This example demonstrates how to run the GitHub MCP Server in HTTP mode behind Pomerium, forwarding GitHub OAuth tokens to the server on each request.
- Start the server in HTTP mode:

  ```bash
  github-mcp-http http \
    --listen :8080 \
    --http-path /mcp \
    --health-path /health
  ```

- Configure Pomerium to authenticate users with GitHub and pass the resulting access token to the upstream via the `Authorization` header. A simplified route looks like:

  ```yaml
  routes:
    - from: https://mcp.example.com
      to: http://github-mcp-http:8080
      preserve_host_header: true
      enable_google_cloud_serverless_authentication: false
      pass_identity_headers: true
      # Forward OAuth tokens from GitHub to the MCP server
      set_request_headers:
        Authorization: "Bearer {{ .Pomerium.JWT.OAuth.AccessToken }}"
      upstream_oauth2:
        client_id: ${GITHUB_OAUTH_CLIENT_ID}
        client_secret: ${GITHUB_OAUTH_CLIENT_SECRET}
        scopes:
          - read:user
          - user:email
          - repo
          - read:org
        endpoint:
          auth_url: https://github.com/login/oauth/authorize
          token_url: https://github.com/login/oauth/access_token
  ```

- Point your MCP host at `https://mcp.example.com/mcp` and omit the static `GITHUB_PERSONAL_ACCESS_TOKEN`. Each request will be authenticated with the user’s GitHub OAuth token issued by Pomerium.
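The last step means the upstream takes its GitHub credential from each request's `Authorization` header instead of from a static token. The following Go middleware is an added example of that server-side check, not code from github-mcp-http or Pomerium. The names `bearerToken`, `tokenFrom` and `requireForwardedToken` are hypothetical, and leaving the health path unauthenticated is an assumption.

```go
package main

import (
	"context"
	"log"
	"net/http"
	"strings"
)

type tokenKey struct{} // unexported context key for the per-request token
// bearerToken parses an Authorization header value; the scheme is case-insensitive.
func bearerToken(header string) (string, bool) {
	scheme, token, found := strings.Cut(strings.TrimSpace(header), " ")
	token = strings.TrimSpace(token)
	if !found || !strings.EqualFold(scheme, "Bearer") || token == "" || strings.ContainsAny(token, " \t") {
		return "", false
	}
	return token, true
}

// tokenFrom returns the token requireForwardedToken stored for this request.
func tokenFrom(ctx context.Context) (string, bool) {
	token, ok := ctx.Value(tokenKey{}).(string)
	return token, ok
}

// requireForwardedToken rejects requests outside healthPath that carry no token.
func requireForwardedToken(healthPath string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != healthPath {
			token, ok := bearerToken(r.Header.Get("Authorization"))
			if !ok {
				w.Header().Set("WWW-Authenticate", "Bearer")
				http.Error(w, "missing or malformed bearer token", http.StatusUnauthorized)
				return
			}
			// Keep the token request-scoped: no process-wide cache, no logging.
			r = r.WithContext(context.WithValue(r.Context(), tokenKey{}, token))
		}
		next.ServeHTTP(w, r)
	})
}

func main() { // wiring for the flags shown above; the handler body is a placeholder
	mcp := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, _ = tokenFrom(r.Context()) // a real handler would call GitHub with this token
	})
	log.Fatal(http.ListenAndServe(":8080", requireForwardedToken("/health", mcp)))
}
```

A request that reaches `/mcp` without the header Pomerium sets gets a 401, so nothing falls back to a shared credential.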
Refer to Pomerium's MCP documentation for deployment details and advanced routing options.
```yaml
services:
  pomerium:
    image: pomerium/pomerium:main
    pull_policy: always
    ports:
      - "443:443"
    restart: always
    environment:
      POMERIUM_ZERO_TOKEN: ${POMERIUM_ZERO_TOKEN}
      XDG_CACHE_HOME: /var/cache
    volumes:
      - pomerium-cache:/var/cache
    networks:
      - main
    healthcheck:
      test: ["CMD-SHELL", "curl -kfsS https://127.0.0.1:443/ || exit 1"]
      interval: 15s
      timeout: 5s
      retries: 5
      start_period: 30s
  # No ports are published for this service: it is reachable only from
  # containers on the "main" network, i.e. through Pomerium.
  github-mcp:
    build:
      context: https://github.com/nickytonline/github-mcp-http.git
      dockerfile: Dockerfile
    pull_policy: always
    container_name: github-mcp
    restart: unless-stopped
    networks:
      - main
networks:
  main:
volumes:
  pomerium-cache:
```