WEBVTT

1
00:00:00.000 --> 00:00:03.000
Hi, and welcome to this AI&TCI video.

2
00:00:03.799 --> 00:00:06.500
Not on the Microsoft Agent Framework today,

3
00:00:06.539 --> 00:00:09.300
but instead the Model Context Protocol.

4
00:00:09.899 --> 00:00:15.699
So in this video, I'm going to show you that we can use MCP,

5
00:00:16.100 --> 00:00:19.799
but if we want to have it so only certain people can use it,

6
00:00:19.840 --> 00:00:22.500
we need to put some authentication onto it.

7
00:00:22.899 --> 00:00:26.799
In this video, I'm going to show you how to add an API key to it.

8
00:00:27.799 --> 00:00:30.799
So let's jump into some code.

9
00:00:32.099 --> 00:00:38.000
And this code I'm showing right here is my old sample in my previous video,

10
00:00:38.599 --> 00:00:46.200
in that we can just use the MCP NuGet package and ASP.NET Core

11
00:00:46.799 --> 00:00:49.599
if we want to expose them using the minimal API.

12
00:00:50.599 --> 00:00:55.400
And then we just go in and say add MCP server with HTTP transport

13
00:00:55.599 --> 00:00:57.000
with tools from assembly.

14
00:00:58.299 --> 00:01:05.000
And the tools will just be annotated with this MCP server tool type

15
00:01:05.099 --> 00:01:06.900
and an MCP server here.

16
00:01:07.699 --> 00:01:12.800
And here I'm just making a little sample tool called GetSecretWord.

17
00:01:15.099 --> 00:01:19.599
But if we look at code like this,

18
00:01:20.099 --> 00:01:26.099
we're just exposing that MCP, but without any restrictions.

19
00:01:26.199 --> 00:01:32.400
Anyone who knows this URL that it's on will know you can just write

20
00:01:32.500 --> 00:01:34.400
that that's MCP and can be used.

21
00:01:35.000 --> 00:01:39.599
But it could be that you had some corporate data, some company data,

22
00:01:39.699 --> 00:01:43.199
some private data that you want to expose through MCP,

23
00:01:43.199 --> 00:01:49.000
and only if people knew the API key, it should be possible.

24
00:01:49.500 --> 00:01:55.500
That's a little the same as if we look at the sample about using GitHub MCP

25
00:01:55.599 --> 00:01:57.599
when we use the MCP client.

26
00:01:58.900 --> 00:02:03.599
We give an MCP server, but we give some additional headers

27
00:02:03.699 --> 00:02:07.099
with an authorization token in this case.

29
00:02:11.199 --> 00:02:14.699
So we want something similar, but on the server side.

30
00:02:16.199 --> 00:02:22.699
And for that, we have tools calling an MCP, MCP auth, and MCP auth API key here.

31
00:02:24.699 --> 00:02:28.500
So up in this, we have almost the same as we saw before,

32
00:02:28.600 --> 00:02:32.000
but we have put in our expected API key,

33
00:02:32.100 --> 00:02:35.300
which in my case, I've just put in as my secret key.

34
00:02:35.800 --> 00:02:40.500
It should, of course, be something like a GWT or something like that,

35
00:02:40.600 --> 00:02:43.800
and it should, of course, be kept in some secret storage.

36
00:02:44.899 --> 00:02:47.899
But beyond that, after we take this,

37
00:02:49.100 --> 00:02:52.199
we just need to add an endpoint filter,

38
00:02:52.300 --> 00:02:56.600
just like you do in normal minimal API.

39
00:02:57.100 --> 00:03:00.899
So there's nothing different when it comes to just API keys.

40
00:03:01.500 --> 00:03:04.899
And the tools are also not changed in any way.

41
00:03:04.899 --> 00:03:07.300
It's just the same tool I've copied over.

42
00:03:08.600 --> 00:03:12.800
But if we do this and run the code, which I've already done,

43
00:03:12.899 --> 00:03:16.699
and we can see we are on localhost:7044,

44
00:03:17.399 --> 00:03:21.300
I can take an MCP client, like, for example, Insomnia here,

45
00:03:21.699 --> 00:03:23.300
and connect to it.

