# turbomcp-proxy
> **Universal MCP Adapter/Generator** - Introspection, proxying, and code generation for any MCP server
[](../../PROXY_PROGRESS.md)
[](https://modelcontextprotocol.io)
[](https://www.rust-lang.org)
**turbomcp-proxy** is a universal tool that works with **ANY** MCP server implementation (TurboMCP, Python SDK, TypeScript SDK, custom implementations). It discovers server capabilities via the MCP protocol and dynamically generates adapters for different transports and protocols.
---
## Quick Start
```bash
# Inspect any MCP server
turbomcp-proxy inspect stdio --cmd "python my-server.py"
# Expose STDIO server over HTTP/SSE (development)
turbomcp-proxy serve \
--backend stdio --cmd "python my-server.py" \
--frontend http --bind 127.0.0.1:3000
# Connect to TCP server and expose over HTTP
turbomcp-proxy serve \
--backend tcp --tcp localhost:5000 \
--frontend http --bind 127.0.0.1:3001
# Connect to Unix socket and expose over HTTP
turbomcp-proxy serve \
--backend unix --unix /tmp/mcp.sock \
--frontend http --bind 127.0.0.1:3002
# Expose with JWT authentication (production - symmetric)
turbomcp-proxy serve \
--backend stdio --cmd "python my-server.py" \
--frontend http --bind 0.0.0.0:3000 \
--jwt-secret "your-secret-key" \
--jwt-algorithm HS256
# Expose with JWKS (production - asymmetric, OAuth providers)
turbomcp-proxy serve \
--backend stdio --cmd "python my-server.py" \
--frontend http --bind 0.0.0.0:3000 \
--jwt-jwks-uri "https://accounts.google.com/.well-known/jwks.json" \
--jwt-algorithm RS256 \
--jwt-audience "https://api.example.com" \
--jwt-issuer "https://accounts.google.com"
# Generate optimized Rust proxy
turbomcp-proxy generate \
--backend stdio --cmd "python my-server.py" \
--frontend http \
--output ./my-proxy \
--build --release
# Export OpenAPI 3.1 schema
turbomcp-proxy schema openapi \
--backend stdio --cmd "python my-server.py" \
--output api-spec.json
# Export GraphQL schema
turbomcp-proxy schema graphql \
--backend tcp --tcp localhost:5000 \
--output schema.graphql
# Export Protobuf definition
turbomcp-proxy schema protobuf \
--backend unix --unix /tmp/mcp.sock \
--output server.proto
```
---
## Features
### Universal Compatibility
Works with **any MCP implementation**:
- [x] TurboMCP (Rust)
- [x] Python SDK
- [x] TypeScript SDK
- [x] Custom implementations
### Introspection-Based
- **Zero configuration** - discovers capabilities automatically
- Extracts tools, resources, prompts with JSON schemas
- Caches results for fast repeated use
### Multiple Modes
- **Runtime Mode**: Fast prototyping, no compilation needed
- **Codegen Mode**: Production binaries with 0ms overhead
- **Schema Mode**: Export OpenAPI, GraphQL, Protobuf
### Universal Transport Support
- **STDIO ↔ HTTP/SSE** (bidirectional)
- **HTTP ↔ STDIO** (bidirectional)
- **TCP** (high-performance network)
- **Unix Domain Sockets** (IPC, high-security)
- **WebSocket** (browser-friendly, real-time)
- **25+ Transport Combinations** (5 backends × 5 frontends)
### Authentication & Security
- **JWT Authentication** (RFC 7519 validation)
- Symmetric algorithms: HS256, HS384, HS512
- Asymmetric algorithms: RS256, RS384, RS512, ES256, ES384
- JWKS support for OAuth providers (Google, GitHub, Auth0, etc.)
