This MCP server ships with a streamlined Openbridge authentication flow focused on local deployments. Key security behaviors:

The server supports two authentication modes:

Server-side authentication:

• OPENBRIDGE_REFRESH_TOKEN (optional) is exchanged for a JWT on demand and cached in memory only; no file persistence.
• CRITICAL: Never commit OPENBRIDGE_REFRESH_TOKEN to version control. Store it only in your local .env file (gitignored).
• Failures to convert the refresh token raise an AuthenticationError. The server never falls back to sending the refresh token downstream.

Client-side authentication:

• Clients can provide Authorization: Bearer <token> headers directly.
• Client-provided tokens take precedence over server-side tokens.
• The server extracts client tokens from HTTP headers and uses them for API calls.
• IMPORTANT: Client tokens should also never be committed to version control. Pass them via environment variables in client configurations.

General:

• Logs redact bearer values. Debug instrumentation reports token length instead of full contents.
• Server starts successfully without OPENBRIDGE_REFRESH_TOKEN, enabling pure client-side authentication deployments.

• All HTTP requests use explicit (connect=10s, read=OPENBRIDGE_API_TIMEOUT) timeouts so an upstream stall cannot hang the MCP indefinitely.
• Pagination helpers enforce host allowlists to reduce SSRF risk when following links.next responses.

• SQL text is only sent to an LLM when OPENBRIDGE_ENABLE_LLM_VALIDATION=true. By default the server evaluates queries with heuristics only.

When deploying this MCP server:

1. Never commit secrets: Ensure .env is in .gitignore and never committed
2. Rotate tokens regularly: Refresh your OPENBRIDGE_REFRESH_TOKEN periodically
3. Use environment variables: Store all sensitive configuration in environment variables, never hardcode in source files
4. Review logs carefully: Verify logs don't expose sensitive data before sharing or storing long-term
5. Keep dependencies updated: Regularly update Python packages to address known vulnerabilities

We take security vulnerabilities seriously. If you discover a security issue:

1. Do NOT open a public GitHub issue
2. Email your findings to: support@openbridge.com
3. Include:
   • Detailed description of the vulnerability
   • Steps to reproduce the issue
   • Potential impact assessment
   • Suggested remediation (if available)

We will acknowledge receipt within 48 hours and provide a timeline for remediation. We appreciate responsible disclosure and will credit researchers (with permission) in security advisories.

Review the README for configuration details before deploying in your own environment.