@modelcontextprotocol/sdk to provide MCP client communication. This ensures full protocol compliance and works with all MCP clients including VS Code, Claude, and MCP Inspector.
Transport Overview
MCP SDK Implementation
Satellite leverages the official MCP TypeScript SDK for all transport operations:Session Management
The SDK provides automatic session management with:- Session ID: Cryptographically secure identifiers
- Timeout: Configurable session timeouts
- Activity Tracking: Automatic session activity updates
- Cleanup: Built-in session cleanup and resource management
Streamable HTTP Transport
GET Endpoint
Endpoint:GET /mcp
Headers:
Accept: text/event-stream(required for SSE stream)Mcp-Session-Id: {sessionId}(optional)
POST Endpoint
Endpoint:POST /mcp
Headers:
Content-Type: application/json(required)Accept: application/json(default) ortext/event-stream(streaming)Mcp-Session-Id: {sessionId}(optional)
- Standard JSON: Direct JSON-RPC response
- SSE Streaming: Response sent via Server-Sent Events
SSE Keep-Alive Ping
When satellites are deployed behind reverse proxies (Cloudflare, nginx), idle SSE connections can timeout after 60-100 seconds, causing502 Bad Gateway errors for MCP clients.
Solution: The satellite includes an SsePingService that sends periodic SSE comments to keep connections alive:
- Ping interval: Every 30 seconds
- Ping format:
: ping\n\n(SSE comment, ignored by clients) - Automatic cleanup: Connections are removed when closed
- When a client opens an SSE connection (GET
/mcp), the session is registered - Every 30 seconds, the service sends a ping comment to all active connections
- The ping data keeps the TCP connection alive through proxy timeouts
- When the connection closes, it’s automatically unregistered
services/satellite/src/services/sse-ping-service.ts- Ping serviceservices/satellite/src/core/mcp-server-wrapper.ts- Connection registration
Supported MCP Methods
Core Protocol
initialize- Initialize MCP sessionnotifications/initialized- Client initialization complete
Tools
tools/list- List available tools from remote MCP serverstools/call- Execute tools on remote MCP servers
Resources
resources/list- List available resources from connected MCP serversresources/templates/list- List resource templates from connected MCP serversresources/read- Read resource content (proxied on-demand to origin server)
_meta Preservation: Resource metadata including
_meta fields is preserved through the proxy for MCP Apps support. Resource content is never cached — always proxied on-demand to the origin MCP server.Prompts
prompts/list- List available prompts (returns empty array)
OAuth Token Injection for HTTP/SSE Transports
When MCP servers require OAuth authentication (Notion, Box, Linear), the satellite automatically injects user OAuth tokens into HTTP requests.How It Works
- Configuration indicates OAuth: Server config includes
requires_oauth: true - Token retrieval: Satellite requests user’s tokens from backend
- Header injection: Tokens added to
Authorizationheader - Request forwarding: Full request sent to MCP server with credentials
Header Merging Priority
When building HTTP requests to OAuth MCP servers, headers are merged in this order:- Base headers (Content-Type, User-Agent, MCP-Protocol-Version)
- Server configuration headers (from
config.headers) - OAuth Authorization header (from backend token retrieval)
Example Header Merge
Team configuration:Error Handling
JSON-RPC Errors
HTTP Errors
Common Error Codes
-32600- Invalid Request-32601- Method not found-32603- Internal error-32001- Session not found (custom)
Client Integration
MCP Client Configuration
Standard Configuration:Development Setup
Local Testing
-
Start Satellite:
-
Test MCP Connection:
Protocol Features
The official MCP SDK provides:- Automatic Session Management: Sessions created and managed transparently
- Standard Protocol Compliance: Full MCP specification 2025-03-26 support
- Flexible Transport Options: JSON and SSE streaming responses
- Built-in Error Handling: Standard JSON-RPC error responses
Security Considerations
- No Authentication: Current implementation has no security layer
- Session Isolation: Sessions are isolated by cryptographic session IDs
- Resource Limits: 30-minute session timeout prevents resource exhaustion
- CORS Support: Cross-origin requests supported via preflight handling
Logging and Monitoring
All transport protocols generate structured logs with:- Operation tracking
- Session management events
- Error conditions
- Performance metrics

