A demo e-commerce MCP (Model Context Protocol) server deployed on Cloudflare Workers with OAuth authentication. This project demonstrates how AI agents can act as "deputies" with explicit user authority to perform actions like making purchases on their behalf.
# Install dependencies
pnpm install
# Run locally
pnpm dev
# Deploy to Cloudflare
pnpm deploy
# Run MCP Inspector
pnpm run inspectThis MCP server demonstrates a simple T-shirt shop that AI assistants can interact with. It provides tools for browsing inventory, placing orders, and viewing order history - all secured with OAuth authentication via WorkOS AuthKit.
listMcpShopInventory- Browse available T-shirtsbuyMcpShopItem- Place an order for a T-shirtlistMcpShopOrders- View your order historygetUserInfo- Get current user informationsetDemoMode- (Demo only) Control user authorization stateclearDemoMode- (Demo only) Reset demo stateprettyPlease- (Demo only) Restore ordering ability with politeness
- Node.js v18+
- pnpm
- Cloudflare account
- WorkOS account with AuthKit configured
git clone https://github.com/workos/mcp-shop-cloudflare
cd mcp-shop-cloudflare
pnpm installCreate a .env file with your WorkOS credentials:
WORKOS_CLIENT_ID=your_client_id
WORKOS_API_KEY=your_api_key
WORKOS_AUTHKIT_DOMAIN=your_authkit_domain# Create namespaces for orders and OAuth data
wrangler kv:namespace create "ORDERS"
wrangler kv:namespace create "OAUTH_KV"Update the namespace IDs in wrangler.toml with the IDs from the output above.
# Start local dev server on http://localhost:8787
pnpm dev
# View real-time logs
pnpm tail# Launch the MCP Inspector UI
pnpm inspectConnect to http://localhost:8787/mcp and test the available tools interactively.
- Deploy to Cloudflare:
pnpm deploy - Add to Claude Desktop's config:
{ "mcpServers": { "shop": { "url": "https://your-deployment.workers.dev/mcp" } } } - Try commands like:
- "Show me what T-shirts are available"
- "Order a large blue T-shirt"
- "Show my order history"
The server includes demo tools to showcase authority management:
- Ban a user: Use
setDemoModewith "banned" to instantly revoke ordering ability - Restore access: Say "pretty please" to trigger the
prettyPleasetool - Reset demo: Use
clearDemoModeto reset the demo state
This demonstrates how agent authority can be instantly revoked across all sessions.
src/
βββ index.ts # Main Cloudflare Worker entry point
βββ mcp-server.ts # MCP server implementation
βββ auth-handler.ts # OAuth authentication logic
- Cloudflare Workers: Serverless compute platform
- Durable Objects: State management for OAuth sessions and user authority
- KV Storage: Persistent storage for orders and user traces
- WorkOS AuthKit: OAuth authentication provider with audit trails
- TypeScript + Zod: Type safety and validation
- MCP SDK: Model Context Protocol implementation for AI agent interaction
# Deploy to production
pnpm deploy
# Get your deployment URL
wrangler tailYour MCP server will be available at https://[your-worker].[your-subdomain].workers.dev/mcp
This project demonstrates the concept of "deputization" - where AI agents act with explicit user authority:
- OAuth Flow: Users must explicitly authorize the agent through OAuth consent
- Persistent Authority: Authorization is stored in Durable Objects for session persistence
- Instant Revocation: Authority can be revoked immediately across all active sessions
- Audit Trail: All actions are logged with user attribution via WorkOS
- Every action traces back to a specific user authorization
- Authority can be revoked in real-time
- OAuth tokens are securely managed by the infrastructure
- Complete audit trail of all agent actions
- Authentication issues: Ensure WorkOS credentials are correctly set in environment variables
- KV namespace errors: Verify namespace IDs in
wrangler.tomlmatch your created namespaces - Connection errors: Check that you're connecting to the
/mcpendpoint, not the root URL - Demo mode stuck: Use
clearDemoModeto reset the demo state
MIT
This section provides a detailed walkthrough of the demo presentation, explaining the concepts, implementation details, and the broader implications for AI agent authorization.
πΉ Watch the Demo Video
What we're solving: As AI agents become more capable, they need to perform actions on behalf of users - from making purchases to accessing APIs. The critical question is: "How do you control what they're allowed to do?"
This demo answers that question by introducing the concept of agent deputization - treating AI agents not as independent users, but as deputies acting with explicit human authority.
Traditional systems treat bots and automated systems as their own users with their own credentials. This creates several problems:
- Attribution: When an agent takes an action, who is responsible?
- Revocation: How do you instantly stop a rogue agent?
- Audit: Can you trace every action back to human authorization?
Our approach flips this model: agents are deputies that act with delegated human authority, not independent actors.
Think of it like a power of attorney:
- A human explicitly grants limited authority to an agent
- The agent can only act within those bounds
- The human can revoke that authority instantly
- Every action traces back to the human's authorization
Goal: Immediately establish the problem space and get the audience thinking about agent authorization.
Key Points:
- AI agents are becoming capable of real-world actions (spending money, accessing data)
- Current security models weren't designed for this
- We need a new mental model: deputies, not users
Goal: Show how modern edge infrastructure enables secure agent deputization.
