Feature/docker api key login (#68)

* add host as cli var

* add API key for docker containers

* fix docker container start

* release: bump version to 0.3.3 (patch release)

* remove smithery badge

Author: Rodriguespn

Dockerfile

@@ -12,4 +12,4 @@ RUN uv sync --locked --no-cache
 # Expose the port the MCP server runs on
 EXPOSE 8000
 
-CMD ["uv", "run", "src/main.py", "start", "--transport", "stdio"]
+CMD ["uv", "run", "src/main.py", "start", "--transport", "stdio", "--host", "0.0.0.0"]

README.md

@@ -1,6 +1,6 @@
 # SingleStore MCP Server
 
-[![MIT Licence](https://img.shields.io/badge/License-MIT-yellow.svg)](https://github.com/singlestore-labs/mcp-server-singlestore/blob/main/LICENSE) [![PyPI](https://img.shields.io/pypi/v/singlestore-mcp-server)](https://pypi.org/project/singlestore-mcp-server/) [![Downloads](https://static.pepy.tech/badge/singlestore-mcp-server)](https://pepy.tech/project/singlestore-mcp-server) [![Smithery](https://smithery.ai/badge/@singlestore-labs/mcp-server-singlestore)](https://smithery.ai/server/@singlestore-labs/mcp-server-singlestore)
+[![MIT Licence](https://img.shields.io/badge/License-MIT-yellow.svg)](https://github.com/singlestore-labs/mcp-server-singlestore/blob/main/LICENSE) [![PyPI](https://img.shields.io/pypi/v/singlestore-mcp-server)](https://pypi.org/project/singlestore-mcp-server/) [![Downloads](https://static.pepy.tech/badge/singlestore-mcp-server)](https://pepy.tech/project/singlestore-mcp-server)
 
 [Model Context Protocol]((https://modelcontextprotocol.io/introduction)) (MCP) is a standardized protocol designed to manage context between large language models (LLMs) and external systems. This repository provides an installer and an MCP Server for Singlestore, enabling seamless integration.
 
@@ -231,6 +231,10 @@ To run the Docker container, use the following command:
 ```bash
 docker run -d \
   -p 8000:8000 \
+  -e MCP_API_KEY="your_api_key_here" \
+  -it \
   --name mcp-server \
   mcp-server-singlestore
 ```
+
+Note: An API key is needed when using Docker because the OAuth flow isn't supported locally for servers running in a Docker container. We're working with the Docker team to enable OAuth for local servers in the future. For better security, we recommend using Docker Desktop to configure the S2 MCP server—see [this blog post](https://www.docker.com/blog/docker-mcp-catalog-secure-way-to-discover-and-run-mcp-servers/) for details on Docker's new MCP Catalog.

pyproject.toml

@@ -5,7 +5,7 @@ description = "SingleStore MCP server"
 readme = "README.md"
 requires-python = ">=3.10"
 dependencies = [
- "mcp[cli]>=1.9.4",
+ "mcp>=1.10.1",
  "nbformat>=5.10.4",
  "pydantic-settings>=2.9.1",
  "segment-analytics-python>=2.3.4",

src/api/common.py

@@ -5,6 +5,7 @@
 from starlette.exceptions import HTTPException
 
 from src.api.types import MCPConcept, AVAILABLE_FLAGS
+import src.config.config as config
 from src.config.config import get_session_request, get_settings
 from src.logger import get_logger
 
@@ -208,7 +209,12 @@ def build_request_endpoint(endpoint: str, params: dict = None):
         if params is None:
             params = {}
 
-        params["organizationID"] = get_org_id()
+        # Get organization ID (might be None for API key auth)
+        org_id = get_org_id()
+
+        # Only add organizationID if it's not None (not using API key)
+        if org_id is not None:
+            params["organizationID"] = org_id
 
         if params and type == "GET":  # Only add query params for GET requests
             url += "?"
@@ -331,15 +337,23 @@ def __get_user_id() -> str:
     raise ValueError("Could not retrieve user ID from the API")
 
 
-def get_org_id() -> str:
+def get_org_id() -> str | None:
     """
     Get the organization ID from the management API.
 
+    For API key authentication, organization ID is not required.
+    For JWT token authentication, organization ID is required.
+
     Returns:
-        str: The organization ID
+        str or None: The organization ID, or None if using API key authentication
     """
     settings = get_settings()
 
+    # If using API key authentication, no org_id is needed
+    if not settings.is_remote and settings.api_key:
+        logger.debug("Using API key authentication, no organization ID needed")
+        return None
+
     org_id = settings.org_id
 
     if not org_id:
@@ -370,10 +384,15 @@ def get_access_token() -> str:
             f"Remote access token retrieved (length: {len(access_token) if access_token else 0})"
         )
     else:
-        access_token = settings.jwt_token
-        logger.debug(
-            f"Local JWT token retrieved (length: {len(access_token) if access_token else 0})"
-        )
+        # Check for API key first, then fall back to JWT token
+        if isinstance(settings, config.LocalSettings) and settings.api_key:
+            access_token = settings.api_key
+            logger.debug("Using API key for authentication")
+        else:
+            access_token = settings.jwt_token
+            logger.debug(
+                f"Local JWT token retrieved (length: {len(access_token) if access_token else 0})"
+            )
 
     if not access_token:
         logger.warning("No access token available!")

