Seed MCP Server

Appearance

Frequently Asked Questions

Common questions about Seed MCP Server.

General Questions

What is Seed?

Seed is an MCP (Model Context Protocol) server that provides authenticated access to tools, prompts, and resources for AI assistants like Claude. It acts as a secure gateway between AI clients and your organization's services, with enterprise-grade authentication using OIDC/OAuth 2.0.

What is MCP?

MCP (Model Context Protocol) is an open protocol that standardizes how applications provide context to Large Language Models (LLMs). It allows AI assistants to:

  • Call tools - Execute custom actions and integrations
  • Use prompts - Access reusable prompt templates
  • Read resources - Access structured data and configuration

Learn more at spec.modelcontextprotocol.io

Do I need authentication to use Seed?

Yes, for production deployments. Seed uses OAuth 2.0/2.1 with PKCE for secure authentication. You'll need:

  • A running Seed server (ask your administrator)
  • OAuth credentials from your organization's identity provider
  • An MCP client (Claude Desktop, Claude Code, etc.)

For local development, authentication can be disabled with AUTH_REQUIRED=false.

Which clients can connect to Seed?

Seed supports any MCP-compliant client, including:

Is Seed open source?

Yes, Seed is released under the MIT License. You can use, modify, and deploy it freely.

Connection Questions

How do I connect to a Seed server?

Follow these steps:

  1. Get server details from your administrator (server URL, OAuth endpoints)
  2. Choose your client - See connection guides
  3. Configure your client - Add Seed server to client configuration
  4. Authenticate - Log in with your organization credentials
  5. Start using tools - Tools, prompts, and resources are now available

What information do I need from my administrator?

You'll need:

  • Server URL - e.g., https://mcp.example.com
  • Authorization URL - e.g., https://mcp.example.com/oauth/authorize
  • Token URL - e.g., https://mcp.example.com/oauth/token
  • Client ID - Unique identifier for your client (optional, can use defaults)

Can I connect to multiple Seed servers?

Yes! Most MCP clients support multiple servers simultaneously. Configure each server separately in your client settings. See:

Do I need to authenticate every time?

No, your client stores authentication tokens and refreshes them automatically. You'll only need to re-authenticate:

  • After extended periods of inactivity (tokens expire)
  • If your administrator revokes your access
  • If you clear your client's authentication cache

Can I use Seed without internet access?

Not for authentication. Initial authentication requires internet access to your organization's identity provider. However, once authenticated:

  • Tokens work offline until they expire
  • Local Seed servers can work on internal networks
  • Some features may work in offline mode depending on configuration

Tool Questions

What tools are available in Seed?

Seed includes several demo tools by default:

Administrators can add custom tools. See Tools Overview for complete list.

How do I use a tool?

Just ask Claude naturally:

"Check the server health"
"Echo back: Hello World"
"Show me my user information"

Claude will automatically use the appropriate Seed tool.

Can I create custom tools?

Yes! If you're running your own Seed server, you can add custom tools. See:

Why don't I see certain tools?

Tools availability depends on:

  1. Server configuration - Administrator controls which tools are enabled
  2. Authentication - Some tools require specific permissions
  3. Client version - Ensure your client is up to date

Contact your administrator about enabling additional tools.

Authentication Questions

What authentication methods does Seed support?

Seed uses OAuth 2.1 with PKCE (Proof Key for Code Exchange), which provides:

  • Secure authorization without client secrets
  • Protection against authorization code interception
  • Support for public clients (desktop apps, browser extensions)

It's compatible with any OIDC (OpenID Connect) provider like:

  • Okta
  • Auth0
  • Azure AD / Entra ID
  • Keycloak
  • Authentik
  • Google Identity

What is PKCE?

PKCE (Proof Key for Code Exchange, pronounced "pixie") is a security enhancement for OAuth 2.0 that prevents authorization code interception attacks. It's required for public clients like desktop apps and mobile apps.

