Happy slice of mcp pizzaMCP.pizza
Fire in da houseTop Tip:Paying $100+ per month for Perplexity, MidJourney, Runway, ChatGPT and other tools is crazy - get all your AI tools in one site starting at $15 per month with Galaxy AI Fire in da houseCheck it out free

trusted-mcp-server

MCP.Pizza Chef: 0xfreysa

The trusted-mcp-server is a secure Gmail MCP server operating within an AWS Nitro Enclave Trusted Execution Environment. It provides a remote MCP server implementation using server-sent events (SSE) transport, enabling safe and trusted access to Gmail data. Originally forked from the Claude Post MCP server, it emphasizes security by leveraging AWS Nitro's hardware-based isolation, making it suitable for sensitive email workflows requiring strong trust guarantees.

Use This MCP server To

Access Gmail data securely within a trusted execution environment Enable remote MCP client connections to Gmail via SSE transport Protect email credentials using AWS Nitro Enclave isolation Integrate Gmail email context into AI workflows with strong security Run MCP servers remotely with hardware-backed trust guarantees

README

Trusted GMail MCP Server

This is a gmail MCP server running inside a secure AWS Nitro enclave instance. It was originally forked from the Claude Post MCP server. Most MCP servers are run locally via the stdio transport; we followed this guide to implement a remote MCP server using sse transport.

Connect to the MCP Server

To use this MCP server, you will need an app-specific password.

Then simply add the following block to your client's mcp.json file.

    "gmail_mcp": {
      "url": "https://gmail.mcp.freysa.ai/sse/?ADDR=<your.email@gmail.com>&ASP=<your app-specific password>"
    }

Note that you might have to restart your client.

Security Notice

This implementation is a proof of concept. Passing app-specific passwords in URLs is not a secure pattern because:

  • URLs can be logged by proxies, browsers and servers
  • URLs may appear in browser history
  • URLs can be leaked via the Referer header to third-party sites

Unfortunately, current MCP clients have limitations on how they connect to servers. At the moment of release, MCP specification does not define a standard authentication mechanism for SSE servers. This means we can't use more secure patterns like bearer tokens or other authorization headers that would normally be preferred.

For additional security, consider:

  1. Using a dedicated app-specific password just for this purpose
  2. Accessing this over a secure VPN or private network
  3. Running your own instance with the provided instructions

Concept

AWS Nitro Enclaves provide isolated compute environments that enhance security through hardware-based attestation. When code runs in a Nitro Enclave, the platform generates cryptographic measurements of the code's identity and state. These measurements serve as a verifiable guarantee that the code has not been modified and is executing exactly as intended, protecting against tampering or unauthorized modifications. For more information, see this blog post.

We use Nitriding to quickly deploy code in an AWS Nitro TEE.

Verify the code attestation

To verify that the intended codebase is the one running in our TEE, you must reproduce running it in an AWS Nitro enclave yourself. Instructions to do so are below. Once you have it running, you can verify it using this repository as follows.

  1. First build the code.
cd verifier

pnpm install && pnpm run build
  1. Then run the verifier locally.
cd mcp/react-ts-webpack

pnpm i && pnpm run dev
  1. Then open http://localhost:8080/ in your browser. You will be prompted to add two fields

(a) the PCR2 hash, which is a hash of the codebase

(b) the Code attestation, which is signed by AWS

  1. Click the "Verify Attestation" button

Run your own instance in a TEE

You can reproduce running this server in a TEE as follows.

  1. Use the AWS EC2 console to select a sufficiently large instance and be sure to enable Nitro.

  2. Make sure that the ports needed by your application are open by checking the security group, in "security" tab of the instance in the ec2 console.

  3. Clone this repo to your ec2 instance.

  4. Run the setup script to download all necessary dependencies.

sudo /setup.sh
  1. Allocate more memory for the enclave if necessary.
sudo nano /etc/nitro_enclaves/allocator.yaml

sudo systemctl restart nitro-enclaves-allocator.service
  1. Run the enclave.
make
  1. Run in production mode.
make run

Use your MCP server

To actually use the MCP server, you will also need to run the gvproxy, as follows.

screen
./gvproxy.sh

Then you can curl the healthcheck endpoint to confirm that the MCP server is running in the enclave.

curl http://127.0.0.1:7047/

trusted-mcp-server FAQ

How do I connect to the trusted-mcp-server?
Use an app-specific Gmail password and configure your MCP client with the provided SSE URL.
What transport protocol does the trusted-mcp-server use?
It uses server-sent events (SSE) for remote MCP client communication.
Why is AWS Nitro Enclave used for this MCP server?
AWS Nitro Enclave provides hardware-based trusted execution to securely isolate email data and credentials.
Is this MCP server suitable for production use?
This implementation is a proof of concept and should be carefully evaluated before production deployment.
Can I use this server with any MCP client?
Yes, as long as the client supports SSE transport and Gmail MCP protocol.
How do I obtain the app-specific password required?
Generate it from your Google account security settings under app passwords.
Does this server support other email providers?
Currently, it is designed specifically for Gmail within AWS Nitro Enclave.
What security benefits does this MCP server provide?
It ensures email data and credentials are processed in a hardware-isolated trusted environment.