Configuration ValidationΒΆ
MCP Gateway provides robust configuration validation tools to help operators catch misconfigurations early and ensure reliable deployments.
JSON Schema ExportΒΆ
Generate a machine-readable schema for all configuration options:
# Export schema to stdout
python -m mcpgateway.config --schema
# Save schema to file
python -m mcpgateway.config --schema > config.schema.json
Use this schema with validation tools in your deployment pipeline:
# Validate with ajv-cli
npx ajv-cli validate -s config.schema.json -d .env.json
# Validate with jsonschema (Python)
python -c "
import json, jsonschema
from mcpgateway.config import generate_settings_schema
schema = generate_settings_schema()
with open('.env.json') as f:
jsonschema.validate(json.load(f), schema)
"
Environment File ValidationΒΆ
Validate your .env file before deployment:
# Validate default .env file
python -m mcpgateway.scripts.validate_env
# Validate specific file
python -m mcpgateway.scripts.validate_env .env.example
# Use in Makefile
make check-env
The validator checks for:
- Type validation: Ensures values match expected types (integers, URLs, enums)
- Security warnings: Detects weak passwords, default secrets, insecure configurations
- Range validation: Verifies ports, timeouts, and limits are within valid ranges
- Format validation: Validates URLs, email addresses, and structured data
Example Validation OutputΒΆ
Valid ConfigurationΒΆ
$ python -m mcpgateway.scripts.validate_env .env.example
β
.env validated successfully with no warnings.
Invalid ConfigurationΒΆ
$ python -m mcpgateway.scripts.validate_env .env.invalid
β Invalid configuration: ValidationError
2 validation errors for Settings
port
Input should be greater than 0 [type=greater_than, input=-1]
log_level
Input should be 'DEBUG', 'INFO', 'WARNING', 'ERROR' or 'CRITICAL' [type=literal_error, input='INVALID']
Security WarningsΒΆ
$ python -m mcpgateway.scripts.validate_env .env.dev
β οΈ Default admin password detected! Please change PLATFORM_ADMIN_PASSWORD immediately.
β οΈ JWT_SECRET_KEY: Default/weak secret detected! Please set a strong, unique value for production.
β Configuration has security warnings. Please address them for production use.
CI/CD IntegrationΒΆ
Add validation to your deployment pipeline:
GitHub ActionsΒΆ
- name: Validate Configuration
run: |
python -m mcpgateway.scripts.validate_env .env.production
if [ $? -ne 0 ]; then
echo "Configuration validation failed"
exit 1
fi
Docker BuildΒΆ
Configuration TypesΒΆ
The following field types are strictly validated:
URLs and EndpointsΒΆ
APP_DOMAIN: Must be valid HTTP/HTTPS URLFEDERATION_PEERS: JSON array of valid URLsSSO_*_ISSUER: Valid OIDC issuer URLs
EnumerationsΒΆ
LOG_LEVEL: DEBUG, INFO, WARNING, ERROR, CRITICALCACHE_TYPE: memory, redis, databaseTRANSPORT_TYPE: http, ws, sse, all
Numeric RangesΒΆ
PORT: 1-65535DB_POOL_SIZE: Positive integerTOKEN_EXPIRY: Positive integer (minutes)
Security FieldsΒΆ
JWT_SECRET_KEY: SecretStr, minimum 32 charactersAUTH_ENCRYPTION_SECRET: SecretStr, minimum 32 characters- Password fields: Minimum 12 characters with complexity requirements
Best PracticesΒΆ
- Validate Early: Run validation in development and CI before deployment
- Use Strong Secrets: Generate cryptographically secure secrets for production
- Environment-Specific Configs: Maintain separate
.envfiles per environment - Schema Versioning: Pin schema versions in deployment scripts
- Security Scanning: Regularly audit configurations for security issues
TroubleshootingΒΆ
Common Validation ErrorsΒΆ
Invalid Port Range
Fix: Use valid port number (1-65535)Invalid URL Format
Fix: Ensure URLs include protocol (http:// or https://) Weak Secrets
JWT_SECRET_KEY: Secret should be at least 32 characters long
Admin password should be at least 8 characters long
Getting HelpΒΆ
- Use
python -m mcpgateway.config --helpfor CLI options