src/api/tools/registery.py

@@ -38,12 +38,29 @@ def register_tools(mcp: FastMCP, **filter_flags) -> None:
         # Register only public tools explicitly
         register_tools(mcp, private=False, deprecated=False)
     """
+    # Import here to avoid circular imports
+    from src.config.config import get_settings, LocalSettings
+
     # Default: only register public tools (non-private, non-deprecated)
     if not filter_flags:
         filter_flags = {"internal": False, "deprecated": False}
 
     filtered_tools: List[Tool] = filter_tools(**filter_flags)
 
+    # Check if we're using API key authentication in local mode
+    settings = get_settings()
+    using_api_key = (
+        not settings.is_remote
+        and isinstance(settings, LocalSettings)
+        and settings.api_key
+    )
+
+    # List of tools to exclude when using API key authentication
+    api_key_excluded_tools = ["get_organizations", "set_organization"]
+
     for tool in filtered_tools:
         func = tool.func
+        # Skip organization-related tools when using API key authentication
+        if using_api_key and func.__name__ in api_key_excluded_tools:
+            continue
         mcp.tool(name=func.__name__, description=func.__doc__)(func)

src/commands/start.py

@@ -1,3 +1,4 @@
+import os
 from mcp.server.fastmcp import FastMCP
 from mcp.server.auth.settings import AuthSettings, ClientRegistrationOptions
 
@@ -12,17 +13,27 @@
 logger = get_logger()
 
 
-def start_command(transport):
-    # Always use browser authentication for stdio mode
+def start_command(transport: str, host: str):
+    api_key = os.environ.get("MCP_API_KEY")
+
     if transport == config.Transport.STDIO:
-        oauth_token = get_authentication_token()
-        if not oauth_token:
-            logger.error("Authentication failed. Please try again")
-            return
-        logger.info("Authentication successful")
-
-        # Create settings with OAuth token as JWT token
-        settings = config.init_settings(transport=transport, jwt_token=oauth_token)
+        if api_key:
+            # Silent API key authentication for Docker containers
+            logger.debug("Using API key authentication")
+            settings = config.init_settings(transport=transport, host=host)
+            # API key will be automatically loaded from env vars via Pydantic
+        else:
+            # Use browser authentication for stdio mode
+            oauth_token = get_authentication_token()
+            if not oauth_token:
+                logger.error("Authentication failed. Please try again")
+                return
+            logger.info("Authentication successful")
+
+            # Create settings with OAuth token as JWT token
+            settings = config.init_settings(
+                transport=transport, jwt_token=oauth_token, host=host
+            )
     else:
         raise NotImplementedError("Only stdio transport is currently supported.")
         # settings = config.init_settings(transport=transport, jwt_token=None)

src/config/config.py

@@ -31,11 +31,12 @@ class Settings(ABC, BaseSettings):
 class LocalSettings(Settings):
     jwt_token: str | None = None
     org_id: str | None = None
+    api_key: str | None = None
     transport: Transport = Transport.STDIO
     is_remote: bool = False
 
-    # Remove environment variable configuration to force browser auth
-    # model_config = SettingsConfigDict(env_prefix="MCP_", env_file=".env.local")
+    # Environment variable configuration for Docker use cases
+    model_config = SettingsConfigDict(env_prefix="MCP_")
 
     def set_jwt_token(self, token: str) -> None:
         """Set JWT token for authentication (obtained via browser OAuth)"""
@@ -51,7 +52,6 @@ def validate_org_id_uuid(cls, v):
 
 
 class RemoteSettings(Settings):
-    host: str
     org_id: str
     is_remote: bool = True
     issuer_url: str
@@ -124,15 +124,15 @@ def get_user_id() -> str | None:
 
 
 def init_settings(
-    transport: Transport, jwt_token: str | None = None
+    transport: Transport, jwt_token: str | None = None, host: str | None = None
 ) -> RemoteSettings | LocalSettings:
     match transport:
         case Transport.HTTP:
             settings = RemoteSettings(transport=Transport.HTTP)
         case Transport.SSE:
             settings = RemoteSettings(transport=Transport.SSE)
         case Transport.STDIO:
-            settings = LocalSettings(jwt_token=jwt_token)
+            settings = LocalSettings(jwt_token=jwt_token, host=host)
         case _:
             raise ValueError(f"Unsupported transport mode: {transport}")
 

src/main.py

@@ -27,16 +27,19 @@ def cli():
     default=DEFAULT_TRANSPORT,
     help="Only stdio transport is currently supported for local development. ",
 )
-def start(transport: str):
+@click.option(
+    "--host",
+    type=str,
+    default="localhost",
+    help="Host to bind the MCP server to (default: localhost)",
+)
+def start(transport: str, host: str):
     """
     Start the MCP server with the specified transport.
 
     The server will automatically handle authentication via browser OAuth.
     """
-
-    # transport is already a string, no need to convert
-    logger.info(f"Starting MCP server with transport={transport}")
-    start_command(transport)
+    start_command(transport, host)
 
 
 @cli.command()

src/version.py

@@ -1 +1 @@
-__version__ = "0.3.2"
+__version__ = "0.3.3"