Firefox Relay
БесплатноНе проверенEnables managing Firefox Relay masks (random and domain) via MCP tools, including listing, creating, updating, and disabling masks.
Описание
Enables managing Firefox Relay masks (random and domain) via MCP tools, including listing, creating, updating, and disabling masks.
README
Stateless Streamable HTTP MCP gateway for Firefox Relay, built for Cloudflare Workers.
Features
- Stateless remote MCP server for Firefox Relay
- OAuth Authorization Code + PKCE (
S256) for MCP clients - Encrypted Firefox Relay API key envelope inside signed JWT artifacts
- Streamable HTTP MCP endpoint at
/mcp - Random mask list/create/update/disable operations
- Optional custom-domain mask listing when the Relay account supports it
Requirements
- Node.js 20+
- npm
- Cloudflare account with Wrangler authentication
- A Firefox Relay account with an API key
Connector values
MCP Server URL: https://your-worker.example.com/mcp
Authorization server base URL: https://your-worker.example.com
Resource: https://your-worker.example.com/mcp
What it does
- Exposes MCP Streamable HTTP at
/mcp - Acts as its own OAuth Authorization Server for remote MCP clients
- Collects a user-provided Firefox Relay API key during OAuth consent
- Encrypts that API key into signed JWT artifacts and does not store it in a database
- Lets MCP clients list, create, update, and disable Firefox Relay masks
Firefox Relay API key
Users can find the Firefox Relay API key in Firefox Relay under profile icon → Settings.
Supported MCP tools
relay_list_random_masksrelay_create_random_maskrelay_update_random_maskrelay_disable_random_maskrelay_list_domain_masks
Install
npm install
Quick start
- Install dependencies.
- Set Worker secrets.
- Configure non-secret vars in
wrangler.tomlor via deploy-time environment overrides. - Run
npm run devfor local testing. - Run
npm testandnpm run typecheck. - Deploy with
npm run deploy.
Configure non-secret Worker vars
Update wrangler.toml or your deployment environment with:
OAUTH_ISSUERMCP_RESOURCEMCP_AUDIENCEOAUTH_REDIRECT_HTTPS_HOSTSRELAY_DEFAULT_BASE_URLACCESS_TOKEN_DEFAULT_TTL_DAYSACCESS_TOKEN_MAX_TTL_DAYSAUTH_CODE_TTL_SECONDS
For public release, wrangler.toml intentionally uses placeholder URLs. Set these to your real deployment values before production deploys:
OAUTH_ISSUER=https://your-worker.example.comMCP_RESOURCE=https://your-worker.example.com/mcpMCP_AUDIENCE=https://your-worker.example.com/mcp
Set Worker secrets
Generate and pipe each secret directly into Wrangler:
openssl rand -base64 48 | tr -d '\n' | wrangler secret put OAUTH_JWT_SIGNING_KEY_B64
openssl rand -base64 32 | tr -d '\n' | wrangler secret put UPSTREAM_CONFIG_ENC_KEY_B64
openssl rand -base64 48 | tr -d '\n' | wrangler secret put CSRF_SIGNING_KEY_B64
Deploy sequence
If you do not know the final public Worker URL yet, use this order:
- Bootstrap deploy once to get the real
workers.devURL. - Set the three Worker secrets.
- Redeploy with real
OAUTH_ISSUER,MCP_RESOURCE, andMCP_AUDIENCEvalues.
Run locally
npm run dev
Validate
npm test
npm run typecheck
Deploy
npm run deploy
Public connector values
After deployment, configure remote MCP clients with:
MCP Server URL: https://your-worker.example.com/mcp
Authorization server base URL: https://your-worker.example.com
Resource: https://your-worker.example.com/mcp
OAuth and stateless design summary
/registerissues deterministic publicclient_idvalues for allowlisted redirect URIs/authorizevalidates PKCE S256, renders consent, validates the Firefox Relay API key, and issues a short-lived signed auth-code JWT/tokenexchanges the auth code for bearer access and refresh JWTs- JWTs carry an AES-GCM encrypted Relay config envelope; plaintext credentials are never persisted server-side
/mcpverifies the access token, decrypts the Relay config, creates a fresh Worker-safe MCP server and transport, and serves the request
Stateless caveats
- Auth codes are not one-time-use across all isolates because no server-side state is stored
- Refresh tokens cannot be globally revoked without a stateful primitive
- Strict global rate limiting requires Durable Objects, KV, or Cloudflare-managed rate limiting
Manual smoke test notes
- Register a client with an allowlisted redirect URI.
- Complete
/authorizewith a Firefox Relay API key. - Exchange the returned code at
/token. - Call
/mcpwith the returned bearer token. - Confirm tools list and successful mask operations.
Privacy and security notes
- The Worker encrypts the Firefox Relay API key into MCP JWT artifacts and does not store it in a database.
- The Worker is designed to avoid logging API keys, bearer tokens, decrypted envelopes, cookies, or CSRF tokens.
- Upstream Relay errors are sanitized before they are returned to MCP clients.
Known limitations
- Auth codes are not globally one-time-use without stateful storage.
- Refresh tokens cannot be globally revoked without stateful storage.
- Strict global rate limiting requires Durable Objects, KV, or a Cloudflare-managed alternative.
- Domain-mask behavior depends on account capabilities and may require Relay premium/custom-domain support.
Project docs
docs/PRODUCT_REQUIREMENTS.mddocs/IMPLEMENTATION_PLAN.mddocs/PROJECT_STATE.mddocs/DECISIONS.mddocs/RUNBOOK.md
Contributing
See CONTRIBUTING.md.
Security
See SECURITY.md.
License
MIT
Установка Firefox Relay
У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.
▸ github.com/nazar256/firefox-relay-mcpFAQ
Firefox Relay MCP бесплатный?
Да, Firefox Relay MCP бесплатный — установка в пару кликов через Unyly без оплаты.
Нужен ли API-ключ для Firefox Relay?
Нет, Firefox Relay работает без API-ключей и переменных окружения.
Firefox Relay — hosted или self-hosted?
Self-hosted: сервер запускается локально на твоей машине командой из раздела установки.
Как установить Firefox Relay в Claude Desktop, Claude Code или Cursor?
Открой Firefox Relay на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.
Похожие MCP
Playwright
Browser automation, scraping, screenshots
автор: MicrosoftPuppeteer
Browser automation and web scraping.
автор: modelcontextprotocolopentabs-dev/opentabs
Plugin-based MCP server + Chrome extension that gives AI agents access to web applications through the user's authenticated browser session. 100+ plugins with a
автор: opentabs-devrobhunter/agentdeals
1,500+ developer infrastructure deals, free tiers, and startup programs across 54 categories. Search deals, compare vendors, plan stacks, and track pricing chan
автор: robhunterCompare Firefox Relay with
Не уверен что выбрать?
Найди свой стек за 60 секунд
Автор?
Embed-бейдж для README
Похожее
Все в категории browse
