Spotify MCP Server on Cloudflare Workers (OAuth, Multi-User)

This server is now configured for production-style multi-user auth:

• MCP clients authenticate via OAuth endpoints on this Worker.
• Users authorize with Spotify using their own Spotify app credentials (BYO Client ID/Secret).
• User refresh tokens and BYO client credentials are stored in encrypted OAuth props.

Architecture

• MCP API: /mcp
• OAuth authorize: /authorize
• OAuth token: /token
• OAuth client registration: /register
• Spotify callback: /callback

1) Install

cd /Users/omshah/Desktop/MCP/spotify-mcp-cloudflare
npm install

2) Create KV Namespace (for OAuth state)

npx wrangler kv namespace create OAUTH_KV

Copy the returned ID into wrangler.jsonc at:

• kv_namespaces[0].id

3) Set Worker Secrets

npx wrangler secret put COOKIE_ENCRYPTION_KEY
npx wrangler secret put ALLOWED_MCP_CLIENT_IDS

COOKIE_ENCRYPTION_KEY should be a long random string.

ALLOWED_MCP_CLIENT_IDS is optional (comma-separated). If set, only those MCP OAuth client IDs can authorize.

Optional fallback secrets (only if you want a default app instead of strict BYO):

npx wrangler secret put SPOTIFY_CLIENT_ID
npx wrangler secret put SPOTIFY_CLIENT_SECRET

4) Spotify App Settings

Each user should create a Spotify app in Spotify Developer Dashboard and set redirect URI to:

• Local: http://localhost:8788/callback
• Production: https://<your-worker>.workers.dev/callback

The redirect URI in Spotify must exactly match the environment you are using.

5) Run Local

npm run dev

6) Deploy

npm run deploy

Security Notes

• This version removes raw refresh-token tool input.
• Tokens are tied to authenticated OAuth sessions.
• Keep COOKIE_ENCRYPTION_KEY secret and rotate if compromised.
• Debug auth scope tool is disabled by default. Enable only temporarily with ENABLE_DEBUG_TOOLS=true.