The central metadata hub for enterprise MCP governance and discovery
The ToolHive Registry Server (thv-registry-api) implements the official Model Context Protocol (MCP) Registry API specification. It serves as the centralized metadata engine for the ToolHive platform, enabling enterprises to curate, discover, and govern MCP servers with security and auditability built-in.
- Features
- Quickstart
- Core Concepts
- API Endpoints
- Configuration
- Deployment
- Development
- Documentation
- Contributing
- OAuth 2.0/OIDC authentication: Integrate with enterprise identity providers (Okta, Auth0, Azure AD)
- Multi-provider support: Combine corporate SSO with Kubernetes service accounts
- Secure by default: OAuth mode enabled by default, with granular access control
- Audit trail: Track MCP discovery and access through centralized metadata
- Curated registries: Aggregate multiple sources into a unified catalog
- Upstream verified: Sync from public MCP registries implementing the standard API
- File-based registries: Support both ToolHive and upstream
server.jsonformats - Internal custom MCPs: Manage organization-specific MCP servers
- Kubernetes discovery: Automatically discover MCPs deployed in your clusters
- Automatic synchronization: Background sync with configurable intervals and retry logic
- Central metadata hub: Powers the ToolHive Enterprise UI with MCP metadata
- ToolHive Operator integration: Provides metadata for Kubernetes-native MCP deployment
- PostgreSQL backend: Scalable database storage with automatic migrations
- Standards-compliant: Implements the official MCP Registry API specification
- Production-ready: Built-in health checks, graceful shutdown, and observability
- Go 1.23 or later (for building from source)
- Task for build automation
- PostgreSQL 16+ (optional, for database backend)
# Build the binary
task build
# Run with Git source
thv-registry-api serve --config examples/config-git.yaml
# Run with local file
thv-registry-api serve --config examples/config-file.yamlThe server starts on http://localhost:8080 by default.
# Using Task (recommended - ensures fresh state)
task docker-up
# Or detached mode
task docker-up-detached
# Access the API
curl http://localhost:8080/registry/v0.1/servers
# Stop and clean up
task docker-downNote: The
task docker-upcommand ensures a fresh start by rebuilding the image and clearing all volumes (database + registry data). This prevents stale state issues.
- Loads configuration from YAML file
- Runs database migrations automatically (if configured)
- Immediately fetches registry data from configured sources
- Starts background sync coordinator for automatic updates
- Serves MCP Registry API endpoints
The Registry Server enables enterprises to curate MCP catalogs from multiple sources, creating a unified view for developers and knowledge workers:
| Type | Description | Enterprise Use Case | Sync |
|---|---|---|---|
| API | Upstream MCP Registry APIs | Official MCP Registry (registry.modelcontextprotocol.io) or any registry implementing the upstream specification | β Auto |
| Git | Clone from Git repositories | Version-controlled internal registries | β Auto |
| File | Read from local filesystem | Simple curated lists in ToolHive or upstream format | β Auto |
| Managed | API-managed registry | Internal custom MCPs (dynamically managed) | β On-demand |
| Kubernetes | Discover from K8s deployments | Organization-deployed MCPs (live discovery) | β On-demand |
Key capability: Configure multiple registries simultaneously to create a federated catalog that combines:
- Official MCP Registry (registry.modelcontextprotocol.io) or any registry implementing the upstream specification
- Internal organization-specific MCPs
- Kubernetes-deployed MCPs
- Custom curated collections
Configuration example:
sources:
- name: local
format: toolhive
file:
path: /data/registry.json
registries:
- name: my-registry
sources:
- localFor Git-based sources:
sources:
- name: toolhive
format: toolhive
git:
repository: https://github.com/stacklok/toolhive-catalog.git
branch: main
path: pkg/catalog/toolhive/data/registry.json
syncPolicy:
interval: '30m'
registries:
- name: my-registry
sources:
- toolhiveSee Configuration Guide for complete details.
