embabel · alexheifetz · Mar 24, 2026 · Mar 24, 2026
diff --git a/examples-common/pom.xml b/examples-common/pom.xml
@@ -36,6 +36,11 @@
             <artifactId>spring-data-commons</artifactId>
         </dependency>
 
+        <dependency>
+            <groupId>com.embabel.agent</groupId>
+            <artifactId>embabel-agent-mcp-security</artifactId>
+        </dependency>
+
     </dependencies>
 
     <build>

diff --git a/examples-common/src/main/kotlin/com/embabel/example/common/support/McpServers.kt b/examples-common/src/main/kotlin/com/embabel/example/common/support/McpServers.kt
@@ -23,4 +23,6 @@ object McpServers {
     const val NPX_WINDOWS: String = "npx-windows"
 
     const val NPX_LINUX: String = "npx-linux"
+
+    const val SECURED_PROFILE: String = "secured"
 }
diff --git a/examples-common/src/main/resources/application-secured.yml b/examples-common/src/main/resources/application-secured.yml
@@ -0,0 +1,16 @@
+spring:
+  security:
+    oauth2:
+      resourceserver:
+        jwt:
+          public-key-location: classpath:keys/public.pem
+          jws-algorithms: RS256
+
+server:
+  port: 8443
+
+spring.ai.mcp.server:
+  name: embabel-secured-examples
+  version: 1.0.0
+
+embabel.agent.application.name: embabel-secured-examples
diff --git a/examples-common/src/main/resources/keys/README.txt b/examples-common/src/main/resources/keys/README.txt
@@ -0,0 +1,16 @@
+This directory holds the RSA public key used for local JWT validation.
+
+The public key is safe to commit. The private key must never be committed.
+Add **/keys/private.pem to .gitignore (already done in the repo root).
+
+Generate the key pair with:
+
+  openssl genrsa -out private.pem 2048
+  openssl rsa -in private.pem -pubout -out public.pem
+
+Keep private.pem in this directory locally for token generation.
+public.pem is read by Spring Security at startup via:
+  spring.security.oauth2.resourceserver.jwt.public-key-location=classpath:keys/public.pem
+
+For production replace public-key-location with issuer-uri or jwk-set-uri
+pointing at your real IdP in application-secured.yml.
diff --git a/examples-common/src/main/resources/keys/generate_token.py b/examples-common/src/main/resources/keys/generate_token.py
@@ -0,0 +1,17 @@
+import jwt
+import datetime
+from cryptography.hazmat.primitives.serialization import load_pem_private_key
+
+private_key = load_pem_private_key(open("private.pem", "rb").read(), password=None)
+
+token = jwt.encode(
+    {
+        "sub": "test-user",
+        "authorities": ["news:read", "market:admin"],
+        "exp": datetime.datetime.utcnow() + datetime.timedelta(hours=24)
+    },
+    private_key,
+    algorithm="RS256"
+)
+
+print(token)
diff --git a/examples-common/src/main/resources/keys/public.pem b/examples-common/src/main/resources/keys/public.pem
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArGZqbdFlHHD4oJIPojpw
+xC24wJyYgLgowZtNY0tm3GA4K0r25SoQLnMt7xrkC1qd42mb57xANQ38e0G9FpP9
+HlpTwk1QpU4YOphSAT6CM7Ilv2BT1EFFru0W/fAp+157kMiq2AU4cVBfKZaNn6hM
+m9kwj3XX1n33DyBRgRPoZXpyVkg7fG0p1jm4f7kAee5pVtbLQPQRRGwALUgjk441
+1Zax7vxozzfsrzrl2VGzk5c+awUO98odvjfCBpjmrTPGcvTnqkTlNejFDhV6Viy6
+Mw5zkVeRhw8bubdVQR7g2Y/ja+ni5aheVxvU4IY0LaWUI3cPhcrQYjxfMfIrecjs
+yQIDAQAB
+-----END PUBLIC KEY-----
diff --git a/examples-kotlin/pom.xml b/examples-kotlin/pom.xml
@@ -170,5 +170,33 @@
                 </plugins>
             </build>
         </profile>
+        <profile>
+            <id>enable-secured-agent-mcp-server</id>
+            <activation>
+                <activeByDefault>false</activeByDefault>
+            </activation>
+            <dependencies>
+                <dependency>
+                    <groupId>com.embabel.agent</groupId>
+                    <artifactId>embabel-agent-starter-mcpserver</artifactId>
+                </dependency>
+                <dependency>
+                    <groupId>com.embabel.agent</groupId>
+                    <artifactId>embabel-agent-starter-mcpserver-security</artifactId>
+                </dependency>
+            </dependencies>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.springframework.boot</groupId>
+                        <artifactId>spring-boot-maven-plugin</artifactId>
+                        <configuration>
+                            <mainClass>com.embabel.example.KotlinAgentSecuredMcpServerApplicationKt</mainClass>
+                        </configuration>
+                        <version>${spring-boot.version}</version>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
     </profiles>
 </project>
diff --git a/...ples-kotlin/src/main/kotlin/com/embabel/example/KotlinAgentSecuredMcpServerApplication.kt b/...ples-kotlin/src/main/kotlin/com/embabel/example/KotlinAgentSecuredMcpServerApplication.kt
@@ -0,0 +1,80 @@
+/*
+ * Copyright 2024-2026 Embabel Pty Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.embabel.example
+
+import com.embabel.example.common.support.McpServers
+import org.springframework.boot.autoconfigure.SpringBootApplication
+import org.springframework.boot.context.properties.ConfigurationPropertiesScan
+import org.springframework.boot.runApplication
+
+/**
+ * Spring Boot application that runs the secured Embabel agent MCP server.
+ *
+ * Extends the base MCP server with two additional security layers:
+ *
+ *
+ * ### Agents exposed
+ *
+ * | Agent | Required authority |
+ * |---|---|
+ * | `NewsDigestAgent` | `news:read` |
+ * | `MarketIntelligenceAgent` | `market:admin` |
+ *
+ *
+ * ### OAuth2 configuration
+ *
+ * Configure your issuer URI in `examples-common/application-secured.yml`:
+ * ```yaml
+ * spring:
+ *   security:
+ *     oauth2:
+ *       resourceserver:
+ *         jwt:
+ *           issuer-uri: https://your-idp.example.com
+ * ```
+ *
+ * MCP clients must pass a signed JWT carrying the required authorities:
+ * ```
+ * Authorization: Bearer <signed-jwt-with-required-authorities>
+ * ```
+ * Use `McpSyncHttpClientRequestCustomizer` on the client side to attach the header.
+ *
+ * @see com.embabel.agent.config.mcpserver.security.SecuredAgentSecurityConfiguration
+ * @see com.embabel.agent.config.mcpserver.security.SecureAgentToolConfiguration
+ */
+@SpringBootApplication
+@ConfigurationPropertiesScan(
+    basePackages = ["com.embabel.example"]
+)
+class KotlinAgentSecuredMcpServerApplication
+
+/**
+ * Application entry point.
+ *
+ * Activates the [McpServers.DOCKER], [McpServers.DOCKER_DESKTOP], and `secured` profiles,
+ * enabling the Docker-based MCP transport and JWT security configuration.
+ *
+ * @param args command-line arguments forwarded to Spring Boot
+ */
+fun main(args: Array<String>) {
+    runApplication<KotlinAgentSecuredMcpServerApplication>(*args) {
+        setAdditionalProfiles(
+            McpServers.DOCKER,
+            McpServers.DOCKER_DESKTOP,
+            McpServers.SECURED_PROFILE,
+        )
+    }
+}