46
00:03:24.699 --> 00:03:28.500
And if I don't have any headers,

47
00:03:28.600 --> 00:03:32.600
like in my case, I call it X-API-Key,

48
00:03:32.699 --> 00:03:35.000
but you could call it secret.

49
00:03:35.100 --> 00:03:37.199
You could call it authorization.

50
00:03:37.300 --> 00:03:39.699
There's no fixed standard for this.

51
00:03:40.199 --> 00:03:41.899
You can just call it what you want.

52
00:03:42.600 --> 00:03:45.300
And if I don't have this, I have something wrong.

53
00:03:46.500 --> 00:03:49.600
We will see that I get an error back,

54
00:03:50.899 --> 00:03:54.500
and we will be able to see I'm getting unauthorized.

55
00:03:55.300 --> 00:03:59.800
And the reason for that is that whenever we hit the endpoint now,

56
00:04:00.500 --> 00:04:02.399
if I press connect here,

57
00:04:03.399 --> 00:04:04.899
we hit the breakpoint,

58
00:04:05.300 --> 00:04:08.899
we on the fly take it from the request, the API key,

59
00:04:09.399 --> 00:04:12.699
and if it doesn't match what we have put in,

60
00:04:12.800 --> 00:04:14.399
our MySecret key,

61
00:04:15.100 --> 00:04:17.500
we just send back unauthorized.

62
00:04:19.600 --> 00:04:22.299
But if we go in and put the right key in,

63
00:04:22.299 --> 00:04:28.100
we then go to the normal middleware and just call the await next,

64
00:04:28.200 --> 00:04:31.200
so it sends it on in the pipeline.

65
00:04:33.000 --> 00:04:36.899
And we get multiple because it checks for various,

66
00:04:37.000 --> 00:04:40.200
what tools do we have, what resources do we have, and so on.

67
00:04:40.799 --> 00:04:42.600
And we get a connection

69
00:04:47.600 --> 00:04:51.000
Where we can then call our getSecretWord,

70
00:04:52.299 --> 00:04:54.399
which in our case is banana cake here.

71
00:04:55.700 --> 00:04:58.399
So there's actually not more to it

72
00:04:58.500 --> 00:05:02.500
to make a simple authentication using an API key,

73
00:05:02.899 --> 00:05:05.000
meaning this part of the code.

74
00:05:06.200 --> 00:05:11.000
And it takes care of protecting all tools and stuff.

75
00:05:11.100 --> 00:05:15.500
You can't really put credentials on a per-tool basis.

76
00:05:15.500 --> 00:05:17.600
It's on the entire MCP or not.

77
00:05:20.399 --> 00:05:22.500
So that's what we have here.

78
00:05:23.899 --> 00:05:26.700
Some of you might be thinking, okay, we also have OAuth.

79
00:05:27.200 --> 00:05:31.399
OAuth is a very big deal in it,

80
00:05:31.500 --> 00:05:33.600
and it's very, very difficult to get working.

81
00:05:33.700 --> 00:05:36.299
I'm still in the process of making one.

82
00:05:36.700 --> 00:05:41.000
I have some code that I will commit that you can see as inspiration.

83
00:05:42.200 --> 00:05:45.100
But right now it's half working only.

84
00:05:45.500 --> 00:05:47.600
So that will be for another video.

85
00:05:48.399 --> 00:05:53.100
But if anyone with great security skills,

86
00:05:53.200 --> 00:05:55.200
because I don't have great security,

87
00:05:56.100 --> 00:05:59.600
can help me make this work, we might get a video faster.

88
00:06:01.000 --> 00:06:04.299
But it's close to working, but not 100%.

89
00:06:04.399 --> 00:06:06.700
But we will take that in another video.

90
00:06:07.200 --> 00:06:10.700
For now, you can definitely secure your endpoint

91
00:06:10.799 --> 00:06:13.100
with a simple API key like this.

92
00:06:13.100 --> 00:06:17.299
So with that, thank you for attending and see you in the next one.

