π¦
zhangpanda/gomcp
tag auto schema, middleware chain, auth, tool groups, adapters for Gin/OpenAPI/gRPC, async tasks, Inspector UI.
0 installs
Trust: 34 β Low
Docs
Ask AI about zhangpanda/gomcp
Powered by Claude Β· Grounded in docs
I know everything about zhangpanda/gomcp. Ask me about installation, configuration, usage, or troubleshooting.
0/500
Loading tools...
Reviews
Documentation
GoMCP
The fast, idiomatic way to build MCP servers in Go.
π Quick Links
- GitHub: https://github.com/zhangpanda/gomcp
- Gitee: https://gitee.com/rilegouasas/gomcp
- MCP Protocol: https://modelcontextprotocol.io
π― What is GoMCP?
GoMCP is a framework for building Model Context Protocol (MCP) servers β not just an SDK. Think of it as "Gin for MCP".
MCP is the open protocol that lets AI applications (Claude Desktop, Cursor, Kiro, VS Code Copilot) call external tools, read data sources, and use prompt templates. GoMCP makes building those servers trivial.
Why GoMCP?
| mcp-go (mark3labs) | Official Go SDK | GoMCP | |
|---|---|---|---|
| Level | SDK | SDK | Framework |
| Schema generation | Manual | jsonschema tag | mcp tag + auto validation |
| Middleware | Basic hooks | None | Full chain (Logger, Auth, RateLimit, OTelβ¦) |
| Tool groups | No | No | Yes (user.get, admin.delete) |
| Import Gin routes | No | No | β One line |
| Import OpenAPI/Swagger | No | No | β One line |
| Import gRPC services | No | No | β |
| Built-in auth | No | No | Bearer / API Key / Basic + RBAC (Bearer = your token/JWT validator) |
| Inspector UI | No | No | β |
| Test utilities | Basic | No | mcptest package |
π οΈ Tech Stack
Environment Requirements
| Requirement | Version |
|---|---|
| Go | β₯ 1.25 |
| MCP Protocol | 2024-11-05 (backward compatible with 2025-11-25) |
Note on the Go 1.25 requirement. GoMCP's
go.moddeclaresgo 1.25.0so the project always builds with the toolchain that ships current security and runtime fixes. If you are running Go 1.21+ locally with the defaultGOTOOLCHAIN=auto, Go will automatically download and use the matching toolchain for you β no manual upgrade is needed. If you have pinnedGOTOOLCHAIN=local, install Go 1.25+ or unset the pin.
Core Dependencies
| Technology | Description |
|---|---|
| Go standard library | Framework routing, JSON-RPC, transports β no forced DB/ORM deps |
| Gin | Adapter only β import existing Gin routes |
| gRPC | Adapter only β import gRPC services |
| OpenTelemetry | Optional β distributed tracing |
| YAML v3 | Provider only β hot-reload tool definitions |
π Core Features
π§ Tool Development
- Struct-tag auto schema β define parameters with Go structs and
mcptags, JSON Schema generated automatically - Typed handlers β
func(*Context, Input) (Output, error)β no manual parameter parsing - Parameter validation β required, min/max, enum, pattern β checked before your handler runs
- Component versioning β register multiple versions, clients call
name@version - Async tasks β long-running tools return task ID, with polling and cancellation
π Adapters (Core Differentiator)
- Gin adapter β import existing Gin routes as MCP tools with one line
- OpenAPI adapter β generate tools from Swagger/OpenAPI 3.x docs
- gRPC adapter β import gRPC service methods as MCP tools
π Security
- BearerAuth β Bearer token check via your validator (JWT parsing is up to you; this library does not decode JWTs)
- APIKeyAuth β API key validation via header
- BasicAuth β HTTP Basic authentication
- RequireRole / RequirePermission β RBAC authorization on tool groups
𧩠Framework Features
- Middleware chain β Logger, Recovery, RequestID, Timeout, RateLimit, OpenTelemetry
- Tool groups β organize tools with prefixes and group-level middleware
- Resource & Prompt β full MCP support including URI templates and parameterized prompts
- Auto-completions β suggest values for prompt/resource arguments
π Production Ready
- Multiple transports β stdio (Claude Desktop, Cursor, Kiro) and Streamable HTTP with SSE
- MCP Inspector β built-in web debug UI for browsing and testing tools
- Hot-reload β load tool definitions from YAML files with file watching
- mcptest package β in-memory client for unit testing with snapshot support
- Lifecycle β
Close(), session idle eviction, async concurrency β see Server lifecycle, sessions & async tasks.
