Add jurisdiction support to MCP agent and handlers (#607)

* Add jurisdiction support to MCP agent and handlers

Introduces a `jurisdiction` option to MCP agent server and streaming/SSE handlers, allowing Durable Object instances to be created in specific geographic regions for compliance (e.g., GDPR). Documentation updated to explain usage and available jurisdictions.

* Add jurisdiction tests for McpAgent

Introduces tests to verify the jurisdiction option in McpAgent.serve(), ensuring the parameter is correctly passed to Durable Object creation. Adds TestMcpJurisdiction agent and updates wrangler config to register the new Durable Object for testing.

* Create pretty-swans-smash.md

* fix types

* removed some warnings

Author: threepointone

.changeset/pretty-swans-smash.md

@@ -0,0 +1,7 @@
+---
+"agents": patch
+---
+
+Add jurisdiction support to MCP agent and handlers
+
+Introduces a `jurisdiction` option to MCP agent server and streaming/SSE handlers, allowing Durable Object instances to be created in specific geographic regions for compliance (e.g., GDPR). Documentation updated to explain usage and available jurisdictions.

docs/mcp-servers.md

@@ -269,6 +269,49 @@ The auth flow prompts us for the password.
 ![model calls all 3 tools after authorization](https://github.com/user-attachments/assets/07e22fef-93de-47c2-af7e-9c361e460186)
 Once we've authenticated ourselves we can use all the tools!
 
+## Data Jurisdiction for Compliance
+
+`McpAgent` supports specifying a data jurisdiction for your MCP server, which is particularly useful for satisfying GDPR and other data residency regulations. By setting the `jurisdiction` option, you can ensure that your Durable Object instances (and their data) are created in a specific geographic region.
+
+### Using the EU Jurisdiction for GDPR
+
+To comply with GDPR requirements, you can specify the `"eu"` jurisdiction to ensure that all data processed by your MCP server remains within the European Union:
+
+```typescript
+export default TinyMcp.serve("/", {
+  jurisdiction: "eu"
+});
+```
+
+Or with the OAuth-protected example:
+
+```typescript
+export default new OAuthProvider({
+  authorizeEndpoint: "/authorize",
+  tokenEndpoint: "/token",
+  clientRegistrationEndpoint: "/register",
+  apiHandlers: {
+    "/mcp": StorageMcp.serve("/mcp", { jurisdiction: "eu" })
+  },
+  defaultHandler
+});
+```
+
+When you specify `jurisdiction: "eu"`, Cloudflare will create the Durable Object instances in EU data centers, ensuring that:
+
+- All MCP session data stays within the EU
+- User data processed by your tools remains in the EU
+- State stored in the Durable Object's storage API stays in the EU
+
+This helps you comply with GDPR's data localization requirements without any additional configuration.
+
+### Available Jurisdictions
+
+The `jurisdiction` option accepts any value supported by [Cloudflare's Durable Objects jurisdiction API](https://developers.cloudflare.com/durable-objects/reference/data-location/), including:
+
+- `"eu"` - European Union
+- `"fedramp"` - FedRAMP compliant locations
+
 ### Read more
 
 To find out how to use your favorite providers for your authorization flow and more complex examples, have a look at the demos [here](https://github.com/cloudflare/ai/tree/main/demos).

packages/agents/src/mcp/index.ts

@@ -358,7 +358,8 @@ export abstract class McpAgent<
     {
       binding = "MCP_OBJECT",
       corsOptions,
-      transport = "streamable-http"
+      transport = "streamable-http",
+      jurisdiction
     }: ServeOptions = {}
   ) {
     return {
@@ -399,17 +400,16 @@ export abstract class McpAgent<
             const handleStreamableHttp = createStreamingHttpHandler(
               path,
               namespace,
-              corsOptions
+              { corsOptions, jurisdiction }
             );
             return handleStreamableHttp(request, ctx);
           }
           case "sse": {
             // Legacy SSE transport handling
-            const handleLegacySse = createLegacySseHandler(
-              path,
-              namespace,
-              corsOptions
-            );
+            const handleLegacySse = createLegacySseHandler(path, namespace, {
+              corsOptions,
+              jurisdiction
+            });
             return handleLegacySse(request, ctx);
           }
           default:

