" const config: XmcpConfig = { stdio: { debug: false, // adds extra logging to the console }, }; ``` ### Silent mode When using STDIO transport, any `console.log`, `console.debug`, `console.info`, `console.warn`, or `console.error` calls in your tool handlers will write to stdout, which interferes with the MCP protocol. Enable `silent` to automatically redirect all console output to stderr instead: ```typescript title="xmcp.config.ts" const config: XmcpConfig = { stdio: { silent: true, }, }; ``` This is useful when your tools or dependencies contain debug logs that would otherwise corrupt the MCP communication. The logs are not lost, they are still visible in stderr. ## Troubleshooting Keep in mind that clients like Claude Desktop are not compatible with STDIO logging and would cause a JSON parsing error. You can use the `silent` option to redirect console output to stderr and avoid this issue. # CSS (/docs/core-concepts/css) If you're using [MCP Apps](/docs/core-concepts/tools#mcp-apps-metadata), xmcp provides your application multiple ways to use CSS: * [Tailwind CSS](#tailwind-css) * [CSS](#css) * [CSS Modules](#css-modules)Hello, world!
Hello, world!
Hello, world!
Sales Data
Todo List
setInput(e.target.value)} placeholder="Add a todo..." />-
{todos.map((todo, idx) => (
- {todo} ))}
### Discovery
When an MCP client first connects to an authenticated server, it needs to discover where and how to authenticate. This happens through a two-step process: first finding the authorization server, then retrieving its configuration.
#### Resource Discovery
The client starts by fetching the Protected Resource Metadata from `/.well-known/oauth-protected-resource`. This document tells the client which authorization server handles authentication for this MCP server.
#### Authorization Server Discovery
Next, the client retrieves the authorization server's configuration. For a server at `https://auth.example.com/tenant1`, the client tries these endpoints in order:
1. `https://auth.example.com/.well-known/oauth-authorization-server/tenant1`
2. `https://auth.example.com/.well-known/openid-configuration/tenant1`
3. `https://auth.example.com/tenant1/.well-known/openid-configuration`
For servers without a path component (like `https://auth.example.com`), the client tries:
1. `https://auth.example.com/.well-known/oauth-authorization-server`
2. `https://auth.example.com/.well-known/openid-configuration`
The authorization server metadata includes the `authorization_endpoint` where users sign in and the `token_endpoint` where clients exchange authorization codes for access tokens.
### Client registration
Before a client can authenticate users, it needs to identify itself to the authorization server. MCP supports three approaches:
**Client ID Metadata Documents** are the recommended approach. Clients host a JSON document at an HTTPS URL that describes their identity, name, and allowed redirect URIs. The URL itself becomes the client ID, eliminating the need for pre-registration.
A Client ID Metadata Document looks like this:
```json
{
"client_id": "https://app.example.com/oauth/client-metadata.json",
"client_name": "My MCP Client",
"client_uri": "https://app.example.com",
"redirect_uris": [
"http://127.0.0.1:3000/callback",
"http://localhost:3000/callback"
],
"grant_types": ["authorization_code"],
"response_types": ["code"],
"token_endpoint_auth_method": "none"
}
```
The URL where this document is hosted becomes the client ID. Authorization servers that support this approach advertise `client_id_metadata_document_supported: true` in their metadata.
**Dynamic Client Registration** allows clients to register automatically by making a request to the authorization server. This creates a unique client ID for each installation.
### User authentication
Once the client knows where to authenticate, it redirects the user to the authorization server's login page. The user signs in with their credentials and grants the client permission to access the MCP server on their behalf.
PKCE protects this flow by generating a unique code verifier for each authentication attempt. The client sends a hashed version of this verifier with the authorization request and proves possession of the original when exchanging the authorization code for tokens. This ensures authorization codes remain secure even if intercepted.
### Token-based access
After successful authentication, the client receives an access token. This token is included in every request to the MCP server via the `Authorization: Bearer` header. The server validates the token and extracts user information to authorize the request.
