Configuration Options
Name
name is the unique identifier for this MCP Bridge app.
Type
type must be "mcpBridge" for MCP Bridge applications.
Mode
mode specifies the bridge mode. Currently supports "openapi".
Open API
openapi contains the configuration for OpenAPI mode.
Spec
spec contains the OpenAPI specification configuration. Either uri or data must be provided, but not both.
Data
data contains the OpenAPI specification content directly in the configuration. Use this when the spec needs to be embedded inline instead of referencing an external file.
URI
uri is the location of the OpenAPI specification. Supports file:// URIs for local files.
Base URL
baseURL overrides the server URL from the OpenAPI spec. If empty, uses the first server URL from the spec.
Authorization
authorization defines the policy for the app.
Inbound
inbound defines authorization rules for inbound requests. For instance, policy authors may want to craft policies that restrict requests to a certain network zone.
OPA
opa defines the Open Policy Agent driven authorization policy.
Name
name of the policy.
Rego
rego represents the module definition. Please note that the module's package must be orchestrator. rego and file cannot both be defined at the same time.
File
file is the filepath to the module definition. Please note that the module's package must be orchestrator. file and rego cannot both be defined at the same time.
Outbound
outbound defines how the app authorizes with upstream systems. For example, token exchange may be used as an outbound authorization method.
Type
type defines how the outbound authorization will be completed. Currently, tokenExchange and unprotected are supported.
Token Exchange
tokenExchange defines the configuration for token exchange based authorization.
IDP
idp defines the IDP that's used for token exchange. This requires an OIDC-based connection to the IDP.
Audience
audience defines the aud claim that will be requested as part of the exchange.
Scope Mappings
scopeMappings defines the mapping of MCP tool names to the scopes that are required to interact with them.
Example Configuration (file based)
File: maverics.yaml
apps:
  - name: exampleBridge
    type: mcpBridge
    mode: openapi
    openapi:
      spec:
        uri: file:///path/to/openapi/spec.yaml
      baseURL: https://api.example.com
    authorization:
      inbound:
        opa:
          name: examplePolicy
          file: /etc/maverics/example.rego
      outbound:
        type: tokenExchange
        tokenExchange:
          idp: tokenExchangeClient
          audience: https://tickets.example.com
          scopeMappings:
            getTicketsPrice: [ "tickets:read" ]
            postTicketsPrice: [ "tickets:write" ]
File: /etc/maverics/example.rego
package orchestrator

default result["allowed"] := false

# Helper rule to extract and decode JWT
# Note: io.jwt.decode only decodes the token; it does not verify the signature.
jwt_payload := payload if {
    auth_header := input.request.http.headers.Authorization
    startswith(auth_header, "Bearer ")
    token := substring(auth_header, 7, -1)
    [_, payload, _] := io.jwt.decode(token)
}

# Note: contains() is a substring match, so any subject that includes the
# address satisfies the check below.
result["allowed"] if {
    input.request.mcp.tool.params.name == "getTicketsPrice"
    print("request made with subject of:", jwt_payload.sub)
    contains(jwt_payload.sub, "john@example.com")
    print("access granted to subject:", jwt_payload.sub)
}

result["allowed"] if {
    input.request.mcp.tool.params.name == "getTicketsSeats"
    print("request made with subject of:", jwt_payload.sub)
    contains(jwt_payload.sub, "jane@example.com")
    print("access granted to subject:", jwt_payload.sub)
}
Example Configuration (inline)
File: maverics.yaml
apps:
  - name: exampleBridge
    type: mcpBridge
    mode: openapi
    openapi:
      spec:
        data: |
          openapi: 3.0.0
          info:
            title: Tickets API
            version: 1.0.0
          servers:
            - url: https://api.example.com
          paths:
            /tickets/price:
              get:
                operationId: getTicketsPrice
                summary: Get ticket prices
                responses:
                  '200':
                    description: Ticket prices
      baseURL: https://api.example.com
    authorization:
      inbound:
        opa:
          name: examplePolicy
          rego: |
            package orchestrator
            default result["allowed"] := false
            result["allowed"] if {
              input.request.mcp.tool.params.name == "getTicketsPrice"
              true
            }
      outbound:
        type: unprotected
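A pre-deployment check for the constraints listed under Configuration Options (uri or data but not both, rego or file but not both, the orchestrator package name, the supported outbound types). This is an added example, not part of the product or its documentation; lint_mcp_bridge_app and BAD_APP are hypothetical names, and flagging a missing inbound policy or a token exchange without idp and audience is this example's own choice rather than a documented rule.

```python
import re

ALLOWED_OUTBOUND = {"tokenExchange", "unprotected"}
PACKAGE_RE = re.compile(r"^\s*package\s+orchestrator\s*$", re.MULTILINE)
def _exactly_one(mapping, a, b):
    # True when exactly one of the two keys holds a non-empty value.
    return bool(mapping.get(a)) != bool(mapping.get(b))

def lint_mcp_bridge_app(app):
    """Return findings for one parsed `apps` entry; an empty list means none."""
    findings = []
    if app.get("type") != "mcpBridge":
        findings.append('type: must be "mcpBridge"')
    if app.get("mode") != "openapi":
        findings.append('mode: must be "openapi"')
    spec = (app.get("openapi") or {}).get("spec") or {}
    if not _exactly_one(spec, "uri", "data"):
        findings.append("openapi.spec: set exactly one of uri or data")
    authz = app.get("authorization") or {}
    opa = (authz.get("inbound") or {}).get("opa")
    if not opa:
        # Assumption of this example: a missing inbound policy is worth flagging.
        findings.append("authorization.inbound.opa: no inbound policy")
    elif not _exactly_one(opa, "rego", "file"):
        findings.append("authorization.inbound.opa: set exactly one of rego or file")
    elif opa.get("rego") and not PACKAGE_RE.search(opa["rego"]):
        findings.append("authorization.inbound.opa.rego: package must be orchestrator")
    outbound = authz.get("outbound") or {}
    if outbound.get("type") not in ALLOWED_OUTBOUND:
        findings.append("authorization.outbound.type: use tokenExchange or unprotected")
    elif outbound["type"] == "tokenExchange":
        tx = outbound.get("tokenExchange") or {}
        # Assumption of this example: idp and audience are both needed.
        findings += [f"authorization.outbound.tokenExchange.{key}: missing"
                     for key in ("idp", "audience") if not tx.get(key)]
    return findings

# Constructed sample: one entry as a YAML loader would return it, with three mistakes.
BAD_APP = {
    "name": "brokenBridge", "type": "mcpBridge", "mode": "openapi",
    "openapi": {"spec": {"uri": "file:///path/to/spec.yaml", "data": "openapi: 3.0.0"}},
    "authorization": {
        "inbound": {"opa": {"name": "p", "rego": "package authz\ndefault allow := false"}},
        "outbound": {"type": "tokenExchange", "tokenExchange": {"idp": "tokenExchangeClient"}},
    },
}

if __name__ == "__main__":
    print("\n".join(lint_mcp_bridge_app(BAD_APP)))
```

The function takes one already-parsed entry from the apps list, so it can sit behind whatever YAML loader the deployment pipeline uses; a policy referenced through file is not opened, so its package name is not checked.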