DEV Community: Adrin T Paul The latest articles on DEV Community by Adrin T Paul (@themechbro). https://dev.to/themechbro https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3947741%2F26a0631a-94ed-4cc3-84cc-441d7c83f5bb.jpeg DEV Community: Adrin T Paul https://dev.to/themechbro en I thought building an MCP server was the hard part. It wasn't. Adrin T Paul Mon, 01 Jun 2026 02:30:00 +0000 https://dev.to/themechbro/i-thought-building-an-mcp-server-was-the-hard-part-it-wasnt-4c87 https://dev.to/themechbro/i-thought-building-an-mcp-server-was-the-hard-part-it-wasnt-4c87 <p>Last month I published <a href="https://www.npmjs.com/package/promptbuilder-mcp" rel="noopener noreferrer"><code>promptbuilder-mcp</code></a> — an MCP server that lets Claude Desktop and Cursor pull prompt components directly from <a href="https://promptbuilder-five.vercel.app/&lt;br&gt;%0A![%20](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/07pbj08vh7emovqhty4l.png)" rel="noopener noreferrer">Prompt Builder</a>, a component-based prompt IDE I've been building.</p> <p>The MCP protocol side took a weekend. The auth problem took much longer and taught me more. This is what I learned.</p> <h2> What I was building </h2> <p>Prompt Builder lets you assemble prompts from reusable components — personas, protocols, formats, templates — stored in a Supabase database. Users can browse a public vault, create private components, and compile everything into structured prompts.</p> <p>The idea with the MCP server was simple: instead of opening the browser, a user should be able to type "fetch my personas from Prompt Builder" inside Claude Desktop and get them back as tool results.</p> <p>Simple idea. The implementation had one problem I didn't see coming.</p> <h2> The assumption that broke everything </h2> <p>My initial mental model was wrong.</p> <p>I assumed the MCP server would somehow inherit the user's existing session — that because the user was logged into Prompt Builder in their browser, the MCP server running on their machine could just... talk to the API and get their data.</p> <p>That's not how it works at all.</p> <p>The MCP server is a separate process running via stdio on the user's machine. It has no browser. It has no cookies. It has no session. When it makes an HTTP request to my API, it's completely unauthenticated by default.</p> <p>This became obvious immediately when I tested it. The server connected fine. Tool registration worked. But every data request came back empty — because all my Supabase tables had Row Level Security enabled, and every query was scoped to <code>auth.uid()</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- This policy meant unauthenticated requests got zero rows</span> <span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"Users can read own components"</span> <span class="k">ON</span> <span class="n">components</span> <span class="k">FOR</span> <span class="k">SELECT</span> <span class="k">USING</span> <span class="p">(</span><span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="o">=</span> <span class="n">user_id</span> <span class="k">OR</span> <span class="n">is_public</span> <span class="o">=</span> <span class="k">true</span><span class="p">);</span> </code></pre> </div> <p>Public components came through fine. Private ones — the user's own vault — returned nothing. No error. Just empty arrays. That was actually worse than an error because it took me a while to understand why.</p> <h2> Why I couldn't use Supabase Auth directly </h2> <p>The obvious fix seemed to be: pass the user's Supabase JWT into the MCP server config.</p> <p>The problem with that is Supabase JWTs expire. A user would configure their MCP server with a token, it would work for an hour, then silently stop returning private data again. That's a terrible experience. You'd also be asking users to paste a raw JWT into a config file, which is not something you want to encourage.</p> <p>I needed something purpose-built for this use case — long-lived, revocable, read-only, and not tied to the session system.</p> <h2> Building the API key system </h2> <p>I built a dedicated <code>api_keys</code> table in Supabase:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">api_keys</span> <span class="p">(</span> <span class="n">id</span> <span class="n">uuid</span> <span class="k">PRIMARY</span> <span class="k">KEY</span> <span class="k">DEFAULT</span> <span class="n">gen_random_uuid</span><span class="p">(),</span> <span class="n">user_id</span> <span class="n">uuid</span> <span class="k">REFERENCES</span> <span class="n">auth</span><span class="p">.</span><span class="n">users</span><span class="p">(</span><span class="n">id</span><span class="p">)</span> <span class="k">ON</span> <span class="k">DELETE</span> <span class="k">CASCADE</span><span class="p">,</span> <span class="n">name</span> <span class="nb">text</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">key_hash</span> <span class="nb">text</span> <span class="k">UNIQUE</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">key_prefix</span> <span class="nb">text</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">scopes</span> <span class="nb">text</span><span class="p">[]</span> <span class="k">DEFAULT</span> <span class="s1">'{}'</span><span class="p">,</span> <span class="n">last_used_at</span> <span class="n">timestamptz</span><span class="p">,</span> <span class="n">created_at</span> <span class="n">timestamptz</span> <span class="k">DEFAULT</span> <span class="n">now</span><span class="p">(),</span> <span class="n">expires_at</span> <span class="n">timestamptz</span><span class="p">,</span> <span class="n">is_active</span> <span class="nb">boolean</span> <span class="k">DEFAULT</span> <span class="k">true</span> <span class="p">);</span> </code></pre> </div> <p>The key format is <code>pb_</code> followed by 32 random hex characters:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// utils/apiKeyHelper.js</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">generateRawKey</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">array</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Uint8Array</span><span class="p">(</span><span class="mi">16</span><span class="p">);</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">getRandomValues</span><span class="p">(</span><span class="nx">array</span><span class="p">);</span> <span class="k">return</span> <span class="dl">"</span><span class="s2">pb_</span><span class="dl">"</span> <span class="o">+</span> <span class="nb">Array</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">array</span><span class="p">)</span> <span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">b</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">b</span><span class="p">.