- Automatic key caching with TTL
- Claims validation (exp, nbf, iat, iss, aud)
- Clock skew tolerance (60s default)
- **API Key Authentication** (configurable header)
- **OAuth 2.1 Support** (via turbomcp-auth integration)
- **DPoP Token Binding** (RFC 9449, optional)
- **Command allowlist** (prevents shell injection)
- **SSRF protection** (blocks private IPs, metadata endpoints)
- **Path traversal protection** (canonical path resolution)
- **Auth token security** (automatic secret zeroization)
- **Request limiting** (DoS protection, 10 MB default)
- **Timeout enforcement** (prevents hanging requests)
---
## Use Cases
### 1. Expose STDIO Server Over HTTP (Most Common Use Case)
**Problem:** You have a CLI MCP server, but need HTTP clients to access it
```bash
# Your CLI server
./my-mcp-server
# Expose it over HTTP (development)
turbomcp-proxy serve \
--backend stdio --cmd "./my-mcp-server" \
--frontend http --bind 127.0.0.1:3000
# Expose with JWT authentication (production)
turbomcp-proxy serve \
--backend stdio --cmd "./my-mcp-server" \
--frontend http --bind 0.0.0.0:3000 \
--jwt-secret "your-secret-key"
# Expose with API key authentication (production)
turbomcp-proxy serve \
--backend stdio --cmd "./my-mcp-server" \
--frontend http --bind 0.0.0.0:3000 \
--require-auth \
--api-key-header x-api-key
# Now accessible via HTTP
curl -X POST http://localhost:3000/mcp \
-H "Content-Type: application/json" \
-H "Authorization: Bearer <jwt-token>" \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}'
```
### 2. Connect to HTTP Server from STDIO Client
**Problem:** Your tool expects STDIO, but server is HTTP
```bash
# Connect to HTTP server, expose as STDIO
turbomcp-proxy serve \
--backend http --http https://api.example.com/mcp \
--frontend stdio \
| my-cli-tool
# With backend authentication
turbomcp-proxy serve \
--backend http --http https://api.example.com/mcp \
--auth-token "your-secret-token" \
--frontend stdio
```
### 3. Generate REST API from MCP Server
**Problem:** Want REST API with Swagger docs
```bash
# Generate and serve REST API
turbomcp-proxy adapter rest \
--backend stdio --cmd "python my-server.py" \
--bind 0.0.0.0:3000 \
--openapi-ui
# Endpoints automatically created:
# POST /tools/{tool_name} → tools/call
# GET /resources/{uri} → resources/read
# GET /openapi.json → Auto-generated spec
# GET /docs → Swagger UI
```
### 4. Code Generation for Production
**Problem:** Need optimized binary for production deployment
```bash
# Generate standalone Rust project
turbomcp-proxy generate \
--backend stdio --cmd "python my-server.py" \
--frontend http \
--output ./production-proxy \
--build --release
# Deploy optimized binary (0ms overhead)
./production-proxy/target/release/proxy
```
---
## Architecture
```
┌─────────────────────────────────────────────────────────┐
│ Introspection Layer │
│ • McpIntrospector: Discovers server capabilities │
│ • ServerSpec: Complete server description │
│ • Backends: STDIO, HTTP, WebSocket │
└─────────────────────────────────────────────────────────┘
↓
┌─────────────────────────────────────────────────────────┐
│ Generation Layer │
│ • RuntimeProxyBuilder: Dynamic, no codegen │
│ • RustCodeGenerator: Optimized Rust source │
│ • Schema Generators: OpenAPI, GraphQL, Protobuf │
└─────────────────────────────────────────────────────────┘
↓
┌─────────────────────────────────────────────────────────┐
│ Adapter Layer │
│ • Transport Adapters: STDIO ↔ HTTP/SSE ↔ WebSocket │
│ • Protocol Adapters: MCP → REST API / GraphQL │
└─────────────────────────────────────────────────────────┘
```
See **[Design Document](../../PROXY_DESIGN.md)** for complete architecture details.
---
## Installation
**From source:**
```bash
cd crates/turbomcp-proxy
cargo install --path .