ποΈ Architecture
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β User Code β
β s.Tool() / s.ToolFunc() / s.Resource() / s.Prompt() β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β Framework Core β
β Router β Middleware Chain β Validation β Handler β Result β
ββββββββββββββ¬ββββββββββββββ¬ββββββββββββββββ¬ββββββββββββββββββββ€
β Schema β Validator β Adapters β Observability β
β Generator β Engine β Gin/OpenAPI/ β OTel / Logger β
β (mcp tags) β (auto) β gRPC β / Inspector β
ββββββββββββββ΄ββββββββββββββ΄ββββββββββββββββ΄ββββββββββββββββββββ€
β Protocol Layer β
β JSON-RPC 2.0 / MCP / Capability Negotiation β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β Transport Layer β
β stdio / Streamable HTTP + SSE β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Project Structure
gomcp/
βββ server.go # Server core, tool/resource/prompt registration
βββ context.go # Request context with typed accessors
βββ group.go # Tool groups with prefix naming
βββ middleware.go # Middleware chain helpers (SkipAuthForMCPMethods, handshake skips)
βββ middleware_builtin.go # Logger, Recovery, RequestID, Timeout, RateLimit
βββ middleware_auth.go # Bearer/API key/Basic auth, RBAC, SSE auth helpers
βββ middleware_otel.go # OpenTelemetry tracing
βββ schema/ # struct tag β JSON Schema generator + validator
βββ transport/ # stdio + Streamable HTTP + optional CORS helper
βββ adapter/ # Gin, OpenAPI, gRPC adapters
βββ mcptest/ # Testing utilities
βββ task.go # Async task support
βββ completion.go # Auto-completions
βββ inspector.go # Web debug UI
βββ provider.go # Hot-reload from YAML
βββ examples/ # Working examples
π¦ Installation
go get github.com/zhangpanda/gomcp
β‘ Quick Start
5 lines to a working MCP server
package main
import (
"fmt"
"github.com/zhangpanda/gomcp"
)
type SearchInput struct {
Query string `json:"query" mcp:"required,desc=Search keyword"`
Limit int `json:"limit" mcp:"default=10,min=1,max=100"`
}
type SearchResult struct {
Items []string `json:"items"`
Total int `json:"total"`
}
func main() {
s := gomcp.New("my-server", "1.0.0")
s.ToolFunc("search", "Search documents by keyword", func(ctx *gomcp.Context, in SearchInput) (SearchResult, error) {
items := []string{fmt.Sprintf("Result for %q", in.Query)}
return SearchResult{Items: items, Total: len(items)}, nil
})
s.Stdio()
}
The SearchInput struct automatically generates this JSON Schema:
{
"type": "object",
"properties": {
"query": { "type": "string", "description": "Search keyword" },
"limit": { "type": "integer", "default": 10, "minimum": 1, "maximum": 100 }
},
"required": ["query"]
}
Invalid parameters are rejected before your handler runs:
validation failed: query: required; limit: must be <= 100
π Usage Guide
Struct Tag Reference
| Tag | Type | Description | Example |
|---|---|---|---|
required | flag | Field must be provided | mcp:"required" |
desc | string | Human-readable description | mcp:"desc=Search keyword" |
default | any | Default value | mcp:"default=10" |
min | number | Minimum value (inclusive) | mcp:"min=0" |
max | number | Maximum value (inclusive) | mcp:"max=100" |
enum | string | Pipe-separated allowed values | mcp:"enum=asc|desc" |
pattern | string | Regex validation | mcp:"pattern=^[a-z]+$" |
Combine: mcp:"required,desc=User email,pattern=^[^@]+@[^@]+$"
Supported types: string, int, float64, bool, []T, nested structs.
