Render Tutorials
← All tutorials
intermediate ⏱ 90 min 9 steps

Build and host a full-featured, secure MCP server on Render

Design, implement, and deploy a production-grade Model Context Protocol server on Render with OAuth, rate limiting, observability, and a private Postgres backend.

Start tutorial
#mcp#security#typescript

Prerequisites

  • A Render account (Starter plan covers everything in this tutorial)
  • A Render API key from Account Settings → API Keys
  • Node.js 22+ and pnpm on your machine
  • Familiarity with TypeScript and HTTP servers
  • A GitHub account and the ability to push a new repo — we deploy via Blueprint
  • An MCP-capable client to test against (Claude Desktop, Cursor, Codex CLI, or the MCP Inspector)

Steps

  1. 01 What you'll build A short tour of the MCP server you'll ship by the end of this tutorial - what it does, how it stays secure, and why Render is a good home for it. 5 min
  2. 02 Start from Render's MCP template Fork the official `render-examples/mcp-server-typescript` template, run it locally, optionally deploy the unmodified version, and read the ~100 lines that make it work so you know what the rest of the tutorial is changing. 8 min
  3. 03 Add your first real tool and resource Extend the template's `createServer()` factory with a `notes.create` tool and a `notes://recent` resource, backed by an in-memory store that survives across the template's per-request server instances. 10 min
  4. 04 Swap the store for Postgres Boot a local Postgres in Docker, write a tiny migration, replace the in-memory store with a `pg`-backed implementation, and confirm nothing about the MCP layer changed. 12 min
  5. 05 Replace the template's bearer token with OAuth The template ships with a shared `MCP_API_TOKEN` for solo use. Swap it for an OAuth 2.1 authorization server in the same process, sign in via GitHub, mint short-lived audience-restricted JWTs, and gate `/mcp` behind a Bearer verifier so each request carries a real, revocable identity. 18 min
  6. 06 Rate limit, structured logs, and a real health check Add per-identity rate limiting so one noisy client can't drown the others, swap `console.log` for structured pino logs with request IDs, and turn the template's static `/health` into something Render can actually trust. 8 min
  7. 07 Extend the Blueprint and deploy Take the `render.yaml` the template gave you, add a managed Postgres, swap the auto-generated `MCP_API_TOKEN` for OAuth env vars, upgrade to the Starter plan, and ship. 12 min
  8. 08 Connect a real MCP client Point the MCP Inspector and Claude Desktop at the deployed URL, complete the OAuth dance, and call `notes.create` from a real agent. The template's README has client snippets you can borrow - just stripped of the `Authorization` header so the client does dynamic OAuth instead. 7 min
  9. 09 Harden and iterate The shortlist of upgrades a tutorial server needs before it's a service users depend on - durable OAuth storage, scoped data, secrets rotation, scaling, and the metrics worth watching in week one. 10 min