DEV Community: Adrin T Paul The latest articles on DEV Community by Adrin T Paul (@themechbro). https://dev.to/themechbro https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3947741%2F26a0631a-94ed-4cc3-84cc-441d7c83f5bb.jpeg DEV Community: Adrin T Paul https://dev.to/themechbro en A user's terminal opened a code editor instead of running my CLI tool. Adrin T Paul Tue, 23 Jun 2026 09:31:27 +0000 https://dev.to/themechbro/a-users-terminal-opened-a-code-editor-instead-of-running-my-cli-tool-3lfp https://dev.to/themechbro/a-users-terminal-opened-a-code-editor-instead-of-running-my-cli-tool-3lfp <p>No error. No crash log. Just... my .js file, popped open in an IDE, like the computer decided to "take a look" instead of executing it.</p> <p>Here's what actually happened.</p> <p>*<em>I built an MCP server — promptbuilder-mcp — so Claude Desktop and Cursor can pull prompt components straight from my vault. Published it to npm. Tested it. Worked perfectly on my machine.<br> *</em><br> Then a Windows user installed it globally and ran:</p> <p>promptbuilder-mcp --key pb_xxxx</p> <p>Their terminal printed a warning about "Electron/Chromium" not recognizing the --key flag. Then their code editor opened. Then nothing.</p> <p>My first instinct: PATH conflict. Some other tool hijacking the command. I had them run Get-Command — clean, it pointed straight at my own npm shim. Not a conflict.</p> <p>So I read the shim npm had generated for Windows:</p> <p><code>&amp; "$basedir/node_modules/promptbuilder-mcp/bin/promptbuilder-mcp.js" $args</code></p> <p>*<em>No node executable in that line. Just the .js file, called directly.<br> *</em><br> <em>On Windows, .js files have no native way to execute themselves. There's no shebang interpretation at the OS level like on Linux/Mac. So when PowerShell hit a file it couldn't run, it fell back to whatever app Windows had associated with .js — which on that machine happened to be an Electron-based editor.</em></p> <p>That explained everything. The "Electron/Chromium" warning. The editor opening. All of it.</p> <p>*<em>But why would npm generate a broken shim in the first place?<br> *</em><br> _npm's shim generator (cmd-shim) decides which template to use by checking for a shebang line at the top of your bin file — #!/usr/bin/env node. If it finds one, it builds a proper shim that calls node explicitly. If it doesn't, it falls back to the broken "just run the file" template.</p> <p>I checked my bin file with a hex dump:</p> <p>69 6D 70 6F 72 74 20 7B 20 73 → "import { s..."</p> <p>No shebang. The file started directly with my import statement. I'd never added one — because on Mac and Linux, npm CLI tools often work fine without it, since those shells handle execution differently._</p> <p>The fix was one line:</p> <p><code>#!/usr/bin/env node<br> import { startServer } from "../src/index.js";</code></p> <p>Republished. Reinstalled clean on Windows. The shim regenerated correctly. The server ran.</p> <p>The part that stuck with me: this had been broken since the very first publish. Every Windows user who installed it globally hit this — silently, with no error pointing anywhere near the real cause. "It works on my machine" is true and also completely useless when your machine was never the one that mattered.</p> <p>Cross-platform testing isn't a checkbox. It's the only way bugs like this surface before a real user finds them for you.</p> <p>If you've shipped a CLI tool — have you tested the literal install path a stranger would take, on every OS you claim to support? Not the dev shortcut. The real one.</p> <h1> buildinpublic #mcp #softwareengineering #debugging #npm </h1> cli javascript mcp node I thought building an MCP server was the hard part. It wasn't. Adrin T Paul Mon, 01 Jun 2026 02:30:00 +0000 https://dev.to/themechbro/i-thought-building-an-mcp-server-was-the-hard-part-it-wasnt-4c87 https://dev.to/themechbro/i-thought-building-an-mcp-server-was-the-hard-part-it-wasnt-4c87 <p>Last month I published <a href="https://www.npmjs.com/package/promptbuilder-mcp" rel="noopener noreferrer"><code>promptbuilder-mcp</code></a> — an MCP server that lets Claude Desktop and Cursor pull prompt components directly from <a href="https://promptbuilder-five.vercel.app/<br>%0A![%20](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/07pbj08vh7emovqhty4l.png)" rel="noopener noreferrer">Prompt Builder</a>, a component-based prompt IDE I've been building.</p> <p>The MCP protocol side took a weekend. The auth problem took much longer and taught me more. This is what I learned.</p> <h2> What I was building </h2> <p>Prompt Builder lets you assemble prompts from reusable components — personas, protocols, formats, templates — stored in a Supabase database. Users can browse a public vault, create private components, and compile everything into structured prompts.</p> <p>The idea with the MCP server was simple: instead of opening the browser, a user should be able to type "fetch my personas from Prompt Builder" inside Claude Desktop and get them back as tool results.</p> <p>Simple idea. The implementation had one problem I didn't see coming.</p> <h2> The assumption that broke everything </h2> <p>My initial mental model was wrong.</p> <p>I assumed the MCP server would somehow inherit the user's existing session — that because the user was logged into Prompt Builder in their browser, the MCP server running on their machine could just... talk to the API and get their data.</p> <p>That's not how it works at all.