The server follows clean architecture with clear separation of concerns:
βββββββββββββββββββββββββββββββββββββββββββββββ
β API Layer (Chi Router) β
β ββ Registry API v0.1 β
β ββ Admin API v1 β
β ββ OAuth/OIDC Middleware β
βββββββββββββββββββββββββββββββββββββββββββββββ
β
βββββββββββββββββββββββββββββββββββββββββββββββ
β Service Layer (RegistryService) β
β ββ PostgreSQL backend β
βββββββββββββββββββββββββββββββββββββββββββββββ
β
βββββββββββββββββββββββββββββββββββββββββββββββ
β Data Source Layer β
β ββ Git Handler β
β ββ API Handler β
β ββ File Handler β
β ββ Managed Handler β
β ββ Kubernetes Handler β
βββββββββββββββββββββββββββββββββββββββββββββββ
β
βββββββββββββββββββββββββββββββββββββββββββββββ
β Sync Layer (Background Coordinator) β
βββββββββββββββββββββββββββββββββββββββββββββββ
Key directories:
internal/api/- HTTP API handlersinternal/service/- Business logicinternal/sources/- Data source handlersinternal/sync/- Background synchronizationinternal/auth/- OAuth/OIDC authenticationinternal/db/- Database access (sqlc generated)internal/config/- Configuration loadinginternal/app/- Application builder and startupinternal/telemetry/- OpenTelemetry integrationdatabase/- SQL migrations and queries
Fully compatible with the upstream MCP Registry API specification:
GET /registry/{registryName}/v0.1/servers- List servers from a specific registryGET /registry/{registryName}/v0.1/servers/{name}/versions- List all versions of a serverGET /registry/{registryName}/v0.1/servers/{name}/versions/{version}- Get a specific server version
Note: Git, API, File, and Kubernetes sources are read-only through the registry API.
ToolHive-specific endpoints for managing sources, registries, and entries:
Source management (requires manageSources role):
GET /v1/sources- List all configured sourcesGET /v1/sources/{name}- Get a source by namePUT /v1/sources/{name}- Create or update a sourceDELETE /v1/sources/{name}- Delete a sourceGET /v1/sources/{name}/entries- List entries for a source
Registry management (reads: authenticated; writes require manageRegistries role):
GET /v1/registries- List all configured registries with statusGET /v1/registries/{name}- Get registry details and sync statusGET /v1/registries/{name}/entries- List entries for a registryPUT /v1/registries/{name}- Create or update a registryDELETE /v1/registries/{name}- Delete a registry
Entry management (requires manageEntries role):
POST /v1/entries- Publish a server or skill entryDELETE /v1/entries/{type}/{name}/versions/{version}- Delete a published entryPUT /v1/entries/{type}/{name}/claims- Update entry claims
GET /health- Health checkGET /readiness- Readiness checkGET /version- Version informationGET /.well-known/oauth-protected-resource- OAuth discovery (RFC 9728)
- Registry API: Standards-compliant MCP discovery for clients and upstream integrations
- Admin API: Manage sources and registries, publish entries, query registry status
See the MCP Registry API specification for full API details.
All configuration is done via YAML files. The server requires a --config flag.
sources:
- name: local
format: toolhive
file:
path: /data/registry.json
registries:
- name: my-registry
sources:
- local
auth:
mode: anonymous # Use "oauth" for production
# Optional: Add a Git-based source
# sources:
# - name: toolhive
# format: toolhive
# git:
# repository: https://github.com/stacklok/toolhive-catalog.git
# branch: main
# path: pkg/catalog/toolhive/data/registry.json
# syncPolicy:
# interval: "30m"
# registries:
# - name: my-registry
# sources:
# - toolhive
# Optional: Database backend
# database:
# host: localhost
# port: 5432
# user: registry
# database: registry- Configuration reference - Complete configuration options
- Environment variables - Using environment variables for configuration
- Database setup - PostgreSQL configuration, migrations, and security
- Authentication - OAuth/OIDC setup and security
See examples/ directory for complete working examples:
config-git.yaml- Git repository sourceconfig-api.yaml- API endpoint sourceconfig-file.yaml- Local file sourceconfig-database-dev.yaml- With database (development)config-database-prod.yaml- With database (production)config-docker.yaml- For Docker Compose
Quick start with PostgreSQL (ensures fresh state):
# Start with fresh state (recommended)
task docker-up
# Or detached mode
task docker-up-detached
# View logs
task docker-logs # All logs
FOLLOW=true task docker-logs # Tail logs
# Stop and clean up
task docker-downNote: Always use
task docker-upinstead ofdocker-compose updirectly. The task command ensures fresh state by rebuilding the image and clearing volumes.
See Docker deployment guide for details.