Tokens are bound to the specific MCP server using the `resource` parameter during authentication. This ensures tokens issued for one server remain valid only for that server, protecting against token confusion attacks.
### Resource indicators
MCP clients must include the `resource` parameter [(RFC 8707)](https://datatracker.ietf.org/doc/html/rfc8707) in authorization and token requests. This parameter identifies the specific MCP server the token is intended for:
```
&resource=https%3A%2F%2Fmcp.example.com
```
The resource parameter provides critical security benefits:
* **Audience binding**: Tokens are bound to a specific MCP server and are valid only for the intended server
* **Token confusion prevention**: Ensures tokens issued for one server remain valid only for that server
* **Server validation**: MCP servers must validate that tokens were specifically issued for them
When making authorization requests, clients include the MCP server's canonical URI as the resource parameter. The authorization server embeds this in the token, and the MCP server validates it before processing requests.
### Scopes
Scopes define what an access token is allowed to do. They act as permissions that limit the capabilities of a token, even for an authenticated user.
When a client initiates authentication, it requests specific scopes like `read`, `write`, or `admin`. The authorization server includes the granted scopes in the access token. Your MCP server can then check these scopes before allowing certain operations.
Scopes are particularly useful when:
* Different clients need different permission levels
* You want to limit what third-party integrations can do
* Users should be able to grant partial access to their account
The MCP server advertises its supported scopes in the protected resource metadata, and clients can request specific scopes during the authorization flow.
For example, a token with only the `read` scope could access tools that fetch data but would require additional scopes to use tools that modify data. This provides fine-grained access control beyond simple authentication.
When initiating authentication, clients determine which scopes to request using this priority order:
1. Use the `scope` parameter from the `WWW-Authenticate` header if the server provided one
2. Request all scopes listed in `scopes_supported` from the Protected Resource Metadata
3. Omit the scope parameter entirely if `scopes_supported` is not defined
This strategy ensures clients request appropriate permissions based on what the server advertises.
## References
* [MCP Specification - Authorization](https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization)
* [OAuth 2.1](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-13)
* [RFC 8707 - Resource Indicators](https://datatracker.ietf.org/doc/html/rfc8707)
* [RFC 8414 - Authorization Server Metadata](https://datatracker.ietf.org/doc/html/rfc8414)
* [RFC 9728 - Protected Resource Metadata](https://datatracker.ietf.org/doc/html/rfc9728)
# Monetization (/docs/guides/monetization)
## Overview
MCP servers can monetize tools through payment verification. xmcp supports two approaches: license key validation where tools check credentials before returning results, and crypto payments where the transport layer blocks execution until payment is verified.
## Quickstart
xmcp provides monetization plugins that handle payment verification and access control for your tools.
- [Polar](/docs/integrations/polar) — License keys
- [x402](/docs/integrations/x402) — USDC on Base
## When do you need monetization?
Not every MCP server needs monetization. The decision depends on how your tools are deployed and what value they provide.
**Monetize your tools when** they provide significant value that justifies payment. This includes tools that access proprietary data, perform expensive computations, call paid external APIs, or provide unique capabilities users are willing to pay for.
**Monetization may not be necessary** for simple utilities, internal tools, or when your business model relies on other revenue streams like consulting or support contracts.
## Human vs agent monetization
The two monetization approaches serve fundamentally different use cases based on who initiates payment.
**Human-based monetization** with [Polar](/docs/integrations/polar) requires a person to purchase a license key and configure it in their MCP client. The human decides to pay upfront through a checkout flow, subscription, or credit purchase. The agent then uses that credential for subsequent requests. This model works well for SaaS-style billing where users manage their own subscriptions.
**Agent-based monetization** with [x402](/docs/integrations/x402) enables agents to pay autonomously. When an agent encounters a paid tool, it can sign a crypto payment from its wallet without human intervention. The agent receives payment requirements, authorizes the transaction, and continues. This enables true agent-to-agent commerce where AI agents can purchase services from other AI agents.