</p> <p>The MCP server is a separate process running via stdio on the user's machine. It has no browser. It has no cookies. It has no session. When it makes an HTTP request to my API, it's completely unauthenticated by default.</p> <p>This became obvious immediately when I tested it. The server connected fine. Tool registration worked. But every data request came back empty — because all my Supabase tables had Row Level Security enabled, and every query was scoped to <code>auth.uid()</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- This policy meant unauthenticated requests got zero rows</span> <span class="k">CREATE</span> <span class="n">POLICY</span> <span class="nv">"Users can read own components"</span> <span class="k">ON</span> <span class="n">components</span> <span class="k">FOR</span> <span class="k">SELECT</span> <span class="k">USING</span> <span class="p">(</span><span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="o">=</span> <span class="n">user_id</span> <span class="k">OR</span> <span class="n">is_public</span> <span class="o">=</span> <span class="k">true</span><span class="p">);</span> </code></pre> </div> <p>Public components came through fine. Private ones — the user's own vault — returned nothing. No error. Just empty arrays. That was actually worse than an error because it took me a while to understand why.</p> <h2> Why I couldn't use Supabase Auth directly </h2> <p>The obvious fix seemed to be: pass the user's Supabase JWT into the MCP server config.</p> <p>The problem with that is Supabase JWTs expire. A user would configure their MCP server with a token, it would work for an hour, then silently stop returning private data again. That's a terrible experience. You'd also be asking users to paste a raw JWT into a config file, which is not something you want to encourage.</p> <p>I needed something purpose-built for this use case — long-lived, revocable, read-only, and not tied to the session system.</p> <h2> Building the API key system </h2> <p>I built a dedicated <code>api_keys</code> table in Supabase:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">api_keys</span> <span class="p">(</span> <span class="n">id</span> <span class="n">uuid</span> <span class="k">PRIMARY</span> <span class="k">KEY</span> <span class="k">DEFAULT</span> <span class="n">gen_random_uuid</span><span class="p">(),</span> <span class="n">user_id</span> <span class="n">uuid</span> <span class="k">REFERENCES</span> <span class="n">auth</span><span class="p">.</span><span class="n">users</span><span class="p">(</span><span class="n">id</span><span class="p">)</span> <span class="k">ON</span> <span class="k">DELETE</span> <span class="k">CASCADE</span><span class="p">,</span> <span class="n">name</span> <span class="nb">text</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">key_hash</span> <span class="nb">text</span> <span class="k">UNIQUE</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">key_prefix</span> <span class="nb">text</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">scopes</span> <span class="nb">text</span><span class="p">[]</span> <span class="k">DEFAULT</span> <span class="s1">'{}'</span><span class="p">,</span> <span class="n">last_used_at</span> <span class="n">timestamptz</span><span class="p">,</span> <span class="n">created_at</span> <span class="n">timestamptz</span> <span class="k">DEFAULT</span> <span class="n">now</span><span class="p">(),</span> <span class="n">expires_at</span> <span class="n">timestamptz</span><span class="p">,</span> <span class="n">is_active</span> <span class="nb">boolean</span> <span class="k">DEFAULT</span> <span class="k">true</span> <span class="p">);</span> </code></pre> </div> <p>The key format is <code>pb_</code> followed by 32 random hex characters:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// utils/apiKeyHelper.js</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">generateRawKey</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">array</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Uint8Array</span><span class="p">(</span><span class="mi">16</span><span class="p">);</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">getRandomValues</span><span class="p">(</span><span class="nx">array</span><span class="p">);</span> <span class="k">return</span> <span class="dl">"</span><span class="s2">pb_</span><span class="dl">"</span> <span class="o">+</span> <span class="nb">Array</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">array</span><span class="p">)</span> <span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">b</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">b</span><span class="p">.</span><span class="nf">toString</span><span class="p">(</span><span class="mi">16</span><span class="p">).</span><span class="nf">padStart</span><span class="p">(</span><span class="mi">2</span><span class="p">,</span> <span class="dl">"</span><span class="s2">0</span><span class="dl">"</span><span class="p">))</span> <span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="dl">""</span><span class="p">);</span> <span class="p">}</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">hashKey</span><span class="p">(</span><span class="nx">rawKey</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">encoder</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">TextEncoder</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="nx">encoder</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span><span class="nx">rawKey</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">hashBuf</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">crypto</span><span class="p">.</span><span class="nx">subtle</span><span class="p">.</span><span class="nf">digest</span><span class="p">(</span><span class="dl">"</span><span class="s2">SHA-256</span><span class="dl">"</span><span class="p">,</span> <span class="nx">data</span><span class="p">);</span> <span class="k">return</span> <span class="nb">Array</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="k">new</span> <span class="nc">Uint8Array</span><span class="p">(</span><span class="nx">hashBuf</span><span class="p">))</span> <span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">b</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">b</span><span class="p">.</span><span class="nf">toString</span><span class="p">(</span><span class="mi">16</span><span class="p">).</span><span class="nf">padStart</span><span class="p">(</span><span class="mi">2</span><span class="p">,</span> <span class="dl">"</span><span class="s2">0</span><span class="dl">"</span><span class="p">))</span> <span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="dl">""</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>The raw key is shown to the user exactly once and never stored. Only the SHA-256 hash lives in the database. On every MCP request, I hash the incoming Bearer token and compare it against the stored hash.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// utils/apiKeyHelper.js</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">verifyApiKey</span><span class="p">(</span><span class="nx">rawKey</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">hash</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">hashKey</span><span class="p">(</span><span class="nx">rawKey</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span><span class="p">,</span> <span class="nx">error</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">"</span><span class="s2">api_keys</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">select</span><span class="p">(</span><span class="dl">"</span><span class="s2">user_id, scopes, is_active</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">"</span><span class="s2">key_hash</span><span class="dl">"</span><span class="p">,</span> <span class="nx">hash</span><span class="p">)</span> <span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">"</span><span class="s2">is_active</span><span class="dl">"</span><span class="p">,</span> <span class="kc">true</span><span class="p">)</span> <span class="p">.</span><span class="nf">single</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span> <span class="o">||</span> <span class="o">!</span><span class="nx">data</span><span class="p">)</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="c1">// Update last_used_at without blocking the response</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">"</span><span class="s2">api_keys</span><span class="dl">"</span><span class="p">)</span> <span class="p">.</span><span class="nf">update</span><span class="p">({</span> <span class="na">last_used_at</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">()</span> <span class="p">})</span> <span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">"</span><span class="s2">key_hash</span><span class="dl">"</span><span class="p">,</span> <span class="nx">hash</span><span class="p">);</span> <span class="k">return</span> <span class="nx">data</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Scopes in v1 are <code>components:read</code> and <code>packs:read</code> — read-only access only. Creating or editing components requires a logged-in browser session, not an API key.</p> <h2> The MCP endpoints </h2> <p>With auth solved, the MCP endpoints are straightforward. All four are GET routes that verify the Bearer token, resolve the <code>user_id</code>, and query Supabase with that context:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">GET /api/mcp/components — list/search by type and query GET /api/mcp/components/[id] — fetch single component GET /api/mcp/packs — list/search by category GET /api/mcp/packs/[id] — fetch pack with all components resolved </span></code></pre> </div> <p>The <code>packs/[id]</code> endpoint is worth calling out. A pack contains an array of component IDs. Rather than making the MCP client do N follow-up requests to resolve each component, this endpoint resolves everything in a single call and returns the full component content inline. That matters for MCP because each tool call has latency — fewer calls is always better.</p> <h2> The MCP server itself </h2> <p>The server uses the <code>@modelcontextprotocol/sdk</code> with stdio transport. Five tools, one HTTP client, straightforward registration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// src/index.js</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">McpServer</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@modelcontextprotocol/sdk/server/mcp.js</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">StdioServerTransport</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@modelcontextprotocol/sdk/server/stdio.js</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">z</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">zod</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./client.js</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">createServer</span><span class="p">(</span><span class="nx">apiKey</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">McpServer</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">promptbuilder</span><span class="dl">"</span><span class="p">,</span> <span class="na">version</span><span class="p">:</span> <span class="dl">"</span><span class="s2">1.0.0</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="nf">createClient</span><span class="p">(</span><span class="nx">apiKey</span><span class="p">);</span> <span class="nx">server</span><span class="p">.