Basic deployment:
kubectl apply -f examples/kubernetes/See Kubernetes deployment guide for production setup.
# Linux/macOS
./bin/thv-registry-api serve --config config.yaml
# With environment variables
export THV_REGISTRY_DATABASE_HOST=postgres.example.com
export THV_REGISTRY_AUTH_MODE=anonymous
./bin/thv-registry-api serve --config config.yaml- Docker & Docker Compose - Container deployment
- Kubernetes - K8s deployment, HA, and production best practices
# Build the binary
task build
# Run linting (auto-fix)
task lint-fix
# Run tests
task test
# Generate mocks
task gen
# Build container image
task build-image
# Run database migrations
task migrate-up CONFIG=examples/config-database-dev.yaml
# Regenerate documentation
task docs
# All checks (lint + test + build)
task all# Generate mocks before testing
task gen
# Run all tests
task test
# Run specific test
go test ./internal/service/... -vThe project uses table-driven tests with mocks generated via go.uber.org/mock.
cmd/thv-registry-api/ # Main application
βββ app/ # CLI commands (serve, migrate, prime-db, version)
βββ main.go
internal/ # Internal packages
βββ api/ # HTTP API handlers
βββ auth/ # OAuth/OIDC authentication
βββ config/ # Configuration loading
βββ db/ # Database access (sqlc generated)
βββ service/ # Business logic
βββ sources/ # Data source handlers (Git, API, File, Managed, Kubernetes)
βββ sync/ # Background sync coordination
βββ app/ # Application builder and startup
βββ filtering/ # Registry entry filtering
βββ telemetry/ # OpenTelemetry integration
βββ validators/ # Input validation
βββ registry/ # Registry data models
database/ # Database schema and queries
βββ migrations/ # SQL migrations
βββ queries/ # SQL queries for sqlc
examples/ # Example configurations
docs/ # Documentation
- Configuration reference - All configuration options
- Environment variables - Using environment variables for configuration
- Database setup - PostgreSQL setup and migrations
- Authentication - OAuth/OIDC security
- Kubernetes deployment - K8s deployment guide
- Docker deployment - Docker & Docker Compose
- API documentation - Auto-generated OpenAPI docs
- CLI reference - Command-line interface docs
- Examples - Working configuration examples
- CLAUDE.md - AI assistant guidance for contributors
| I want to... | See... |
|---|---|
| Get started quickly | Quickstart |
| Configure the server | Configuration reference |
| Set up PostgreSQL | Database setup |
| Enable authentication | Authentication guide |
| Deploy to Kubernetes | Kubernetes guide |
| Use Docker Compose | Docker guide |
| Contribute code | Contributing |
The Registry API server is the central metadata engine of the ToolHive platform:
- Metadata source: Provides MCP details (name, description, URL, version, branding)
- Server status: Reports sync status and availability for each registry
- Discovery experience: Powers the catalog browsing and search in the Enterprise UI
- Authentication: Enforces OAuth/OIDC access control from your identity provider
- Deployment metadata: Operator references registry data when deploying MCPs to Kubernetes
- Automated discovery: Kubernetes-deployed MCPs automatically appear in the registry
- Custom Resource binding: MCPRegistry CRDs are backed by Registry Server data
- Lifecycle management: Tracks deployed MCP versions and configurations
- Centralized control: Single source of truth for approved MCPs
- Identity integration: Seamless integration with Okta, Auth0, Azure AD, and other providers
- Kubernetes-native: All MCP execution stays within your Kubernetes boundary
- Audit trail: Track MCP discovery and consumption patterns
See the ToolHive documentation for the complete platform architecture.
We welcome contributions! Please see:
- Contributing guide - How to contribute
- Code of conduct - Community guidelines
- Security policy - Report security vulnerabilities
- CLAUDE.md - AI assistant guidance for development
- Run
task lint-fixbefore committing - Ensure tests pass with
task test - Follow Go standard project layout
- Use mockgen for test mocks (never hand-written)
- Write table-driven tests
- Keep documentation up to date
# Clone the repository
git clone https://github.com/stacklok/toolhive-registry-server.git
cd toolhive-registry-server
# Install dependencies
go mod download
# Run all checks
task all
# Make your changes...
# Run tests
task gen
task test
# Submit PRThis project is licensed under the Apache 2.0 License.
Part of the ToolHive project - Simplify and secure MCP servers