</span><span class="nf">toString</span><span class="p">(</span><span class="mi">16</span><span class="p">).</span><span class="nf">padStart</span><span class="p">(</span><span class="mi">2</span><span class="p">,</span> <span class="dl">"</span><span class="s2">0</span><span class="dl">"</span><span class="p">))</span> <span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="dl">""</span><span class="p">);</span> <span class="p">}</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">hashKey</span><span class="p">(</span><span class="nx">rawKey</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">encoder</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">TextEncoder</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="nx">encoder</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span><span class="nx">rawKey</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">hashBuf</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">crypto</span><span class="p">.</span><span class="nx">subtle</span><span class="p">.</span><span class="nf">digest</span><span class="p">(</span><span class="dl">"</span><span class="s2">SHA-256</span><span class="dl">"</span><span class="p">,</span> <span class="nx">data</span><span class="p">);</span> <span class="k">return</span> <span class="nb">Array</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="k">new</span> <span class="nc">Uint8Array</span><span class="p">(</span><span class="nx">hashBuf</span><span class="p">))</span> <span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">b</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">b</span><span class="p">.</span><span class="nf">toString</span><span class="p">(</span><span class="mi">16</span><span class="p">).</span><span class="nf">padStart</span><span class="p">(</span><span class="mi">2</span><span class="p">,</span> <span class="dl">"</span><span class="s2">0</span><span class="dl">"</span><span class="p">))</span> <span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="dl">""</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>The raw key is shown to the user exactly once and never stored. Only the SHA-256 hash lives in the database. On every MCP request, I hash the incoming Bearer token and compare it against the stored hash.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// utils/apiKeyHelper.js</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">verifyApiKey</span><span class="p">(</span><span class="nx">rawKey</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">hash</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">hashKey</span><span class="p">(</span><span class="nx">rawKey</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span><span class="p">,</span> <span class="nx">error</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">"</span><span class="s2">api_keys</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">select</span><span class="p">(</span><span class="dl">"</span><span class="s2">user_id, scopes, is_active</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">"</span><span class="s2">key_hash</span><span class="dl">"</span><span class="p">,</span> <span class="nx">hash</span><span class="p">)</span> <span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">"</span><span class="s2">is_active</span><span class="dl">"</span><span class="p">,</span> <span class="kc">true</span><span class="p">)</span> <span class="p">.</span><span class="nf">single</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span> <span class="o">||</span> <span class="o">!</span><span class="nx">data</span><span class="p">)</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="c1">// Update last_used_at without blocking the response</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">"</span><span class="s2">api_keys</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">update</span><span class="p">({</span> <span class="na">last_used_at</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">()</span> <span class="p">})</span> <span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">"</span><span class="s2">key_hash</span><span class="dl">"</span><span class="p">,</span> <span class="nx">hash</span><span class="p">);</span> <span class="k">return</span> <span class="nx">data</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Scopes in v1 are <code>components:read</code> and <code>packs:read</code> — read-only access only. Creating or editing components requires a logged-in browser session, not an API key.</p> <h2> The MCP endpoints </h2> <p>With auth solved, the MCP endpoints are straightforward. All four are GET routes that verify the Bearer token, resolve the <code>user_id</code>, and query Supabase with that context:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">GET /api/mcp/components — list/search by type and query GET /api/mcp/components/[id] — fetch single component GET /api/mcp/packs — list/search by category GET /api/mcp/packs/[id] — fetch pack with all components resolved </span></code></pre> </div> <p>The <code>packs/[id]</code> endpoint is worth calling out. A pack contains an array of component IDs. Rather than making the MCP client do N follow-up requests to resolve each component, this endpoint resolves everything in a single call and returns the full component content inline. That matters for MCP because each tool call has latency — fewer calls is always better.