</span><span class="nf">tool</span><span class="p">(</span> <span class="dl">"</span><span class="s2">list_components</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">List prompt components by type with optional name search</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">enum</span><span class="p">([</span><span class="dl">"</span><span class="s2">persona</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">protocol</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">format</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">template</span><span class="dl">"</span><span class="p">]).</span><span class="nf">optional</span><span class="p">(),</span> <span class="na">query</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">optional</span><span class="p">(),</span> <span class="p">},</span> <span class="k">async </span><span class="p">({</span> <span class="nx">type</span><span class="p">,</span> <span class="nx">query</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">listComponents</span><span class="p">({</span> <span class="nx">type</span><span class="p">,</span> <span class="nx">query</span> <span class="p">});</span> <span class="k">return</span> <span class="p">{</span> <span class="na">content</span><span class="p">:</span> <span class="p">[{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">text</span><span class="dl">"</span><span class="p">,</span> <span class="na">text</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">data</span><span class="p">,</span> <span class="kc">null</span><span class="p">,</span> <span class="mi">2</span><span class="p">)</span> <span class="p">}],</span> <span class="p">};</span> <span class="p">}</span> <span class="p">);</span> <span class="c1">// ... get_component, search_components, list_packs, get_pack</span> <span class="k">return</span> <span class="nx">server</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>The transport setup is three lines:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">server</span> <span class="o">=</span> <span class="nf">createServer</span><span class="p">(</span><span class="nx">apiKey</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">transport</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">StdioServerTransport</span><span class="p">();</span> <span class="k">await</span> <span class="nx">server</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="nx">transport</span><span class="p">);</span> </code></pre> </div> <h2> What it looks like from inside Claude Desktop </h2> <p>This is the part that made it feel real.</p> <p>After a user generates an API key in <code>/settings</code> and adds the config to <code>claude_desktop_config.json</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"mcpServers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"promptbuilder"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"npx"</span><span class="p">,</span><span class="w"> </span><span class="nl">"args"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"-y"</span><span class="p">,</span><span class="w"> </span><span class="s2">"promptbuilder-mcp"</span><span class="p">,</span><span class="w"> </span><span class="s2">"--key"</span><span class="p">,</span><span class="w"> </span><span class="s2">"pb_your_key_here"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>They can then type inside Claude Desktop:</p> <blockquote> <p>"Fetch my personas from Prompt Builder and write me a customer support response using the Customer Support Specialist persona."</p> </blockquote> <p>Claude calls <code>list_components</code> with <code>type: "persona"</code>, gets the user's specific personas back, and uses the content directly in its response. The user never left the chat window.</p> <p>That's the whole point of MCP — your tools become Claude's tools.</p> <h2> What I'd do differently </h2> <p><strong>Start with auth design, not protocol implementation.</strong> I spent time on the MCP SDK before I'd thought through how a stateless process authenticates against a user-scoped database. Get the auth model right first.</p> <p><strong>Hash on the server, not the client.</strong> Early versions hashed the key in the browser before sending. That's wrong — hash on the server when verifying, compare against the stored hash. Simpler and correct.</p> <p><strong>Return everything in one call where possible.</strong> The <code>get_pack</code> endpoint that resolves component IDs inline was an afterthought. It should have been the first thing I built because multiple round-trips in MCP are slow.</p> <h2> Links </h2> <ul> <li>Live: <a href="https://promptbuilder-five.vercel.app/" rel="noopener noreferrer">promptbuilder</a> </li> <li>npm: <a href="https://www.npmjs.com/package/promptbuilder-mcp" rel="noopener noreferrer">npmjs.com/package/promptbuilder-mcp</a> </li> <li>GitHub: <a href="https://github.com/themechbro/promptbuilder" rel="noopener noreferrer">github.com/themechbro/promptbuilder</a> </li> <li>MCP server repo: <a href="https://github.com/themechbro/promptbuilder-mcp" rel="noopener noreferrer">github.com/themechbro/promptbuilder-mcp</a> If you're building an MCP server that needs to talk to user-scoped data, the auth design is where you should spend your time first.</li> </ul> mcp nextjs webdev opensource