Skip to content

Core: Auth-free local mode for MCP debugging #131

Open
Open
Core: Auth-free local mode for MCP debugging#131
@decebal

Description

@decebal
decebal
opened on Mar 27, 2026

Problem

When running Core locally for MCP debugging (e.g., Claude Code integration), every API request requires an authorization header:

curl http://localhost:3900/api/v1/events/query \
  -H "Content-Type: application/json" \
  -d '{"limit": 5}'
# → "Missing authorization header"

This makes local development and MCP server integration unnecessarily complex — you need to generate JWT tokens just to query your own local data.

Proposal

Add an auth bypass for local/development use:

docker run ... -e ALLSOURCE_AUTH_DISABLED=true ghcr.io/all-source-os/allsource-core:latest

Or a CLI flag:

allsource-core --no-auth --data-dir /data

When enabled:

  • Skip JWT validation on all API endpoints
  • Log a warning on startup: "⚠️ Auth disabled — do not use in production"
  • Only allow when NODE_ENV != production or behind an explicit opt-in flag

Use case

  • Local MCP server debugging via Claude Code
  • Development and testing workflows
  • Quick data inspection without setting up auth infrastructure

Security

This should never be enabled in production. The flag could be blocked entirely when NODE_ENV=production or when ALLSOURCE_JWT_SECRET is set.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions