MCP Transports and Authentication
Configure MCP server connectivity: stdio for local processes and streamable HTTP for remote services. Set up OAuth 2.1 with PKCE and dynamic registration, API key authentication, bearer tokens, and environment variable credentials.
An MCP server's transport defines how the client connects to it, and the authentication configuration defines how the client proves its identity. NeoArc supports documenting both transport types defined in the MCP specification - stdio and streamable HTTP - along with a flexible authentication model that covers OAuth 2.1, API keys, bearer tokens, and environment variable credentials.
Transport Types
MCP defines two transport mechanisms. Most servers support at least one; some support both for different deployment scenarios.
stdio Transport
The stdio transport launches the MCP server as a child process. The client sends JSON-RPC messages to the process's stdin and reads responses from stdout.
| Field | Required | Purpose | Example |
|---|---|---|---|
| command | Yes | The executable to run | npx, node, python |
| args | No | Command-line arguments | ["-y", "@example/mcp-server"] |
| env | No | Environment variables to set before launch | API_KEY=${API_KEY} |
| cwd | No | Working directory for the process | /opt/mcp-servers/ecommerce |
| platformNotes | No | Platform-specific instructions or limitations | Requires Node.js 20+ |
{
"type": "stdio",
"command": "npx",
"args": ["-y", "@example/ecommerce-mcp-server"],
"env": {
"ECOMMERCE_API_KEY": "${ECOMMERCE_API_KEY}",
"ECOMMERCE_API_URL": "https://api.example.com/v2"
},
"platformNotes": "Requires Node.js 20+ and npm 10+"
}Streamable HTTP Transport
The streamable HTTP transport connects to a remote server over HTTPS. It supports two additional features beyond basic request-response.
| Field | Required | Purpose | Example |
|---|---|---|---|
| url | Yes | The server's HTTP endpoint URL | https://mcp.example.com/ecommerce/v2 |
| sessionManagement | No | Whether the server maintains stateful sessions | enabled: true |
| sseSupport | No | Server-Sent Events capabilities | serverInitiatedMessages: true, resumability: true |
{
"type": "streamable-http",
"url": "https://mcp.example.com/ecommerce/v2",
"sessionManagement": {
"enabled": true,
"description": "Sessions persist for 30 minutes of inactivity"
},
"sseSupport": {
"serverInitiatedMessages": true,
"resumability": true
}
}Multiple Transports
A server can offer both transport types. This is common when the same server supports local development via stdio and production deployment via HTTP. Document both transports and note when each is appropriate.
Authentication
MCP authentication is configured at the server level and applies to all tools, resources, and prompts. NeoArc supports three authentication methods that can be used individually or in combination.
OAuth 2.1
OAuth 2.1 is the MCP specification's recommended authentication method for HTTP transports. NeoArc documents the full OAuth configuration so clients can automate the token exchange flow.
| Field | Purpose |
|---|---|
| Protected Resource Metadata URL | URL where the server publishes its resource metadata (RFC 9728) |
| Authorization Server URL | Base URL of the OAuth authorization server |
| Token Endpoint | URL to exchange authorization codes for access tokens |
| Authorization Endpoint | URL where users authenticate and grant permissions |
| PKCE Required | Whether Proof Key for Code Exchange is mandatory (recommended: true) |
| Dynamic Client Registration | Whether clients can register themselves automatically |
| Scopes | Named permission levels with descriptions |
API Key and Bearer Token
For simpler authentication requirements, MCP servers can accept API keys or bearer tokens via HTTP headers.
| Method | Header | Use Case |
|---|---|---|
| API Key | Custom header (e.g. X-API-Key) | Server-to-server integration, internal services |
| Bearer Token | Authorization: Bearer {token} | Pre-issued tokens, service accounts, CI/CD pipelines |
Environment Variable Authentication
For stdio transports, credentials are typically passed as environment variables. Each variable is documented with its name, description, whether it is required, and an example value.
{
"envAuth": [
{
"variableName": "ECOMMERCE_API_KEY",
"description": "API key for the e-commerce platform",
"required": true,
"example": "ek_live_abc123..."
},
{
"variableName": "ECOMMERCE_REGION",
"description": "Deployment region (affects API endpoint selection)",
"required": false,
"example": "eu-west-1"
}
]
}Combining Transports and Authentication
The transport and authentication configuration work together. Here are common combinations.
| Transport | Auth Method | Scenario |
|---|---|---|
| stdio | Environment variables | Local development with API key in .env file |
| stdio | None | Fully self-contained server with no external dependencies |
| Streamable HTTP | OAuth 2.1 | Production cloud service with user-level permissions |
| Streamable HTTP | Bearer token | Internal service with pre-shared service account token |
| Both | OAuth 2.1 + Environment | Development (stdio with env vars) and production (HTTP with OAuth) |
Sampling
Sampling allows the MCP server to request LLM completions through the client. This is an advanced capability where the server asks the AI to generate text, analyse data, or make decisions as part of a tool execution.
Related Guides
Understand the Model Context Protocol and how NeoArc Studio documents MCP servers. Learn about the three primitives (tools, resources, prompts), transport modes, authentication, and how MCP fits into your architecture documentation workflow.
Import existing MCP server manifests into NeoArc Studio and export your documented servers as standard JSON. Understand the file format, directory conventions, and how NeoArc maps MCP primitives to its internal data model.