### License key validation
With Polar, the client includes a license key in the request headers. The server validates this key against Polar's API, checking that the license is active and within usage limits.
```typescript title="src/tools/premium-tool.ts"
import { PolarProvider } from "@xmcp-dev/polar";
import { headers } from "xmcp/headers";
const polar = PolarProvider.getInstance({
token: process.env.POLAR_TOKEN,
organizationId: process.env.POLAR_ORGANIZATION_ID,
productId: process.env.POLAR_PRODUCT_ID,
});
export default async function premiumTool({ data }) {
const licenseKey = headers()["license-key"];
const response = await polar.validateLicenseKey(licenseKey);
if (!response.valid) {
return response.message;
}
return `Result: ${data}`;
}
```
The validation checks multiple conditions: license status, usage limits, expiration dates, and meter credits. If validation fails, the response includes a checkout URL where users can purchase or renew their license.
#### Usage metering
Polar supports usage-based billing through meter credits. When you pass an event to `validateLicenseKey`, the plugin tracks consumption against the user's credit balance:
```typescript title="src/tools/metered-tool.ts"
const response = await polar.validateLicenseKey(licenseKey, {
name: "api_call",
metadata: { tool_name: "premium-tool", calls: 1 },
});
```
If the user has exhausted their meter credits, validation fails with a message and a checkout URL to purchase more. For more details, check the [Polar integration guide](/docs/integrations/polar).
### Crypto payment flow
With x402, the payment flow follows the [HTTP 402 Payment Required standard](https://www.x402.org/):
1. Client calls a paid tool without payment
2. Server responds with payment requirements (price, wallet, network)
3. Client signs a payment authorization from their wallet
4. Client retries the request with the signed payment in headers
5. Server verifies the payment signature with a facilitator
6. Tool executes and client receives the response
7. Payment settles on-chain
```typescript title="src/middleware.ts"
import { x402Provider } from "@xmcp-dev/x402";
export default x402Provider({
wallet: process.env.X402_WALLET,
defaults: {
price: 0.01,
currency: "USDC",
network: "base",
},
});
```
```typescript title="src/tools/paid-tool.ts"
import { paid } from "@xmcp-dev/x402";
export default paid(
{ price: 0.05 },
async function paidTool({ input }) {
return `Processed: ${input}`;
}
);
```
The `paid()` wrapper marks a tool as requiring payment. Tools without this wrapper remain free. You can set prices per-tool or use the middleware defaults.
#### Payment requirements
When a client calls a paid tool without valid payment, the server returns the payment requirements:
```json
{
"error": "Payment required",
"accepts": [{
"scheme": "exact",
"network": "eip155:8453",
"amount": "50000",
"asset": "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913",
"payTo": "0x..."
}]
}
```
The client uses this information to construct a signed payment authorization. The `amount` is in atomic units (6 decimals for USDC), so `50000` equals $0.05.
#### Payment context
Inside a paid tool, you can access payment information:
```typescript title="src/tools/paid-tool.ts"
import { paid, payment } from "@xmcp-dev/x402";
export default paid(async function paidTool({ input }) {
const { payer, transactionHash } = payment();
return `Processed for ${payer}`;
});
```
## Pricing considerations
**For subscriptions**, consider what comparable services charge and what value users derive over a billing period. Polar supports multiple tiers, usage limits, and meter-based consumption tracking.
**For pay-per-use**, consider the cost of executing the tool (API calls, compute, etc.) and add a margin. Prices between $0.001 and $0.10 per call are common for micropayments, depending on the tool's complexity and value.
## References
* [Polar Integration](/docs/integrations/polar) - Full setup guide for license keys
* [x402 Integration](/docs/integrations/x402) - Full setup guide for crypto payments
* [x402 Protocol](https://www.x402.org/) - HTTP 402 payment standard
* [Polar Documentation](https://docs.polar.sh/) - License key management
# xmcp MCP server (/docs/guides/xmcp-mcp-server)
## Getting started
### Connect to a client