A detailed walkthrough of how Arcjet built a production MCP server in Go by integrating it directly into their existing API service rather than running it as a standalone sidecar. Key decisions covered include reusing session validation, middleware, and the data layer; designing tools around agent workflows (security briefings, anomaly detection, IP investigation, dry-run impact analysis) rather than as thin wrappers over existing API endpoints; serving OAuth discovery metadata (RFC 8414 authorization server metadata and RFC 9728 protected resource metadata) while proxying to an external auth provider (WorkOS AuthKit); handling Dynamic Client Registration; writing effective tool descriptions with output shape, workflow hints, and annotations; and keeping trusted guidance separate from untrusted, attacker-controlled request data so that tool output cannot be used for prompt injection.
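As an added example, not Arcjet's code and not a description of how their server is wired, the following Go program shows one way to serve both discovery documents from the MCP server's own origin while the actual authorize, token and registration endpoints stay with an external provider: the RFC 9728 protected resource metadata names the MCP origin as its authorization server, the RFC 8414 document served from that origin is built from the provider's own document (fetched and checked for issuer consistency), and a 401 challenge carries the `resource_metadata` pointer so clients can start discovery. The `Discovery` type, its fields, the example origins and the deployment shape are assumptions made for this illustration.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
)

// ProtectedResourceMetadata: RFC 9728 document for /.well-known/oauth-protected-resource (subset).
type ProtectedResourceMetadata struct {
	Resource             string   `json:"resource"`
	AuthorizationServers []string `json:"authorization_servers"`
}

// AuthServerMetadata: RFC 8414 document for /.well-known/oauth-authorization-server (subset).
type AuthServerMetadata struct {
	Issuer                        string   `json:"issuer"`
	AuthorizationEndpoint         string   `json:"authorization_endpoint"`
	TokenEndpoint                 string   `json:"token_endpoint"`
	RegistrationEndpoint          string   `json:"registration_endpoint,omitempty"`
	ResponseTypesSupported        []string `json:"response_types_supported"`
	CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported,omitempty"`
}

const (
	wellKnownResource = "/.well-known/oauth-protected-resource"
	wellKnownAS       = "/.well-known/oauth-authorization-server"
)

// Discovery serves both documents from the MCP server's origin while the real
// OAuth endpoints stay at an external provider (assumed deployment shape).
type Discovery struct {
	ResourceURL    string       // public origin of the MCP server, no trailing slash (assumed value)
	UpstreamIssuer string       // provider issuer URL, no path or trailing slash (assumed value)
	Client         *http.Client // give it a short timeout in production
}

// ProtectedResource names this origin as the authorization server, so clients
// fetch the re-published AS metadata from here rather than from the provider.
func (d *Discovery) ProtectedResource() ProtectedResourceMetadata {
	return ProtectedResourceMetadata{Resource: d.ResourceURL, AuthorizationServers: []string{d.ResourceURL}}
}

// AuthServer fetches the provider's document, applies the RFC 8414 section 3.3
// issuer check to it, and rewrites issuer to this origin so that the same check
// passes for clients that derived the URL from our origin. Fields whose meaning
// is tied to the issuer value (RFC 9207's authorization_response_iss_parameter_supported)
// are deliberately not copied. This fetches on every call; cache it in production.
func (d *Discovery) AuthServer(ctx context.Context) (*AuthServerMetadata, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, d.UpstreamIssuer+wellKnownAS, nil)
	if err != nil {
		return nil, err
	}
	resp, err := d.Client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("upstream metadata: status %d", resp.StatusCode)
	}
	var up AuthServerMetadata // LimitReader: a misbehaving upstream cannot exhaust memory
	if err := json.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(&up); err != nil {
		return nil, fmt.Errorf("upstream metadata: %w", err)
	}
	if up.Issuer != d.UpstreamIssuer || up.AuthorizationEndpoint == "" || up.TokenEndpoint == "" {
		return nil, fmt.Errorf("upstream metadata: issuer %q rejected or endpoints missing", up.Issuer)
	}
	return &AuthServerMetadata{
		Issuer:                        d.ResourceURL,
		AuthorizationEndpoint:         up.AuthorizationEndpoint,
		TokenEndpoint:                 up.TokenEndpoint,
		RegistrationEndpoint:          up.RegistrationEndpoint, // dynamic client registration happens upstream
		ResponseTypesSupported:        up.ResponseTypesSupported,
		CodeChallengeMethodsSupported: up.CodeChallengeMethodsSupported,
	}, nil
}

// Handler mounts the two discovery endpoints; the MCP transport itself is not shown.
func (d *Discovery) Handler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc(wellKnownResource, func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(d.ProtectedResource())
	})
	mux.HandleFunc(wellKnownAS, func(w http.ResponseWriter, r *http.Request) {
		md, err := d.AuthServer(r.Context())
		if err != nil {
			http.Error(w, "authorization server metadata unavailable", http.StatusBadGateway)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(md)
	})
	return mux
}

// Challenge is the 401 an MCP request without a valid bearer token gets back;
// RFC 9728 section 5.1 defines resource_metadata to point at the PRM URL.
func (d *Discovery) Challenge(w http.ResponseWriter) {
	w.Header().Set("WWW-Authenticate", fmt.Sprintf(`Bearer resource_metadata="%s%s"`, d.ResourceURL, wellKnownResource))
	w.WriteHeader(http.StatusUnauthorized)
}
```

Two caveats follow from this shape. The issuer in the served document is the MCP origin, but the tokens the provider issues still carry the provider's `iss`, so the resource server must validate bearer tokens against the upstream provider, never against the value it publishes in its own metadata. And if every client in play already follows `authorization_servers` from the protected resource metadata, the simpler option is to point that field at the provider directly and skip re-publishing the RFC 8414 document at all.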
Table of contents
A year of MCP
Why not a standalone server?
The integration
Discovery: well-known endpoints
The one hard part: OAuth
Gotchas
The result