Point torii-mcp at an OpenAPI/Swagger spec and every operation becomes a callable MCP tool. The proxy is its own OAuth 2.1 server and brokers each backend's login, so any MCP client connects transparently — and the upstream credential never leaks to the client.
backends:
- name: petstore
spec_url: https://api.example.com/openapi.json
auth: {type: oauth2, ...}→ tools live at /mcp/petstore, gated by OAuth.
Anywhere you want an AI assistant to call your existing APIs — safely, as the signed-in user.
Give an assistant your internal REST API as tools, with each user acting under their own upstream credential.
Already have an OpenAPI spec? Point torii-mcp at it — no per-operation glue code.
A login-broker page fronts any custom username/password endpoint and hands MCP clients a standard OAuth flow.
Brokers the backend's own IdP (authorization code + PKCE) and refreshes the upstream token silently.
Each backend is its own MCP endpoint and OAuth resource — add as many as you like in one config file.
Self-hosted, with per-user upstream credentials sealed at rest and never forwarded from the MCP client.
torii-mcp is the gateway between an MCP client and your REST API: it authenticates the client with OAuth, brokers the backend's own login, and proxies each tool call upstream as that user.
Connects to /mcp/<backend> and signs in with standard OAuth 2.1.
Issues MCP tokens, brokers the backend login, seals the per-user credential, and maps OpenAPI operations to tools.
Receives the real request with the user's brokered bearer or cookie.
Add a backend to mcp-proxy.yaml with its OpenAPI spec_url and an auth strategy. The proxy compiles every operation into a tool at boot.
The MCP client discovers the OAuth server, registers via PKCE, and runs the flow. The proxy brokers the backend's login and seals a per-user upstream credential.
Each tool call is proxied upstream with the user's credential. For OAuth2 backends the upstream token refreshes silently, so long sessions just keep working.
Secure by design. The MCP client's token is validated but never sent upstream (no confused deputy). Upstream credentials are sealed with AES-256-GCM; MCP tokens are stored only as hashes.
No third party in the path of your traffic or your credentials.
Swagger 2.0 and OpenAPI 3.0/3.1 operations become MCP tools with generated input schemas.
Dynamic client registration, PKCE, authorization-code + refresh-token grants, RFC 8414/9728 metadata.
login-broker for custom username/password endpoints, or standard OAuth2 with silent upstream refresh.
Each user acts under their own brokered credential — not a shared service account.
The MCP client token is never forwarded upstream; the upstream credential is a separate sealed secret.
Backends live in one YAML file with ${VAR} secrets. No runtime API to attack.
One static binary or a distroless image, an embedded database, no external services.
Installs as a locked-down systemd unit running as an unprivileged user; secrets sealed at rest.
Install the proxy, declare a backend, and point your MCP client at it. The full guide lives in the docs.
# on your host
sudo okpkg install torii-mcp