packages/agents/src/mcp/types.ts

@@ -16,4 +16,5 @@ export interface ServeOptions {
   binding?: string;
   corsOptions?: CORSOptions;
   transport?: BaseTransportType;
+  jurisdiction?: DurableObjectJurisdiction;
 }

packages/agents/src/mcp/utils.ts

@@ -30,7 +30,10 @@ const MAXIMUM_MESSAGE_SIZE_BYTES = 4 * 1024 * 1024; // 4MB
 export const createStreamingHttpHandler = (
   basePath: string,
   namespace: DurableObjectNamespace<McpAgent>,
-  corsOptions?: CORSOptions
+  options: {
+    corsOptions?: CORSOptions;
+    jurisdiction?: DurableObjectJurisdiction;
+  } = {}
 ) => {
   let pathname = basePath;
   if (basePath === "/") pathname = "/*";
@@ -191,7 +194,10 @@ export const createStreamingHttpHandler = (
         const agent = await getAgentByName(
           namespace,
           `streamable-http:${sessionId}`,
-          { props: ctx.props as Record<string, unknown> | undefined }
+          {
+            props: ctx.props as Record<string, unknown> | undefined,
+            jurisdiction: options.jurisdiction
+          }
         );
         const isInitialized = await agent.getInitializeRequest();
 
@@ -314,7 +320,7 @@ export const createStreamingHttpHandler = (
           ws.close();
 
           return new Response(null, {
-            headers: corsHeaders(request, corsOptions),
+            headers: corsHeaders(request, options.corsOptions),
             status: 202
           });
         }
@@ -327,7 +333,7 @@ export const createStreamingHttpHandler = (
             Connection: "keep-alive",
             "Content-Type": "text/event-stream",
             "mcp-session-id": sessionId,
-            ...corsHeaders(request, corsOptions)
+            ...corsHeaders(request, options.corsOptions)
           },
           status: 200
         });
@@ -370,7 +376,10 @@ export const createStreamingHttpHandler = (
         const agent = await getAgentByName(
           namespace,
           `streamable-http:${sessionId}`,
-          { props: ctx.props as Record<string, unknown> | undefined }
+          {
+            props: ctx.props as Record<string, unknown> | undefined,
+            jurisdiction: options.jurisdiction
+          }
         );
         const isInitialized = await agent.getInitializeRequest();
         if (!isInitialized) {
@@ -444,7 +453,7 @@ export const createStreamingHttpHandler = (
             Connection: "keep-alive",
             "Content-Type": "text/event-stream",
             "mcp-session-id": sessionId,
-            ...corsHeaders(request, corsOptions)
+            ...corsHeaders(request, options.corsOptions)
           },
           status: 200
         });
@@ -460,12 +469,13 @@ export const createStreamingHttpHandler = (
               },
               id: null
             }),
-            { status: 400, headers: corsHeaders(request, corsOptions) }
+            { status: 400, headers: corsHeaders(request, options.corsOptions) }
           );
         }
         const agent = await getAgentByName(
           namespace,
-          `streamable-http:${sessionId}`
+          `streamable-http:${sessionId}`,
+          { jurisdiction: options.jurisdiction }
         );
         const isInitialized = await agent.getInitializeRequest();
         if (!isInitialized) {
@@ -475,7 +485,7 @@ export const createStreamingHttpHandler = (
               error: { code: -32001, message: "Session not found" },
               id: null
             }),
-            { status: 404, headers: corsHeaders(request, corsOptions) }
+            { status: 404, headers: corsHeaders(request, options.corsOptions) }
           );
         }
         // .destroy() passes an uncatchable Error, so we make sure we first return
@@ -487,7 +497,7 @@ export const createStreamingHttpHandler = (
         );
         return new Response(null, {
           status: 204,
-          headers: corsHeaders(request, corsOptions)
+          headers: corsHeaders(request, options.corsOptions)
         });
       }
     }
@@ -508,7 +518,10 @@ export const createStreamingHttpHandler = (
 export const createLegacySseHandler = (
   basePath: string,
   namespace: DurableObjectNamespace<McpAgent>,
-  corsOptions?: CORSOptions
+  options: {
+    corsOptions?: CORSOptions;
+    jurisdiction?: DurableObjectJurisdiction;
+  } = {}
 ) => {
   let pathname = basePath;
   if (basePath === "/") pathname = "/*";
@@ -540,7 +553,8 @@ export const createLegacySseHandler = (
 