```
**From crates.io:** _(coming soon)_
```bash
cargo install turbomcp-proxy
```
---
## Documentation
- **[Design Document](../../PROXY_DESIGN.md)** - Complete technical design
- **[Progress Tracker](../../PROXY_PROGRESS.md)** - Implementation progress
- **[Security Review](./SECURITY_REVIEW.md)** - World-class security assessment
- **[Examples](./examples/)** - Usage examples
- **[API Docs](https://docs.rs/turbomcp-proxy)** - Rust API documentation
- **[Test Suite](./tests/)** - Comprehensive integration tests (40+ cases)
---
## CLI Reference
### Commands
```
turbomcp-proxy <COMMAND> [OPTIONS]
Commands:
inspect Discover MCP server capabilities
serve Run runtime proxy (no codegen)
generate Generate optimized proxy source code
schema Export schemas (OpenAPI, GraphQL, Protobuf)
adapter Run protocol adapter (MCP → REST/GraphQL)
help Print help
```
### `inspect` - Discover Capabilities
```bash
turbomcp-proxy inspect [OPTIONS]
Backend Options:
--backend <TYPE> Backend type (stdio, http, tcp, unix, websocket)
--cmd <CMD> Command to run (for stdio backend)
--http <URL> HTTP/SSE server URL
--tcp <ADDR> TCP endpoint (host:port)
--unix <PATH> Unix socket path
--websocket <URL> WebSocket server URL
Output Options:
--output <FILE> Save to file
--format <FORMAT> Output format (human, json, yaml)
Examples:
turbomcp-proxy inspect --backend stdio --cmd "python server.py"
turbomcp-proxy inspect --backend http --http https://api.example.com/mcp
turbomcp-proxy inspect --backend tcp --tcp localhost:5000 --format json
turbomcp-proxy inspect --backend unix --unix /tmp/mcp.sock --output capabilities.json
Note: Inspect currently supports stdio backend. TCP, Unix, HTTP, and WebSocket backends are supported in the backend connector but not yet in the inspect introspection layer.
```
### `serve` - Runtime Proxy
```bash
turbomcp-proxy serve [OPTIONS]
Backend Options:
--backend <TYPE> Backend type (stdio, http, tcp, unix, websocket)
--cmd <CMD> Command to run (for stdio backend)
--server <URL> Server URL (for http/websocket backend)
--tcp <HOST:PORT> TCP endpoint (for tcp backend)
--unix <PATH> Unix socket path (for unix backend)
--auth-token <TOK> Authentication token for HTTP backend
Frontend Options:
--frontend <TYPE> Frontend type (stdio, http, tcp, unix, websocket)
--bind <ADDR> Bind address (for http/tcp/websocket frontend)
--endpoint <PATH> HTTP endpoint path (default: /mcp)
Authentication Options (Frontend HTTP Server):
--jwt-secret <SECRET> JWT secret for token validation
--api-key-header <HEADER> API key header name (default: x-api-key)
--require-auth Require authentication for all requests
Environment Variables:
TURBOMCP_JWT_SECRET JWT secret (alternative to --jwt-secret)
Examples:
# STDIO → HTTP (development, localhost only)
turbomcp-proxy serve \
--backend stdio --cmd "python server.py" \
--frontend http --bind 127.0.0.1:3000
# STDIO → HTTP with JWT authentication (production)
turbomcp-proxy serve \
--backend stdio --cmd "python server.py" \
--frontend http --bind 0.0.0.0:3000 \
--jwt-secret "your-secret-key"
# STDIO → HTTP with API key authentication (production)
turbomcp-proxy serve \
--backend stdio --cmd "python server.py" \
--frontend http --bind 0.0.0.0:3000 \
--require-auth
# HTTP → STDIO with backend authentication
turbomcp-proxy serve \
--backend http --server https://api.example.com/mcp \
--auth-token "backend-token" \
--frontend stdio
# TCP → HTTP (high-performance network)
turbomcp-proxy serve \
--backend tcp --tcp localhost:5000 \
--frontend http --bind 0.0.0.0:3000
# Unix socket → HTTP (IPC security)
turbomcp-proxy serve \
--backend unix --unix /tmp/mcp.sock \
--frontend http --bind 0.0.0.0:3000
```
### `generate` - Code Generation
```bash
turbomcp-proxy generate [OPTIONS]
Options:
--backend <TYPE> Backend type
--cmd <CMD> Command to run (for stdio)
--server <URL> Server URL (for http/websocket)
--frontend <TYPE> Frontend type
--output <DIR> Output directory
--build Build after generation
--release Build in release mode
--run Run after building
Examples:
# Generate and build
turbomcp-proxy generate \
--backend stdio --cmd "python server.py" \
--frontend http \
--output ./my-proxy \
--build --release
```
### `schema` - Schema Export
Export MCP server capabilities as standard schema formats.
