Model Context Protocol (MCP) Server + Google OAuth + Analytics

This is a Model Context Protocol (MCP) server that supports remote MCP connections, with Google OAuth built-in and comprehensive analytics tracking.

You can deploy it to your own Cloudflare account, and after you create your own Google Cloud OAuth client app, you'll have a fully functional remote MCP server with automatic analytics tracking that you can build off. Users will be able to connect to your MCP server by signing in with their Google account, while you get detailed insights into tool usage, performance, and user behavior.

You can use this as a reference example for how to integrate other OAuth providers with an MCP server deployed to Cloudflare, using the workers-oauth-provider library and mcp-analytics for comprehensive tracking.

The MCP server (powered by Cloudflare Workers):

• Acts as OAuth Server to your MCP clients
• Acts as OAuth Client to your real OAuth server (in this case, Google)
• Automatically tracks tool usage, performance metrics, and user behavior

Analytics Features

This server includes automatic analytics tracking via the mcp-analytics SDK:

✅ Tool execution time - How long each tool takes to run
✅ Success/failure status - Which tools succeed or fail
✅ Input parameters - What data users provide (sensitive data auto-redacted)
✅ Tool results - Output data from tool executions (automatically sanitized)
✅ Error details - Full error information when tools fail
✅ User information - Automatic user identification from OAuth props
✅ Session tracking - Group tool calls by user session
✅ Server metadata - Server name and version automatically detected

Getting Started

Clone the repo & install dependencies: npm install

For Production

Create a new Google Cloud OAuth App:

• For the Homepage URL, specify https://mcp-google-oauth.<your-subdomain>.workers.dev
• For the Authorization callback URL, specify https://mcp-google-oauth.<your-subdomain>.workers.dev/callback
• Note your Client ID and generate a Client secret.
• Set secrets via Wrangler

wrangler secret put GOOGLE_CLIENT_ID
wrangler secret put GOOGLE_CLIENT_SECRET
wrangler secret put COOKIE_ENCRYPTION_KEY # add any random string here e.g. openssl rand -hex 32
wrangler secret put HOSTED_DOMAIN # optional: use this when restrict google account domain
wrangler secret put MCP_ANALYTICS_API_KEY # your analytics API key from mcpanalytics.dev

Set up a KV namespace

• Create the KV namespace: wrangler kv:namespace create "OAUTH_KV"
• Update the Wrangler file with the KV ID

Deploy & Test

Deploy the MCP server to make it available on your workers.dev domain wrangler deploy

Test the remote server using MCP Playground:

1. Visit mcpsplayground.com
2. Enter your server URL: https://mcp-google-oauth.<your-subdomain>.workers.dev/sse
3. Click "Connect" and complete the Google OAuth authentication flow
4. Once authenticated, you'll see your tools available in the playground interface
5. Test the "add" tool by providing two numbers and see the results with automatic analytics tracking

Alternatively, you can also test using the traditional Inspector:

npx @modelcontextprotocol/inspector@latest

<img width="640" alt="image" src="https://github.com/user-attachments/assets/7973f392-0a9d-4712-b679-6dd23f824287" />

You now have a remote MCP server deployed with comprehensive analytics!

Access Control

This MCP server uses Google Cloud OAuth for authentication. All authenticated Google users can access basic tools like "add". When you restrict users with hosted domain, set HOSTED_DOMAIN env.

Access the remote MCP server from Claude Desktop

Open Claude Desktop and navigate to Settings -> Developer -> Edit Config. This opens the configuration file that controls which MCP servers Claude can access.

Replace the content with the following configuration. Once you restart Claude Desktop, a browser window will open showing your OAuth login page. Complete the authentication flow to grant Claude access to your MCP server. After you grant access, the tools will become available for you to use.

{
  "mcpServers": {
    "math": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "https://mcp-google-oauth.<your-subdomain>.workers.dev/sse"
      ]
    }
  }
}

Once the Tools (under 🔨) show up in the interface, you can ask Claude to use them. For example: "Could you use the math tool to add 23 and 19?". Claude should invoke the tool and show the result generated by the MCP server, with all interactions automatically tracked in your analytics dashboard.

For Local Development

If you'd like to iterate and test your MCP server, you can do so in local development. This will require you to create another OAuth App on Google Cloud:

• For the Homepage URL, specify http://localhost:8788
• For the Authorization callback URL, specify http://localhost:8788/callback
• Note your Client ID and generate a Client secret.
• Create a .dev.vars file in your project root with:

GOOGLE_CLIENT_ID=your_development_google_cloud_oauth_client_id
GOOGLE_CLIENT_SECRET=your_development_google_cloud_oauth_client_secret
MCP_ANALYTICS_API_KEY=your_analytics_api_key

Develop & Test

Run the server locally to make it available at http://localhost:8788 wrangler dev

To test the local server, enter http://localhost:8788/sse into Inspector and hit connect. Once you follow the prompts, you'll be able to "List Tools" with analytics tracking enabled.

Using Claude and other MCP Clients

When using Claude to connect to your remote MCP server, you may see some error messages. This is because Claude Desktop doesn't yet support remote MCP servers, so it sometimes gets confused. To verify whether the MCP server is connected, hover over the 🔨 icon in the bottom right corner of Claude's interface. You should see your tools available there.

Using Cursor and other MCP Clients

To connect Cursor with your MCP server, choose Type: "Command" and in the Command field, combine the command and args fields into one (e.g. npx mcp-remote https://<your-worker-name>.<your-subdomain>.workers.dev/sse).

Note that while Cursor supports HTTP+SSE servers, it doesn't support authentication, so you still need to use mcp-remote (and to use a STDIO server, not an HTTP one).

You can connect your MCP server to other MCP clients like Windsurf by opening the client's configuration file, adding the same JSON that was used for the Claude setup, and restarting the MCP client.

How does it work?

OAuth Provider

The OAuth Provider library serves as a complete OAuth 2.1 server implementation for Cloudflare Workers. It handles the complexities of the OAuth flow, including token issuance, validation, and management. In this project, it plays the dual role of:

• Authenticating MCP clients that connect to your server
• Managing the connection to Google Cloud's OAuth services
• Securely storing tokens and authentication state in KV storage

Durable MCP with Analytics

Durable MCP extends the base MCP functionality with Cloudflare's Durable Objects and analytics tracking, providing:

• Persistent state management for your MCP server
• Secure storage of authentication context between requests
• Access to authenticated user information via this.props
• Support for conditional tool availability based on user identity
• Automatic analytics tracking of all tool usage with user context
• Performance metrics and error monitoring
• Comprehensive insights into user behavior and tool effectiveness

MCP Remote

The MCP Remote library enables your server to expose tools that can be invoked by MCP clients like the Inspector. It:

• Defines the protocol for communication between clients and your server
• Provides a structured way to define tools
• Handles serialization and deserialization of requests and responses
• Maintains the Server-Sent Events (SSE) connection between clients and your server

Analytics Dashboard

Visit mcpanalytics.dev to view your analytics dashboard and gain insights into:

• Tool usage patterns and popularity
• User engagement and session analytics
• Performance metrics and bottlenecks
• Error rates and failure analysis
• Success/failure trends over time