</p> <h2> The MCP server itself </h2> <p>The server uses the <code>@modelcontextprotocol/sdk</code> with stdio transport. Five tools, one HTTP client, straightforward registration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// src/index.js</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">McpServer</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@modelcontextprotocol/sdk/server/mcp.js</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">StdioServerTransport</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@modelcontextprotocol/sdk/server/stdio.js</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">z</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">zod</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./client.js</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">createServer</span><span class="p">(</span><span class="nx">apiKey</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">McpServer</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">promptbuilder</span><span class="dl">"</span><span class="p">,</span> <span class="na">version</span><span class="p">:</span> <span class="dl">"</span><span class="s2">1.0.0</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">(</span><span class="nx">apiKey</span><span class="p">);</span> <span class="nx">server</span><span class="p">.</span><span class="nf">tool</span><span class="p">(</span> <span class="dl">"</span><span class="s2">list_components</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">List prompt components by type with optional name search</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">enum</span><span class="p">([</span><span class="dl">"</span><span class="s2">persona</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">protocol</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">format</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">template</span><span class="dl">"</span><span class="p">]).</span><span class="nf">optional</span><span class="p">(),</span> <span class="na">query</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">optional</span><span class="p">(),</span> <span class="p">},</span> <span class="k">async </span><span class="p">({</span> <span class="nx">type</span><span class="p">,</span> <span class="nx">query</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">listComponents</span><span class="p">({</span> <span class="nx">type</span><span class="p">,</span> <span class="nx">query</span> <span class="p">});</span> <span class="k">return</span> <span class="p">{</span> <span class="na">content</span><span class="p">:</span> <span class="p">[{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">text</span><span class="dl">"</span><span class="p">,</span> <span class="na">text</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">data</span><span class="p">,</span> <span class="kc">null</span><span class="p">,</span> <span class="mi">2</span><span class="p">)</span> <span class="p">}],</span> <span class="p">};</span> <span class="p">}</span> <span class="p">);</span> <span class="c1">// ... get_component, search_components, list_packs, get_pack</span> <span class="k">return</span> <span class="nx">server</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>The transport setup is three lines:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="nf">createServer</span><span class="p">(</span><span class="nx">apiKey</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">transport</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">StdioServerTransport</span><span class="p">();</span> <span class="k">await</span> <span class="nx">server</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="nx">transport</span><span class="p">);</span> </code></pre> </div> <h2> What it looks like from inside Claude Desktop </h2> <p>This is the part that made it feel real.</p> <p>After a user generates an API key in <code>/settings</code> and adds the config to <code>claude_desktop_config.json</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"mcpServers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"promptbuilder"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"npx"</span><span class="p">,</span><span class="w"> </span><span class="nl">"args"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"-y"</span><span class="p">,</span><span class="w"> </span><span class="s2">"promptbuilder-mcp"</span><span class="p">,</span><span class="w"> </span><span class="s2">"--key"</span><span class="p">,</span><span class="w"> </span><span class="s2">"pb_your_key_here"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>They can then type inside Claude Desktop:</p> <blockquote> <p>"Fetch my personas from Prompt Builder and write me a customer support response using the Customer Support Specialist persona."</p> </blockquote> <p>Claude calls <code>list_components</code> with <code>type: "persona"</code>, gets the user's specific personas back, and uses the content directly in its response. The user never left the chat window.</p> <p>That's the whole point of MCP — your tools become Claude's tools.</p> <h2> What I'd do differently </h2> <p><strong>Start with auth design, not protocol implementation.</strong> I spent time on the MCP SDK before I'd thought through how a stateless process authenticates against a user-scoped database. Get the auth model right first.</p> <p><strong>Hash on the server, not the client.</strong> Early versions hashed the key in the browser before sending. That's wrong — hash on the server when verifying, compare against the stored hash. Simpler and correct.</p> <p><strong>Return everything in one call where possible.</strong> The <code>get_pack</code> endpoint that resolves component IDs inline was an afterthought. It should have been the first thing I built because multiple round-trips in MCP are slow.</p> <h2> Links </h2> <ul> <li>Live: <a href="https://promptbuilder-five.vercel.app/" rel="noopener noreferrer">promptbuilder</a> </li> <li>npm: <a href="https://www.npmjs.com/package/promptbuilder-mcp" rel="noopener noreferrer">npmjs.com/package/promptbuilder-mcp</a> </li> <li>GitHub: <a href="https://github.com/themechbro/promptbuilder" rel="noopener noreferrer">github.com/themechbro/promptbuilder</a> </li> <li>MCP server repo: <a href="https://github.com/themechbro/promptbuilder-mcp" rel="noopener noreferrer">github.com/themechbro/promptbuilder-mcp</a> If you're building an MCP server that needs to talk to user-scoped data, the auth design is where you should spend your time first.</li> </ul> mcp nextjs webdev opensource