mcp-go. Both serve Streamable HTTP, and both are resource servers — they verify a bearer token but do not implement an OAuth authorization server or dynamic client registration. That’s the defining fact for MCP Manager: with Go you connect via the token-in-header or pre-registration modes, with any DCR handled by a separate authorization server. This page covers that path; the frameworks’ own docs are authoritative.
Serve Streamable HTTP
Both frameworks expose Streamable HTTP as anhttp.Handler:
- Official Go SDK:
mcp.NewStreamableHTTPHandler(getServer, opts)returns a handler serving a single MCP endpoint. See the repo and theauthpackage. - mcp-go:
server.NewStreamableHTTPServer(mcpServer, server.WithEndpointPath("/mcp")), with options likeWithStatefulandWithStreamableHTTPCORS. See the repo.
Authenticate as a resource server
Neither framework issues tokens or registers clients — they validate tokens an external authorization server issued, and advertise that authorization server through RFC 9728 metadata.- Official Go SDK: wrap your handler with
auth.RequireBearerToken(verifier, opts)(it returns401with aWWW-Authenticatepointing at your metadata) and serveauth.ProtectedResourceMetadataHandler(...). - mcp-go: serve
server.NewProtectedResourceMetadataHandler(...)at/.well-known/oauth-protected-resource; do token validation in your own middleware.
/register endpoint to expose. If you need DCR, put a DCR-capable authorization server in front and let the Go server validate its tokens.
MCP Manager compatibility checklist
Streamable HTTP at a fixed path
NewStreamableHTTPHandler (Go
SDK) or NewStreamableHTTPServer
(mcp-go) at a stable path; not an
SSE-only endpoint.Stateless or sticky on multi-instance
Choose token or pre-registration
Advertise the authorization server (RFC 9728)
resource set to your public
URL.Go gotchas
No dynamic client registration
No dynamic client registration
registration_endpoint on the Go server itself — use token or pre-registration. See the auth modes.Sessions held in memory
Sessions held in memory
Audience must match your public URL
Audience must match your public URL
401.Further reading
Official Go SDK
auth package for bearer verification.