Tools
Simple handler:
s.Tool("hello", "Say hello", func(ctx *gomcp.Context) (*gomcp.CallToolResult, error) {
return ctx.Text("Hello, " + ctx.String("name")), nil
})
Typed handler (recommended):
type Input struct {
Name string `json:"name" mcp:"required,desc=User name"`
Email string `json:"email" mcp:"required,pattern=^[^@]+@[^@]+$"`
}
s.ToolFunc("create_user", "Create user", func(ctx *gomcp.Context, in Input) (User, error) {
return db.CreateUser(in.Name, in.Email)
})
Resources
// Static
s.Resource("config://app", "App config", func(ctx *gomcp.Context) (any, error) {
return map[string]any{"version": "1.0"}, nil
})
// Dynamic URI template
s.ResourceTemplate("db://{table}/{id}", "DB record", func(ctx *gomcp.Context) (any, error) {
return db.Find(ctx.String("table"), ctx.String("id")), nil
})
Prompts
s.Prompt("code_review", "Code review",
[]gomcp.PromptArgument{gomcp.PromptArg("language", "Language", true)},
func(ctx *gomcp.Context) ([]gomcp.PromptMessage, error) {
return []gomcp.PromptMessage{
gomcp.UserMsg(fmt.Sprintf("Review this %s code for bugs.", ctx.String("language"))),
}, nil
},
)
Middleware
s.Use(gomcp.Logger()) // Log MCP method + duration
s.Use(gomcp.Recovery()) // Recover from panics
s.Use(gomcp.RequestID()) // Unique request ID
s.Use(gomcp.Timeout(10 * time.Second)) // Deadline enforcement
s.Use(gomcp.RateLimit(100)) // 100 calls/minute
s.Use(gomcp.OpenTelemetry()) // Distributed tracing
// Pick one: BearerAuth (token required on initialize too) or BearerAuthSkipHandshake (initialize/ping anonymous).
s.Use(gomcp.BearerAuthSkipHandshake(tokenValidator))
s.Use(gomcp.APIKeyAuthSkipHandshake("X-API-Key", keyValidator))
Custom middleware:
func AuditLog() gomcp.Middleware {
return func(ctx *gomcp.Context, next func() error) error {
start := time.Now()
err := next()
log.Printf("tool=%s duration=%s err=%v", ctx.String("_tool_name"), time.Since(start), err)
return err
}
}
Tool Groups
user := s.Group("user", authMiddleware)
user.Tool("get", "Get user", getUser) // β user.get
user.Tool("update", "Update user", updateUser) // β user.update
admin := user.Group("admin", gomcp.RequireRole("admin"))
admin.Tool("delete", "Delete user", deleteUser) // β user.admin.delete
Adapters
Gin β one line to import your existing API:
adapter.ImportGin(s, ginRouter, adapter.ImportOptions{
IncludePaths: []string{"/api/v1/"},
})
// GET /api/v1/users/:id β Tool get_api_v1_users_by_id (id = required param)
OpenAPI β generate from Swagger docs:
adapter.ImportOpenAPI(s, "./swagger.yaml", adapter.OpenAPIOptions{
TagFilter: []string{"pets"},
ServerURL: "https://api.example.com",
})
gRPC:
adapter.ImportGRPC(s, grpcConn, adapter.GRPCOptions{
Services: []string{"user.UserService"},
})
Component Versioning
s.ToolFunc("search", "v1", searchV1, gomcp.Version("1.0"))
s.ToolFunc("search", "v2 with embeddings", searchV2, gomcp.Version("2.0"))
// "search" β latest, "search@1.0" β exact version
Async Tasks
s.AsyncTool("report", "Generate report", func(ctx *gomcp.Context) (*gomcp.CallToolResult, error) {
// long-running work
return ctx.Text("done"), nil
})
// Client gets taskId immediately, polls tasks/get, can tasks/cancel
Hot-Reload
s.LoadDir("./tools/", gomcp.DirOptions{Watch: true})
Server lifecycle, sessions & async tasks
Server.Close()β When your process or test tears down a server that usesLoadDir(..., Watch: true)or long-lived HTTP, callClose()once. It stops the YAML watch loop, the session eviction background goroutine, and the async task manager eviction loop. The call is idempotent.- Sessions β Session state is in-memory only. Identifiers come from the client
Mcp-Session-Idheader (see Streamable HTTP). Sessions idle for 30 minutes (no access via that ID) are removed; the next request with the same ID gets a new empty session. Do not rely onSessionstorage across long idle periods unless the client keeps traffic or you refresh state yourself. SetMaxConcurrentTasks(n)β Set this before the firstAsyncTool/AsyncToolFunc. After the internal task manager is created, later calls are a no-op (avoids races with in-flight work).- Shutdown vs async work β
Close()does not wait for async tool handlers that are still running; add your own timeout / wait if you need hard guarantees before exit.
