Skip to main content

JWT

The jwt package (jwt~=1.3.1) is included in requirements.txt. Use it to decode and validate JWT tokens in the token_required decorator:
For RS256 tokens (e.g. Cognito), retrieve the public key from the Cognito JWKS endpoint:

AWS Cognito

The flask-Cognito package is included in requirements.txt. Configure it using the Cognito environment variables from Environment.py:

API key hashing

The MCP server hashes API keys with SHA-256 before storing them in the database — only the hash is persisted, never the raw key:
To validate an incoming key, hash it and compare against the stored hash:
Apply the same pattern in your own API key systems — never store or log raw keys.

Passwords

For user passwords, use werkzeug.security (included via Flask):
Use scrypt or pbkdf2:sha256 as the method (Werkzeug defaults to scrypt in recent versions).

HTTPS

Always run behind HTTPS in production. When deploying on AWS ECS/EC2, terminate TLS at the load balancer (ALB) and forward traffic to the Flask container on port 5000 over HTTP internally.