bee-ai-auth-mcp

Home / Set up

Self-host guide

Run your own instance.

About fifteen minutes. You'll need a Cloudflare account, the wrangler CLI, a Bee API token from the Bee app, and a GitHub account. Your Bee token never leaves your own deployment.

  1. Clone and install

    # grab the code, install dependencies
git clone https://github.com/klappy/bee-ai-auth-mcp
cd bee-ai-auth-mcp && npm install

  2. Create the grant store

    One KV namespace holds the encrypted OAuth grants. Paste the id it prints into wrangler.jsonc under the OAUTH_KV binding, replacing the placeholder.

    wrangler kv namespace create OAUTH_KV

  3. Register a GitHub OAuth App

    GitHub → Settings → Developer settings → OAuth Apps → New OAuth App. This is the identity provider for the login leg.

    Application name
    Anything, e.g. bee-ai-auth-mcp
    Homepage URL
    https://<your-worker>
    Callback URL
    https://<your-worker>/callback — must be exact

    Register, copy the Client ID, and generate a Client secret. Store both as Worker secrets:

    wrangler secret put GITHUB_CLIENT_ID
wrangler secret put GITHUB_CLIENT_SECRET

    OAuth App, not GitHub App

    GitHub offers two things under Developer settings. Pick OAuth Apps — bee only reads your login, so it doesn't need a GitHub App's installations, permissions, or webhooks.

  4. Add your Bee token

    Your own Bee bearer, from the Bee app. Stored as a secret — never committed, never logged.

    wrangler secret put BEE_API_TOKEN

  5. Set your two config values

    In wrangler.jsonc set ALLOWED_GITHUB_LOGIN to your GitHub username (the instance denies every login until you do) and BEE_API_BASE to Bee's API host.

    Keep these in the file

    These are config vars, not secrets — a dashboard value gets reset to the file's value on every deploy. Set them in wrangler.jsonc so they stick. (Secrets, by contrast, persist across deploys.)

  6. Deploy

    Ship it. If you use Cloudflare's Git integration, a push deploys automatically — no flags needed.

    npm run deploy

  7. Connect and check

    Add your worker URL as a custom connector in Claude, approve the GitHub login, then run the whoami tool. Identity works immediately; the Bee call depends on the reachability check below.

Troubleshooting

Clicking "Connect" 404s on GitHub

The relay is redirecting to GitHub with an empty client_id — meaning GITHUB_CLIENT_ID isn't set. Set the two GitHub secrets (step 3). You can confirm the fix by checking that /authorize redirects to a real client_id rather than undefined.

"Not authorized" after logging in

The login worked, but your username isn't on the allow-list. Set ALLOWED_GITHUB_LOGIN to your GitHub login in wrangler.jsonc and redeploy.

whoami can't reach Bee

That's the private-CA wall: a Worker's fetch trusts only public certificates. Check Bee's real API cert from a non-proxied environment first — if it's private, the path is Workers VPC (Origin-CA) or mTLS. See under the hood for the seam.

Config values are empty after a deploy

ALLOWED_GITHUB_LOGIN or BEE_API_BASE reset to blank? They're vars — put the real values in wrangler.jsonc, not just the dashboard, so each deploy keeps them.

Optional — a custom domain

In the Cloudflare dashboard: your Worker → Settings → Domains & Routes → Add Custom Domain. Cloudflare provisions the DNS record and cert automatically if the domain's zone is on your account.

Full detail and the locked execution contract live in the repo's README and execution handoff.