```bash
turbomcp-proxy schema <FORMAT> [OPTIONS]
Formats:
openapi OpenAPI 3.1 specification (REST API schema)
graphql GraphQL Schema Definition Language
protobuf Protocol Buffers 3 definition
Backend Options:
--backend <TYPE> Backend type (stdio, http, tcp, unix, websocket)
--cmd <CMD> Command to run (for stdio backend)
--http <URL> HTTP/SSE server URL
--tcp <ADDR> TCP endpoint (host:port)
--unix <PATH> Unix socket path
Output Options:
--output <FILE> Output file (default: stdout)
--with-examples Include example requests/responses (OpenAPI only)
Examples:
# Export OpenAPI from STDIO server
turbomcp-proxy schema openapi \
--backend stdio --cmd "python server.py" \
--output api-spec.json
# Export GraphQL from TCP server
turbomcp-proxy schema graphql \
--backend tcp --tcp localhost:5000 \
--output schema.graphql
# Export Protobuf from Unix socket
turbomcp-proxy schema protobuf \
--backend unix --unix /tmp/mcp.sock \
--output server.proto
# Export to stdout
turbomcp-proxy schema openapi \
--backend stdio --cmd "npx @mcp/server-fs /tmp"
```
### `adapter` - Protocol Adapters (Phase 6 - Scaffolded)
Expose MCP servers through standard web protocols. Adapter framework is ready for full implementation.
```bash
turbomcp-proxy adapter <PROTOCOL> [OPTIONS]
Protocols:
rest REST API with OpenAPI documentation
graphql GraphQL API with schema explorer
Backend Options:
--backend <TYPE> Backend type (stdio, http, tcp, unix, websocket)
--cmd <CMD> Command to run (for stdio backend)
--http <URL> HTTP/SSE server URL
--tcp <ADDR> TCP endpoint (host:port)
--unix <PATH> Unix socket path
Server Options:
--bind <ADDR> Bind address (default: 127.0.0.1:3001)
REST-Specific:
--openapi-ui Serve Swagger UI at /docs (future)
GraphQL-Specific:
--playground Serve GraphQL Playground at /playground (future)
Examples:
# REST API (framework ready)
turbomcp-proxy adapter rest \
--backend stdio --cmd "python server.py" \
--bind 127.0.0.1:3000
# GraphQL API (framework ready)
turbomcp-proxy adapter graphql \
--backend tcp --tcp localhost:5000 \
--bind 127.0.0.1:4000
Status: Command structure complete. Full implementation of REST and GraphQL adapters coming in next release.
```
---
## Development Status
**Current Version:** 2.2.0
**MVP Status:** Complete - Production Ready (Phases 1-4)
**Latest Release:** 2.2.0 - Security Hardening & HTTP Header Propagation
See **[Progress Tracker](../../PROXY_PROGRESS.md)** for detailed progress.
