Blueprint · advanced · 11 steps

Build a Shared-Skills MCP Server

A team snippet library exposed as a remote MCP server: Supabase OAuth 2.1 with dynamic client registration, workspaces with RLS-enforced sharing, and one `claude mcp add` to wire your whole team's saved prompts into Claude.

← All blueprints

Your progress0 / 11 steps· 0%

All steps

01Step 1: What We're BuildingA remote MCP server that lets your team save prompt snippets to a shared library and pull them back into Claude — Supabase OAuth 2.1 for auth, workspaces for sharing, RLS for isolation, one `claude mcp add` to wire everyone in.5 min→02Step 2: Project SetupCreate the Supabase project, scaffold the Edge Function repo, install the MCP SDK + Hono, and verify the toolchain works before we touch auth or schema.3 min→03Step 3: Database Schema & RLSThree tables — workspaces, workspace_members, snippets — wired up with Row-Level Security policies that scope reads and writes by workspace membership, so the MCP tools we write later can stay dumb.5 min→04Step 4: Enabling Supabase OAuth 2.1Turn on Supabase's built-in OAuth 2.1 server (GA in 2026), confirm dynamic client registration is enabled, and verify the well-known discovery endpoint your MCP clients will hit.4 min→05Step 5: MCP Server Skeleton + Protected Resource MetadataWire the MCP SDK into Hono, expose the Streamable HTTP endpoint, and serve the Protected Resource Metadata document that points MCP clients at Supabase's auth server.4 min→06Step 6: Validating OAuth TokensVerify incoming bearer tokens against Supabase's JWKS, check the audience binding so stolen-from-elsewhere tokens can't be replayed, and attach the resolved user to the request.5 min→07Step 7: Authenticated Supabase Client (RLS in Action)Take the verified user token and create a per-request Supabase client that runs every query as that user — RLS does the rest, so tool implementations stay short.4 min→08Step 8: Snippet Tools (list, get, save)Wire the MCP SDK in, register the first three tools with Zod-validated inputs and clear `description`s, and verify Claude (via curl + the MCP Inspector) can discover and call them.6 min→09Step 9: Sharing & Workspace ManagementAdd `share_snippet`, `list_workspaces`, `create_workspace`, and `invite_to_workspace` — exercising the owner-role check and surfacing workspace metadata so Claude can pick the right target.6 min→10Step 10: MCP Resources — Browseable Workspaces & CollectionsExpose workspaces and snippet collections as MCP *resources* so Claude can browse and read snippets without invoking a tool — useful for prompt-as-context workflows.6 min→11Step 11: Deploy + Connect Claude + Production ChecklistPush the Edge Function, run `claude mcp add`, walk the OAuth flow end-to-end, and tick through the production readiness checklist (rate limits, observability, key rotation, security review).8 min→