A remote MCP server on Cloudflare Workers that gives Claude (or any MCP client) read/write access to a personal file vault backed by Cloudflare R2.
Authentication is handled via GitHub OAuth, so Claude.ai connects natively without workarounds.
This server is part of Token Brain, a personal knowledge and agent infrastructure built around Claude.
- File operations: read, write, delete text files (markdown, JSON, YAML, CSV, code)
- Browse: list files with metadata, search by filename, display the directory tree
- Binary support: generate presigned URLs for direct upload/download of any file type
- Health check: `alive` tool to verify the server and OAuth are operational
- Single-owner access: GitHub OAuth scope guard restricts access to one authorized user
| Tool | Description |
|---|---|
| `alive` | Health check — confirms the server is running and authentication is valid |
| `list_files` | List files in the vault with size and modification date |
| `tree` | Display the vault's directory structure |
| `search_files` | Search files by name (case-insensitive) |
| `read_file` | Read the content of a text file |
| `write_file` | Create or overwrite a text file |
| `delete_file` | Delete a file (requires explicit confirmation) |
| `get_upload_url` | Generate a presigned URL for uploading a file (60s TTL) |
| `get_download_url` | Generate a presigned URL for downloading a file (60s TTL) |
- Node.js (v18+)
- A Cloudflare account (free plan works)
- A GitHub OAuth App for authentication
```bash
# Clone and install
git clone https://github.com/your-username/second-brain-vault.git
cd second-brain-vault
npm install

# Configure
cp .env.example .env
# Edit .env with your values (see Configuration below)

# Create Cloudflare resources
wrangler kv namespace create OAUTH_KV
# Copy the returned ID into wrangler.jsonc
wrangler r2 bucket create mcp-vault
# (or use your own bucket name — update wrangler.jsonc accordingly)

# Set production secrets
wrangler secret put GITHUB_CLIENT_ID
wrangler secret put GITHUB_CLIENT_SECRET
wrangler secret put COOKIE_ENCRYPTION_KEY
wrangler secret put R2_ACCESS_KEY_ID
wrangler secret put R2_SECRET_ACCESS_KEY
wrangler secret put CF_ACCOUNT_ID
wrangler secret put ALLOWED_GITHUB_ID
wrangler secret put ALLOWED_GITHUB_LOGIN

# Deploy
wrangler deploy
```

Your MCP endpoint will be available at `https://your-worker.your-subdomain.workers.dev/mcp`.
| Variable | Description |
|---|---|
| `GITHUB_CLIENT_ID` | GitHub OAuth App client ID |
| `GITHUB_CLIENT_SECRET` | GitHub OAuth App client secret |
| `COOKIE_ENCRYPTION_KEY` | Random 64-char hex string for cookie encryption |
| `R2_ACCESS_KEY_ID` | Cloudflare R2 API key ID |
| `R2_SECRET_ACCESS_KEY` | Cloudflare R2 API secret key |
| `CF_ACCOUNT_ID` | Your Cloudflare account ID |
| `ALLOWED_GITHUB_ID` | Your GitHub user ID (integer) |
| `ALLOWED_GITHUB_LOGIN` | Your GitHub username |
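
One way to enforce the single-owner guard with these variables, added here as an example and not taken from the project's code. `loadOwnerConfig`, `isVaultOwner` and `sampleEnv` are hypothetical names, and the example assumes the guard requires both the numeric ID and the login from GitHub's `GET /user` profile to match.

```javascript
// Added example (not the project's code): fail-closed single-owner guard.
// Function names are hypothetical; the env variable names come from the table above.

// Validate the owner-related secrets once at startup. Throwing on a missing or
// malformed value makes a misconfigured deployment refuse to serve, instead of
// silently comparing against "" or undefined.
function loadOwnerConfig(env) {
  const id = String(env.ALLOWED_GITHUB_ID ?? "").trim();
  const login = String(env.ALLOWED_GITHUB_LOGIN ?? "").trim();
  const key = String(env.COOKIE_ENCRYPTION_KEY ?? "");
  if (!/^[1-9][0-9]*$/.test(id)) {
    throw new Error("ALLOWED_GITHUB_ID must be a positive integer");
  }
  if (login === "") {
    throw new Error("ALLOWED_GITHUB_LOGIN must be set");
  }
  if (!/^[0-9a-fA-F]{64}$/.test(key)) {
    throw new Error("COOKIE_ENCRYPTION_KEY must be a 64-char hex string");
  }
  // GitHub logins are case-insensitive, so normalise once here.
  return { id, login: login.toLowerCase() };
}

// `user` is the authenticated profile as returned by GitHub's GET /user
// (numeric `id`, string `login`). The numeric ID is the stable identifier:
// a login can be renamed and later claimed by another account, so a login
// match alone is not enough. Assumption: both fields must match.
function isVaultOwner(user, owner) {
  if (!user || !Number.isSafeInteger(user.id) || typeof user.login !== "string") {
    return false; // unexpected shape: deny
  }
  return String(user.id) === owner.id && user.login.toLowerCase() === owner.login;
}

// Constructed sample values (not a real account or key).
const sampleEnv = {
  ALLOWED_GITHUB_ID: "1234567",
  ALLOWED_GITHUB_LOGIN: "Vault-Owner",
  COOKIE_ENCRYPTION_KEY: "ab".repeat(32),
};
```

Run the check in the OAuth callback, before any session or token is issued, so an unauthorized GitHub account never receives credentials for the vault tools.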
- Go to GitHub Developer Settings
- Create a new OAuth App
- Set the Authorization callback URL to `https://your-worker.your-subdomain.workers.dev/callback`
- Copy the Client ID and Client Secret into your secrets
- In Claude.ai, go to Settings > Integrations
- Add a custom MCP server
- Enter your Worker URL: `https://your-worker.your-subdomain.workers.dev/mcp`
- Claude will redirect you to GitHub for authentication
- Once authorized, the vault tools appear in your conversation
The server runs on Cloudflare Workers and uses:
- R2 for file storage (S3-compatible object storage)
- KV for OAuth session management
- workers-oauth-provider for the OAuth 2.1 flow
- MCP SDK (`@modelcontextprotocol/sdk`) for tool registration and transport
For detailed architecture documentation, see ARCHITECTURE.md.
For the OAuth implementation guide, see GUIDE-MCP-WORKER-OAUTH.md.
See DEPLOY.md for step-by-step deployment instructions.
MIT — see LICENSE.