### Version 2.2.0 - Security Hardening & HTTP Header Propagation
**Transport Coverage:**
- [x] **STDIO** (subprocess, CLI tools)
- [x] **HTTP/SSE** (web services, APIs)
- [x] **TCP** (high-performance network)
- [x] **Unix Domain Sockets** (IPC, same-host)
- [x] **WebSocket** (real-time, browser-friendly)
- [x] **25 Transport Combinations** (5 backends × 5 frontends)
**Authentication & Security:**
- [x] **JWT Authentication** (RFC 7519, HS256 validation)
- [x] **API Key Authentication** (configurable header)
- [x] **Environment Variable Support** (TURBOMCP_JWT_SECRET)
- [x] **Security Warnings** (alerts when binding publicly without auth)
- [x] **Command Allowlist** (prevents shell injection)
- [x] **SSRF Protection** (blocks private IPs, metadata endpoints)
- [x] **Path Traversal Protection** (canonical path resolution)
- [x] **Auth Token Security** (automatic secret zeroization)
**Quality Assurance:**
- [x] **40+ Comprehensive Tests** (transport combinations, security validations)
- [x] **World-Class Security Review** (SECURITY_REVIEW.md)
- [x] **Zero TODO Markers** (production-ready)
- [x] **100% Safe Rust** (no unsafe code)
**Core Components:**
- [x] **BackendConnector**: Supports 5 transport types with type-erased enum dispatch
- [x] **ProxyService**: McpService trait implementation for Axum integration
- [x] **IdTranslator**: Bidirectional message ID mapping for session correlation
- [x] **Introspection**: Complete server capability discovery (tools, resources, prompts)
- [x] **RuntimeProxyBuilder**: Security-first builder with comprehensive validation
- [x] **Authentication**: JWT and API key support via turbomcp-transport integration
### Roadmap
- [x] **Phase 0:** Design & Planning (Complete)
- [x] **Phase 1:** Introspection Engine (Complete - October 2025)
- [x] **Phase 2:** Runtime Proxy - STDIO → HTTP (Complete - October 2025)
- [x] **Phase 3:** Runtime Proxy - HTTP → STDIO (Complete - October 2025)
- [x] **Phase 4:** Code Generation (Complete - October 2025)
- 777 lines of production templates
- 51/51 tests passing
- Zero TODO markers
- Type-safe Rust generation from JSON Schema
- Dual frontend support (HTTP + STDIO)
- [x] **Phase 4.5:** Authentication Integration (Complete - October 2025)
- JWT authentication (RFC 7519)
- API key authentication
- Environment variable support
- Security warnings for public bindings
- [x] **Phase 5:** Schema Export (Complete - November 2025)
- OpenAPI 3.1 schema generation
- GraphQL schema definition generation
- Protobuf 3 schema generation
- File output support
- [x] **Phase 5.5:** Transport & Backend Extension (Complete - November 2025)
- TCP backend support
- Unix domain socket backend support
- CLI argument validation and parsing
- Full transport integration
- [x] **Phase 6:** Protocol Adapters (Scaffolding - November 2025)
- REST API adapter framework
- GraphQL adapter framework
- Ready for full implementation
- [ ] **Phase 7:** Production Features (Planning)
**MVP Target:** Phases 1-3 (Complete - October 2025)
**Code Generation:** Phase 4 (Complete - October 2025)
**Authentication:** Phase 4.5 (Complete - October 2025)
**Schema Export & Transports:** Phase 5-5.5 (Complete - November 2025)
**Full Release:** 6/7 phases complete - 86%
---
## Contributing
We welcome contributions! Please see:
- **[CONTRIBUTING.md](./CONTRIBUTING.md)** - Contribution guidelines (coming soon)
- **[Design Document](../../PROXY_DESIGN.md)** - Technical architecture
- **[Progress Tracker](../../PROXY_PROGRESS.md)** - Current status
---
## License
Licensed under either of:
- Apache License, Version 2.0 ([LICENSE-APACHE](../../LICENSE-APACHE))
- MIT license ([LICENSE-MIT](../../LICENSE-MIT))
at your option.
---
## Why turbomcp-proxy?
### Problem
MCP servers are often CLI tools (STDIO), but clients need network access (HTTP). Manually bridging this gap requires:
- Writing transport code
- Handling sessions
- Mapping message IDs
- Writing schemas/docs
### Solution
**turbomcp-proxy** does this automatically via introspection:
1. **Connect** to any MCP server
2. **Discover** capabilities via protocol
3. **Generate** adapters dynamically or statically
4. **Expose** over any transport/protocol
**Result:** Zero-configuration, universal MCP adapter that works with any implementation.
---
**Built by the TurboMCP team**