       // Get the Durable Object
       const agent = await getAgentByName(namespace, `sse:${sessionId}`, {
-        props: ctx.props as Record<string, unknown> | undefined
+        props: ctx.props as Record<string, unknown> | undefined,
+        jurisdiction: options.jurisdiction
       });
 
       // Connect to the Durable Object via WebSocket
@@ -626,7 +640,7 @@ export const createLegacySseHandler = (
           "Cache-Control": "no-cache",
           Connection: "keep-alive",
           "Content-Type": "text/event-stream",
-          ...corsHeaders(request, corsOptions)
+          ...corsHeaders(request, options.corsOptions)
         }
       });
     }
@@ -663,7 +677,8 @@ export const createLegacySseHandler = (
 
       // Get the Durable Object
       const agent = await getAgentByName(namespace, `sse:${sessionId}`, {
-        props: ctx.props as Record<string, unknown> | undefined
+        props: ctx.props as Record<string, unknown> | undefined,
+        jurisdiction: options.jurisdiction
       });
 
       const messageBody = await request.json();
@@ -675,7 +690,7 @@ export const createLegacySseHandler = (
             "Cache-Control": "no-cache",
             Connection: "keep-alive",
             "Content-Type": "text/event-stream",
-            ...corsHeaders(request, corsOptions)
+            ...corsHeaders(request, options.corsOptions)
           },
           status: 400
         });
@@ -686,7 +701,7 @@ export const createLegacySseHandler = (
           "Cache-Control": "no-cache",
           Connection: "keep-alive",
           "Content-Type": "text/event-stream",
-          ...corsHeaders(request, corsOptions)
+          ...corsHeaders(request, options.corsOptions)
         },
         status: 202
       });

packages/agents/src/tests/mcp/handler.test.ts

@@ -2,19 +2,19 @@ import { createExecutionContext, env } from "cloudflare:test";
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import type { CallToolResult } from "@modelcontextprotocol/sdk/types.js";
 import { describe, expect, it } from "vitest";
-import { experimental_createMcpHandler } from "../../mcp/handler";
+import { createMcpHandler } from "../../mcp/handler";
 import { z } from "zod";
 
 declare module "cloudflare:test" {
   interface ProvidedEnv {}
 }
 
 /**
- * Tests for experimental_createMcpHandler
+ * Tests for createMcpHandler
  * The handler primarily passes options to WorkerTransport and handles routing
  * Detailed CORS and protocol version behavior is tested in worker-transport.test.ts
  */
-describe("experimental_createMcpHandler", () => {
+describe("createMcpHandler", () => {
   const createTestServer = () => {
     const server = new McpServer(
       { name: "test-server", version: "1.0.0" },
@@ -36,7 +36,7 @@ describe("experimental_createMcpHandler", () => {
   describe("Route matching", () => {
     it("should only handle requests matching the configured route", async () => {
       const server = createTestServer();
-      const handler = experimental_createMcpHandler(server, {
+      const handler = createMcpHandler(server, {
         route: "/custom-mcp"
       });
 
@@ -59,7 +59,7 @@ describe("experimental_createMcpHandler", () => {
 
     it("should use default route /mcp when not specified", async () => {
       const server = createTestServer();
-      const handler = experimental_createMcpHandler(server);
+      const handler = createMcpHandler(server);
 
       const ctx = createExecutionContext();
       const request = new Request("http://example.com/mcp", {
@@ -75,7 +75,7 @@ describe("experimental_createMcpHandler", () => {
   describe("Options passing - verification via behavior", () => {
     it("should apply custom CORS options", async () => {
       const server = createTestServer();
-      const handler = experimental_createMcpHandler(server, {
+      const handler = createMcpHandler(server, {
         route: "/mcp",
         corsOptions: {
           origin: "https://example.com",
@@ -103,7 +103,7 @@ describe("experimental_createMcpHandler", () => {
   describe("Integration - Basic functionality", () => {
     it("should handle initialization request end-to-end", async () => {
       const server = createTestServer();
-      const handler = experimental_createMcpHandler(server, {
+      const handler = createMcpHandler(server, {
         route: "/mcp"
       });