Remote MCP server for read-only FreeAgent access, deployed on Cloudflare Workers.
- Federated one-shot auth for connector setup using FreeAgent OAuth.
- MCP endpoint secured with
@cloudflare/workers-oauth-provider. - Durable Object-backed auth state with encrypted token storage.
- Company mode and practice mode support from one codebase.
- Broad read-only accounting and operational tool surface for analysis workflows.
Reference docs:
- Architecture and implementation notes:
Project/freeagent-mcp-implementation/ - Capability mapping:
Project/freeagent-mcp-implementation/capability-matrix.md
- Connector setup flow:
/authorize-> FreeAgent consent ->/callback-> OAuth completion ->/mcp. - Durable Objects:
MCP_OBJECTfor MCP session/runtime behavior.AUTH_STOREfor principal auth records and pending OAuth handoff state.
- Deployment modes:
companyfor direct single-company access.practicefor practice dashboard plus client switching.
- MCP:
https://<worker-name>.<subdomain>.workers.dev/mcp - Health:
https://<worker-name>.<subdomain>.workers.dev/health - OAuth authorize:
https://<worker-name>.<subdomain>.workers.dev/authorize - OAuth callback:
https://<worker-name>.<subdomain>.workers.dev/callback
Prerequisites:
- Node.js 20+
- Cloudflare account with Wrangler auth
- FreeAgent OAuth app with callback set to
https://<worker-name>.<subdomain>.workers.dev/callback
Install and run locally:
npm install
cp .dev.vars.example .dev.vars
npm run devValidation commands:
npm run type-check
npm run test
curl -i http://localhost:8787/healthSet secrets once per environment:
npx wrangler secret put FREEAGENT_CLIENT_ID
npx wrangler secret put FREEAGENT_CLIENT_SECRET
npx wrangler secret put TOKEN_ENCRYPTION_KEYDeploy:
npx wrangler deployAfter deployment, run a repeatable company-mode smoke test:
npm run smoke:company -- https://<worker-name>.<subdomain>.workers.dev/mcpThe script will:
- dynamically register an OAuth client
- print a browser authorization URL
- wait for the local callback on
http://127.0.0.1:8090/callback - run a small MCP smoke suite after auth completes
When helping users set up this repo, follow this exact order:
- Install dependencies with
npm install. - Copy
.dev.vars.exampleto.dev.vars. - Ask the user to provide values for
FREEAGENT_CLIENT_ID,FREEAGENT_CLIENT_SECRET, andTOKEN_ENCRYPTION_KEY. - Run
npm run type-checkandnpm run testbefore starting dev or deploy steps. - Start local dev with
npm run dev. - For deployment, ensure Wrangler auth works, then run
npx wrangler deploy.
Rules for LLM agents:
- Never invent or hardcode credentials.
- Never commit
.dev.vars, real secrets, or account-specific deployment values. - Keep
wrangler.jsoncplaceholders intact in public branches. - If account-specific config is temporarily needed for testing, keep it out of the public branch or restore placeholders before publishing.
- Add your MCP URL in client settings:
https://<worker-name>.<subdomain>.workers.dev/mcp - Complete FreeAgent consent in the browser.
- In chat, run
auth_statusorget_company. - In practice mode, use
list_clientsandswitch_clientto choose an active client. - Run read-only tools.
- Practice-mode end-to-end validation depends on having a FreeAgent practice sandbox or real practice environment.
- Some FreeAgent endpoints may behave differently depending on permission level, account type, or enabled product features.
- This project is intentionally read-only for safety.
- Architecture and phased plan:
Project/freeagent-mcp-implementation/ - Capability mapping:
Project/freeagent-mcp-implementation/capability-matrix.md - Deployment modes:
Project/freeagent-mcp-implementation/deployment-modes.md - Sandbox notes:
Project/freeagent-mcp-implementation/sandbox-notes.md - Secret management:
Project/freeagent-mcp-implementation/secret-management.md - Security policy:
SECURITY.md - Contribution guide:
CONTRIBUTING.md - License:
LICENSE