Firefox Relay
FreeNot checkedEnables managing Firefox Relay masks (random and domain) via MCP tools, including listing, creating, updating, and disabling masks.
About
Enables managing Firefox Relay masks (random and domain) via MCP tools, including listing, creating, updating, and disabling masks.
README
Stateless Streamable HTTP MCP gateway for Firefox Relay, built for Cloudflare Workers.
Features
- Stateless remote MCP server for Firefox Relay
- OAuth Authorization Code + PKCE (
S256) for MCP clients - Encrypted Firefox Relay API key envelope inside signed JWT artifacts
- Streamable HTTP MCP endpoint at
/mcp - Random mask list/create/update/disable operations
- Optional custom-domain mask listing when the Relay account supports it
Requirements
- Node.js 20+
- npm
- Cloudflare account with Wrangler authentication
- A Firefox Relay account with an API key
Connector values
MCP Server URL: https://your-worker.example.com/mcp
Authorization server base URL: https://your-worker.example.com
Resource: https://your-worker.example.com/mcp
What it does
- Exposes MCP Streamable HTTP at
/mcp - Acts as its own OAuth Authorization Server for remote MCP clients
- Collects a user-provided Firefox Relay API key during OAuth consent
- Encrypts that API key into signed JWT artifacts and does not store it in a database
- Lets MCP clients list, create, update, and disable Firefox Relay masks
Firefox Relay API key
Users can find the Firefox Relay API key in Firefox Relay under profile icon → Settings.
Supported MCP tools
relay_list_random_masksrelay_create_random_maskrelay_update_random_maskrelay_disable_random_maskrelay_list_domain_masks
Install
npm install
Quick start
- Install dependencies.
- Set Worker secrets.
- Configure non-secret vars in
wrangler.tomlor via deploy-time environment overrides. - Run
npm run devfor local testing. - Run
npm testandnpm run typecheck. - Deploy with
npm run deploy.
Configure non-secret Worker vars
Update wrangler.toml or your deployment environment with:
OAUTH_ISSUERMCP_RESOURCEMCP_AUDIENCEOAUTH_REDIRECT_HTTPS_HOSTSRELAY_DEFAULT_BASE_URLACCESS_TOKEN_DEFAULT_TTL_DAYSACCESS_TOKEN_MAX_TTL_DAYSAUTH_CODE_TTL_SECONDS
For public release, wrangler.toml intentionally uses placeholder URLs. Set these to your real deployment values before production deploys:
OAUTH_ISSUER=https://your-worker.example.comMCP_RESOURCE=https://your-worker.example.com/mcpMCP_AUDIENCE=https://your-worker.example.com/mcp
Set Worker secrets
Generate and pipe each secret directly into Wrangler:
openssl rand -base64 48 | tr -d '\n' | wrangler secret put OAUTH_JWT_SIGNING_KEY_B64
openssl rand -base64 32 | tr -d '\n' | wrangler secret put UPSTREAM_CONFIG_ENC_KEY_B64
openssl rand -base64 48 | tr -d '\n' | wrangler secret put CSRF_SIGNING_KEY_B64
Deploy sequence
If you do not know the final public Worker URL yet, use this order:
- Bootstrap deploy once to get the real
workers.devURL. - Set the three Worker secrets.
- Redeploy with real
OAUTH_ISSUER,MCP_RESOURCE, andMCP_AUDIENCEvalues.
Run locally
npm run dev
Validate
npm test
npm run typecheck
Deploy
npm run deploy
Public connector values
After deployment, configure remote MCP clients with:
MCP Server URL: https://your-worker.example.com/mcp
Authorization server base URL: https://your-worker.example.com
Resource: https://your-worker.example.com/mcp
OAuth and stateless design summary
/registerissues deterministic publicclient_idvalues for allowlisted redirect URIs/authorizevalidates PKCE S256, renders consent, validates the Firefox Relay API key, and issues a short-lived signed auth-code JWT/tokenexchanges the auth code for bearer access and refresh JWTs- JWTs carry an AES-GCM encrypted Relay config envelope; plaintext credentials are never persisted server-side
/mcpverifies the access token, decrypts the Relay config, creates a fresh Worker-safe MCP server and transport, and serves the request
Stateless caveats
- Auth codes are not one-time-use across all isolates because no server-side state is stored
- Refresh tokens cannot be globally revoked without a stateful primitive
- Strict global rate limiting requires Durable Objects, KV, or Cloudflare-managed rate limiting
Manual smoke test notes
- Register a client with an allowlisted redirect URI.
- Complete
/authorizewith a Firefox Relay API key. - Exchange the returned code at
/token. - Call
/mcpwith the returned bearer token. - Confirm tools list and successful mask operations.
Privacy and security notes
- The Worker encrypts the Firefox Relay API key into MCP JWT artifacts and does not store it in a database.
- The Worker is designed to avoid logging API keys, bearer tokens, decrypted envelopes, cookies, or CSRF tokens.
- Upstream Relay errors are sanitized before they are returned to MCP clients.
Known limitations
- Auth codes are not globally one-time-use without stateful storage.
- Refresh tokens cannot be globally revoked without stateful storage.
- Strict global rate limiting requires Durable Objects, KV, or a Cloudflare-managed alternative.
- Domain-mask behavior depends on account capabilities and may require Relay premium/custom-domain support.
Project docs
docs/PRODUCT_REQUIREMENTS.mddocs/IMPLEMENTATION_PLAN.mddocs/PROJECT_STATE.mddocs/DECISIONS.mddocs/RUNBOOK.md
Contributing
See CONTRIBUTING.md.
Security
See SECURITY.md.
License
MIT
Installing Firefox Relay
This server has no published package — it is built from source. Open the repository and follow its README.
▸ github.com/nazar256/firefox-relay-mcpFAQ
Is Firefox Relay MCP free?
Yes, Firefox Relay MCP is free — one-click install via Unyly at no cost.
Does Firefox Relay need an API key?
No, Firefox Relay runs without API keys or environment variables.
Is Firefox Relay hosted or self-hosted?
Self-hosted: the server runs locally on your machine via the install command above.
How do I install Firefox Relay in Claude Desktop, Claude Code or Cursor?
Open Firefox Relay on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.
Related MCPs
Playwright
Browser automation, scraping, screenshots
by MicrosoftPuppeteer
Browser automation and web scraping.
by modelcontextprotocolopentabs-dev/opentabs
Plugin-based MCP server + Chrome extension that gives AI agents access to web applications through the user's authenticated browser session. 100+ plugins with a
by opentabs-devrobhunter/agentdeals
1,500+ developer infrastructure deals, free tiers, and startup programs across 54 categories. Search deals, compare vendors, plan stacks, and track pricing chan
by robhunterCompare Firefox Relay with
Not sure what to pick?
Find your stack in 60 seconds
Author?
Embed badge for your README
Browse similar
All browse MCPs