Do my credentials go through Seed?

No. Seed never sees your password. The authentication flow:

  1. Seed redirects you to your organization's identity provider
  2. You log in directly with your identity provider
  3. Identity provider issues a token
  4. Seed validates the token signature using public keys (JWKS)

Your password never leaves your identity provider.

How long do authentication tokens last?

Token lifetime is configured by your organization's identity provider (typically 1 hour). Seed automatically refreshes tokens using refresh tokens, so you don't need to re-authenticate frequently.

Can I revoke my access?

Yes, through your organization's identity provider:

  1. Go to your identity provider's user portal
  2. Find "Active Sessions" or "Connected Applications"
  3. Revoke access for your Seed client

Administrators can also revoke access at the server level.

What happens if my token is stolen?

Tokens have short lifetimes (typically 1 hour) and are bound to your client. If you suspect token theft:

  1. Revoke the token at your identity provider
  2. Change your password if compromised
  3. Contact your administrator to investigate
  4. Re-authenticate in your client

Troubleshooting Questions

"Cannot connect to MCP server"

Quick fixes:

  1. Verify server URL is correct (include /mcp path)
  2. Check server is running: visit https://YOUR_SERVER/health
  3. Verify network connectivity (VPN required?)
  4. Check client configuration JSON syntax

See Troubleshooting - Connection Issues for details.

"OAuth authentication failed"

Quick fixes:

  1. Verify OAuth endpoints are correct
  2. Test endpoints in browser (should be accessible)
  3. Clear browser cookies for the OAuth domain
  4. Try incognito/private browsing mode

See Troubleshooting - OAuth for details.

"Token expired" or "Unauthorized"

Quick fixes:

  1. Re-authenticate (normal after inactivity)
  2. Check if your access was revoked
  3. Verify your account is still active

See Troubleshooting - Authentication for details.

Where can I get help?

Administrator Questions

How do I install Seed?

Seed can be installed via:

See Installation Guide for complete instructions.

What are the system requirements?

Minimum:

  • Node.js 18+ (if running from source)
  • Redis 6+ (for session storage)
  • 512MB RAM
  • Network access to OIDC provider

Recommended:

  • Node.js 20+
  • Redis 7+
  • 1GB+ RAM
  • Load balancer for high availability

How do I configure Seed?

Seed uses environment variables for configuration. Required variables:

  • OIDC_ISSUER - Your identity provider URL
  • OIDC_AUDIENCE - Client ID for Seed
  • REDIS_URL - Redis connection string
  • OAUTH_AUTHORIZATION_URL - OAuth authorization endpoint
  • OAUTH_TOKEN_URL - OAuth token endpoint

See Configuration Guide for complete list.

Can I disable authentication for development?

Yes, set AUTH_REQUIRED=false in your environment. This bypasses all authentication checks. Never use this in production.

bash
AUTH_REQUIRED=false npm run dev

How do I add custom tools?

  1. Create tool implementation in src/mcp/tools/your-tool.ts
  2. Define tool schema (name, description, parameters)
  3. Implement tool handler function
  4. Register tool in src/mcp/tools/index.ts
  5. Rebuild and restart server

See Adding MCP Tools for complete guide.

How do I deploy to production?

Seed can be deployed to:

  • Docker/Kubernetes - Containerized deployment
  • Cloud platforms - AWS, Azure, GCP
  • PaaS - Heroku, Render, Railway
  • On-premises - Your own infrastructure

See Deployment Guide for strategies.

How do I monitor Seed?

Monitor these endpoints and metrics:

  • Health check: GET /health - Should return 200 with "status": "ok"
  • Response time: 95th percentile < 2s
  • Error rate: < 5% of requests
  • Redis memory: < 80% of limit
  • Active sessions: Track concurrent users

See Troubleshooting - Monitoring for details.

How do I scale Seed?

For high traffic:

  1. Horizontal scaling - Deploy multiple Seed instances behind load balancer
  2. Redis optimization - Use Redis Cluster or Redis Sentinel
  3. Session management - Adjust TTL and cleanup policies
  4. JWKS caching - Increase cache TTL to reduce IdP calls
  5. Rate limiting - Prevent abuse and overload

What security best practices should I follow?

  1. Always use HTTPS in production
  2. Keep tokens short-lived (1 hour or less)
  3. Enable rate limiting on all endpoints
  4. Monitor for suspicious activity (repeated 401s, invalid tokens)
  5. Regular security updates (keep dependencies current)
  6. Use strong Redis passwords if exposed to network
  7. Implement IP allowlists where appropriate
  8. Enable audit logging for compliance

See Production Operations - Security Hardening for details.

Developer Questions

What technologies does Seed use?

Core:

  • TypeScript with strict mode
  • Express.js for HTTP server
  • @modelcontextprotocol/sdk for MCP implementation
  • jose for JWT validation

Authentication:

  • OAuth 2.1 with PKCE
  • OIDC (OpenID Connect)
  • JWKS (JSON Web Key Sets)

Storage:

  • Redis for sessions
  • In-memory caching for JWKS

See Architecture Overview for details.

Can I extend Seed?

Yes! Seed is designed to be extended:

  • Custom tools - Add your own integrations
  • Custom prompts - Create reusable prompt templates
  • Custom resources - Expose your data and configuration
  • Custom middleware - Add authentication, logging, etc.

See Development Guide for extending Seed.

How do I contribute to Seed?

  1. Fork the repository
  2. Create a feature branch
  3. Make your changes with tests
  4. Run code quality checks: npm run validate
  5. Submit a pull request

See Contributing Guide for guidelines.

Where is the code?

Seed is open source under the MIT License. Check with your administrator for the repository location.

How do I report bugs?

  1. Check Troubleshooting Guide first
  2. Search existing issues
  3. Create new issue with:
    • Steps to reproduce
    • Expected vs actual behavior
    • Environment details (OS, Node version, client type)
    • Relevant logs (sanitize sensitive data)

Performance Questions

Why is Seed slow?

Common causes:

  1. Network latency - Check connection to Redis and identity provider
  2. JWKS fetching - Increase cache TTL to reduce IdP calls
  3. Redis performance - Monitor Redis latency with redis-cli --latency
  4. High load - Scale horizontally or optimize resources
  5. Logging overhead - Reduce log verbosity in production

See Troubleshooting - Performance for diagnostics.

How many users can Seed support?

Depends on your infrastructure:

  • Single instance: 100-1000 concurrent users
  • Horizontal scaling: 10,000+ concurrent users
  • Redis capacity: Primary bottleneck for session storage

Benchmark your specific deployment for accurate metrics.

How do I optimize Seed performance?

  1. Increase JWKS cache TTL - Reduce identity provider calls
  2. Use Redis connection pooling - Better resource utilization
  3. Enable response compression - Smaller payloads
  4. Scale horizontally - Multiple instances behind load balancer
  5. Optimize Redis - Use appropriate eviction policies

Migration Questions

Can I migrate from Seed without authentication?

Yes, but requires planning:

  1. Set up identity provider integration
  2. Configure OAuth endpoints
  3. Update client configurations
  4. Enable AUTH_REQUIRED=true
  5. User re-authentication required

How do I change identity providers?

  1. Configure new identity provider in Seed
  2. Update OAuth endpoints
  3. Update JWKS URL or issuer
  4. Test authentication flow
  5. Update client configurations
  6. Migrate users

No data loss - sessions will require re-authentication.

Can I run multiple versions simultaneously?

Yes, for blue-green deployments:

  1. Deploy new version alongside old
  2. Gradually redirect traffic
  3. Monitor for issues
  4. Decommission old version when stable

Ensure Redis schema is compatible between versions.

Still Have Questions?

Released under the MIT License.

Copyright © 2025 Adam Cole