Technical Deep Dive:
-
Cloudflare Workers: Provides globally distributed compute
- Runs at the edge, close to users
- Stateless by design, perfect for API endpoints
- Built-in security features
-
Durable Objects: The key to persistent authority
- Single-threaded JavaScript execution
- Consistent state across the globe
- Perfect for managing OAuth sessions
- Each user gets their own Durable Object instance
Demo Sequence:
# Deploy the infrastructure
pnpm deployKey Moment: When the OAuth screen appears, this is the deputization moment - the human is explicitly granting authority to the agent.
References:
Goal: Demonstrate real agent actions with real consequences.
The "Wow" Moment: The agent actually spends money on behalf of the user.
Demo Flow:
- User says: "Claude, buy me a large MCP shirt, ship to my address"
- Agent uses the authorized session to place a real order
- Show the order confirmation
- Critical Point: The agent just spent real money with the user's explicit authority
Technical Details:
- OAuth token is stored in the Durable Object
- Every API call includes user attribution
- WorkOS AuthKit provides the audit trail
- Orders are stored in Cloudflare KV for persistence
Show the Audit Trail:
- WorkOS dashboard shows every authentication event
- Cloudflare KV shows order history with user IDs
- Demonstrate full traceability
Key Concept: This isn't role-playing or simulation - the agent has real, revocable authority to act on the user's behalf.
References:
Goal: Demonstrate instant, global authority revocation.
The Power Move: Show how quickly you can stop a rogue agent.
Demo Sequence:
- Use
setDemoModeto ban the user - Ask Claude to buy another shirt
- Get rejected with "ABSOLUTELY NOT. GO AWAY π"
- Try the "Pretty Please" tool to show conditional re-authorization
Technical Implementation:
// Authority check happens in the Durable Object
const mode = await this.ctx.storage.get<string>('demoMode');
if (mode === 'banned') {
throw new Error("User is banned");
}Key Points:
- Authority revocation is instant and global
- No need to hunt down API keys or tokens
- The human remains in control at all times
- Even "pretty please" shows controlled re-authorization
Key Insights:
- Authority should be centralized and instantly revocable
- Edge infrastructure enables real-time security decisions
- Human oversight must be built into the system
The Big Ideas:
-
Think Deputies, Not Users
- Agents act with human authority, not their own
- Every action traces back to a human decision
-
Infrastructure Matters
- Modern edge platforms enable new security models
- Persistent state at the edge is a game-changer
-
The Two Critical Questions:
- Can you revoke authority instantly?
- Do you know who authorized every action?
Future Implications:
- As agents become more capable, this model becomes more critical
- Regulatory compliance will likely require human attribution
- This pattern can extend beyond shopping to any agent action
The magic happens in the combination of OAuth and Durable Objects:
-
Initial Authorization:
// User initiates OAuth flow const authUrl = authKit.getAuthorizationUrl({ redirectUri: `${baseUrl}/oauth/callback`, state: sessionId });
-
Token Storage:
// Store in Durable Object for persistence await durableObject.storeTokens(tokens);
-
Authority Checks:
// Every request checks current authority const isAuthorized = await durableObject.checkAuthority(userId);
βββββββββββββββ ββββββββββββββββ βββββββββββββββββββ
β Claude ββββββΆβ MCP Server ββββββΆβ Durable Object β
β (Agent) β β (Worker) β β (User Session) β
βββββββββββββββ ββββββββββββββββ βββββββββββββββββββ
β β
βΌ βΌ
ββββββββββββββββ βββββββββββββββ
β WorkOS β β KV β
β (AuthKit) β β (Orders) β
ββββββββββββββββ βββββββββββββββ
-
Model Context Protocol (MCP)
-
Cloudflare Workers & Durable Objects
-
OAuth & Security
-
Agent Authorization & Security
-
Edge Computing & Distributed Systems
-
Building Your Own Agent Authorization System
- Start with this repo as a template
- MCP Server Tutorial
- Cloudflare Workers Tutorial
-
Extending the Demo
- Add more granular permissions
- Implement rate limiting
- Add multi-factor authentication
- Create audit log visualizations
-
Clone and Deploy:
git clone https://github.com/workos/mcp-shop-cloudflare cd mcp-shop-cloudflare pnpm install pnpm deploy -
Connect to Claude Desktop:
- Add your deployment URL to Claude's config
- Try the demo commands
- Experiment with authority revocation
-
Extend the Concept:
- What other actions could agents perform?
- How would you implement granular permissions?
- Could this model work for your use case?
-
Ethics & Responsibility
- If an agent makes a mistake, who is liable?
- How do we ensure informed consent for agent actions?
- What are the implications for AI accountability?
-
Technical Challenges
- How do you handle offline authority checks?
- What about high-frequency, low-risk actions?
- How do you scale to millions of agents?
-
Future Directions
- Will we need new legal frameworks for agent actions?
- How will this intersect with digital identity standards?
- What role will edge computing play in AI security?
This demo is meant to spark discussion and experimentation. We welcome:
- Bug fixes and improvements
- Additional authorization patterns
- Integration with other AI platforms
- Documentation and tutorials
- GitHub: MCP Shop Repository
- Discord: MCP Community
Remember: The future of AI agent authorization is being written now. Your input and experimentation can help shape how billions of AI agents will interact with the world safely and responsibly.