The MCP Guide
Build a server

Deploying a remote MCP server

Moving a server from local to remote turns it into a shared network service. The protocol work is small; the operational work is standard web-service hygiene.

Serve Streamable HTTP over TLS #

Expose the server on an HTTPS endpoint using the Streamable HTTP transport. The SDKs provide the transport; you provide the hosting, TLS, and a public URL that clients put in their config.

Authorize with OAuth 2.1 #

A remote server must authenticate callers. MCP's authorization builds on OAuth 2.1: the client completes an OAuth flow, receives a scoped access token, and sends it on each request; the server validates it. Scope tokens to the minimum and support revocation.

Operate it like a service #

  • Rate limit and time out downstream calls so one client cannot exhaust the server.
  • Log tool calls and outcomes for audit and debugging.
  • Version carefully; capability negotiation lets you add features without breaking older clients.

As a final step before you expose the server, run the agents that will call it end to end in staging against replicas of its downstream services, so integration failures show up there rather than in front of the first real user.

Resources & further reading

  • OAuth 2.1 oauth.netThe authorization framework remote MCP servers use to authenticate clients.
  • MCP specification MCPThe authoritative protocol spec: messages, capabilities, transports, and lifecycle.