MCP Inspector
s.Dev(":9090") // http://localhost:9090 β browse and test all tools
Testing
func TestSearch(t *testing.T) {
c := mcptest.NewClient(t, setupServer())
c.Initialize()
result := c.CallTool("search", map[string]any{"query": "golang"})
result.AssertNoError(t)
result.AssertContains(t, "golang")
mcptest.MatchSnapshot(t, "search_result", result)
}
Transports
s.Stdio() // Claude Desktop, Cursor, Kiro
s.HTTP(":8080") // Remote deployment with SSE
s.Handler() // Embed in existing HTTP server
// Browser clients: wrap the handler with transport.WrapCORS(h, []string{"https://your.app"}) when needed
Use with AI Clients
{
"mcpServers": {
"my-server": {
"command": "/path/to/your/binary"
}
}
}
Works with Claude Desktop, Cursor, Kiro, Windsurf, VS Code Copilot, and any MCP-compatible client.
π Roadmap
- Core: Tool, Resource, Prompt with full MCP protocol support
- Struct-tag auto schema generation + parameter validation
- Middleware chain (Logger, Recovery, RateLimit, Timeout, RequestID)
- Auth middleware (Bearer / API Key / Basic) + RBAC authorization
- Tool groups with prefix naming and nested groups
- stdio + Streamable HTTP transports with SSE notifications
- Gin adapter β import existing Gin routes as MCP tools
- OpenAPI adapter β generate tools from Swagger/OpenAPI docs
- gRPC adapter β import gRPC services as MCP tools
- OpenTelemetry integration
- mcptest package with snapshot testing
- Component versioning + deprecation
- Async tasks with polling and cancellation
- MCP Inspector web debug UI
- Hot-reload provider from YAML
- Auto-completions for prompt/resource arguments
π€ Feedback & Support
- Bug Reports: GitHub Issues
- Feature Requests: GitHub Issues
- Discussions: GitHub Discussions
π‘ Recommended reading: How To Ask Questions The Smart Way
π Security
HTTP transport and authentication
Usemiddleware runs for every JSON-RPC method (except the notificationnotifications/initialized, which has no response):initialize,tools/list,tools/call,resources/read,prompts/get,tasks/*,completion/complete, etc. UseBearerAuth/APIKeyAuth/BasicAuthwhen exposingPOST /mcp. ForAPIKeyAuth,api_key(and other merged params) come fromtools/callarguments,prompts/getarguments, orresources/readparams JSON when no header is sentβprefer headers for production.BearerAuthSkipHandshake/APIKeyAuthSkipHandshake/BasicAuthSkipHandshake(orSkipAuthForMCPMethods) letinitializeandpingrun without credentials while keeping other methods protectedβtypical for MCP HTTP clients that negotiate before sending tokens.- Request context propagates into tool, resource, and prompt handlers (deadlines,
Authorization, and injected headers from Streamable HTTP). - SSE (
GET /mcp) does not execute MCP middleware. UseWithSSEAuthwithSSEBearerAuth,SSEAPIKeyAuth,SSEBasicAuth, or your own gate. WithoutWithSSEAuth, any client that can openGETreceives broadcast notifications. - Browser
fetch: wrap your/mcphandler withtransport.WrapCORS(h, allowedOrigins)fromgithub.com/zhangpanda/gomcp/transport; never use*with credentialsβonly list trusted origins.
When deploying Streamable HTTP in production, combine TLS, authentication middleware on POST, and WithSSEAuth when notifications must not be public.
To report security vulnerabilities, see SECURITY.md.
βοΈ Copyright & License
Copyright Β© 2026 GoMCP Contributors
Licensed under the Apache License 2.0.
Important Notes
- This project is open source and free for both personal and commercial use under the Apache 2.0 license.
- You must retain the copyright notice, license text, and any attribution notices in all copies or substantial portions of the software.
- The Apache 2.0 license includes an express grant of patent rights from contributors to users.
- Contributions to this project are licensed under the same Apache 2.0 license.
- Unauthorized removal of copyright notices may result in legal action.
Patent Notice
Certain features of this framework (struct-tag schema generation, HTTP-to-MCP automatic adapter, OpenAPI-to-MCP automatic adapter) are the subject of pending patent applications. The Apache 2.0 license grants you a perpetual, worldwide, royalty-free patent license to use these features as part of this software.
β Star History
If you find GoMCP useful, please consider giving it a star! It helps others discover the project.