Advanced MCP Configurations: Auth, Pagination, and Production Patterns
Once you've mastered basic MCP server setup, these advanced patterns will help you handle real-world scenarios: complex authentication, paginated data, multiple environments, and production security.
1. Handling OAuth2 Authentication
Many APIs use OAuth2 instead of simple API keys. For OAuth2 flows, you have two options:
Option A: Use a Refresh Token
If the API provides a long-lived refresh token, configure it in your env:
{
  "mcpServers": {
    "my-api": {
      "command": "npx",
      "args": ["-y", "@mcp/my-api"],
      "env": {
        "OAUTH_CLIENT_ID": "<client-id>",
        "OAUTH_CLIENT_SECRET": "<client-secret>",
        "OAUTH_REFRESH_TOKEN": "<refresh-token>"
      }
    }
  }
}
Option B: Use a Proxy Service
For short-lived access tokens, run a lightweight proxy that handles the OAuth dance and presents a stable API key to the MCP server.
2. Multi-Key API Authentication
Some APIs require multiple credentials. For example, AWS services need both an access key ID and secret access key, often plus a region:
{
  "mcpServers": {
    "aws-s3": {
      "command": "npx",
      "args": ["-y", "@mcp/aws-s3"],
      "env": {
        "AWS_ACCESS_KEY_ID": "<access-key>",
        "AWS_SECRET_ACCESS_KEY": "<secret-key>",
        "AWS_REGION": "us-east-1"
      }
    }
  }
}
3. Pagination and Rate Limiting
When an MCP server returns paginated results, the config needs to handle cursor or page parameters. Most MCP servers handle this automatically, but for custom configs:
- Cursor-based pagination: The MCP server uses the cursor parameter from the previous response
- Page-based pagination: Support page and per_page query parameters
- Rate limits: Configure a delay between requests via the RATE_LIMIT_MS env variable if your server supports it
Tip: Our converter tool automatically detects pagination parameters in OpenAPI specs and generates the right config. Try it with any spec that uses page, offset, or cursor parameters.
4. Environment Separation (Dev / Staging / Prod)
Instead of editing your config every time you switch environments, use multiple profiles:
{
  "mcpServers": {
    "my-api-dev": {
      "command": "npx",
      "args": ["-y", "@mcp/my-api"],
      "env": {
        "API_BASE_URL": "https://dev.api.example.com",
        "API_KEY": "<dev-key>"
      }
    },
    "my-api-prod": {
      "command": "npx",
      "args": ["-y", "@mcp/my-api"],
      "env": {
        "API_BASE_URL": "https://api.example.com",
        "API_KEY": "<prod-key>"
      }
    }
  }
}
5. Production Security Best Practices
Never Hardcode Secrets
Use environment variables or a secret manager. The MCP config supports env vars, so keep keys out of the JSON file itself.
Use Read-Only Tokens Where Possible
If the AI only needs to read data, generate API tokens with read-only permissions. This prevents accidental mutations.
Scope Tokens to Specific Resources
For APIs that support scoped tokens (like GitHub fine-grained PATs), limit access to only the repos or resources the MCP server needs.
Audit Log Your MCP Usage
Check your API provider's audit logs regularly to see what actions the MCP server is taking. Most providers log API calls with timestamps and IPs.
6. Config Registry: One URL to Rule Them All
MCP-Bridge hosts a config registry where you can fetch ready-to-use MCP configurations by URL. Instead of maintaining local JSON files, point your MCP client directly to:
https://mcpbridge.org/config/github.json
This is especially useful for CI/CD pipelines and team setups where you want a single source of truth for MCP configurations.
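As an added example (not code from this page or from MCP-Bridge), the following Python pre-load audit ties the "Never Hardcode Secrets" rule to the registry fetch: it rejects a config whose SHA-256 differs from the copy you reviewed, flags any command outside an allowlist (the client executes whatever `command` the config names), and flags secret-named env keys that hold literal values. The allowlist, the `${NAME}` reference convention, and both sample configs are assumptions constructed for illustration.

```python
# Added example (not MCP-Bridge code): audit an MCP config before a client loads it.
import hashlib
import json
import re

SECRET_KEY = re.compile(r"SECRET|TOKEN|PASSWORD|API_KEY|ACCESS_KEY", re.I)
# Assumption: "<...>" is a doc placeholder and "${NAME}" is resolved at launch time.
NOT_LITERAL = re.compile(r"<[^<>]+>|\$\{[A-Z0-9_]+\}")
ALLOWED_COMMANDS = {"npx", "node"}  # hypothetical team allowlist


def sha256_hex(raw):
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


def audit_config(raw, pinned_sha256=None):
    """Return findings; an empty list means the config passed every check."""
    if pinned_sha256 and sha256_hex(raw) != pinned_sha256:
        # Stop before parsing: the content is not the copy that was reviewed.
        return ["digest mismatch: config differs from the reviewed copy"]
    try:
        servers = json.loads(raw).get("mcpServers", {})
    except (json.JSONDecodeError, AttributeError):
        return ["not a JSON object"]
    findings = []
    for name, server in servers.items():
        command = server.get("command")
        if command not in ALLOWED_COMMANDS:
            findings.append(f'{name}: command "{command}" is not allowlisted')
        for key, value in server.get("env", {}).items():
            if SECRET_KEY.search(key) and not NOT_LITERAL.fullmatch(str(value)):
                # Report the key only; never echo the secret value into logs.
                findings.append(f"{name}: {key} holds a literal secret")
    return findings


# Constructed sample inputs.
REVIEWED = json.dumps({"mcpServers": {"my-api-prod": {
    "command": "npx", "args": ["-y", "@mcp/my-api"],
    "env": {"API_BASE_URL": "https://api.example.com",
            "API_KEY": "${MY_API_PROD_KEY}"}}}})
RISKY = json.dumps({"mcpServers": {"my-api-dev": {
    "command": "bash", "args": ["-c", "./run.sh"],
    "env": {"API_KEY": "constructed-literal-value"}}}})

if __name__ == "__main__":
    print(audit_config(REVIEWED, sha256_hex(REVIEWED)))        # clean config
    print(audit_config(RISKY))                                 # two findings
    print(audit_config(REVIEWED + " ", sha256_hex(REVIEWED)))  # changed after review
```

In CI, record the digest when the config is reviewed and fail the job on any non-empty result.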