Update README.md

2025-04-03 17:36:09 +05:30
29 changed files with 212 additions and 2014 deletions
--- a/.github/scripts/release.sh
+++ b/.github/scripts/release.sh
@ -1,124 +0,0 @@
 #!/bin/bash
 # Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).
 #
 # This software is the property of WSO2 LLC. and its suppliers, if any.
 # Dissemination of any information or reproduction of any material contained
 # herein in any form is strictly forbidden, unless permitted by WSO2 expressly.
 # You may not alter or remove any copyright or other notice from copies of this content.
 #
 # Exit the script on any command with non-zero exit status.
 set -e
 set -o pipefail
 UPSTREAM_BRANCH="main"
 # Assign command line arguments to variables.
 GIT_TOKEN=$1
 WORK_DIR=$2
 VERSION_TYPE=$3 # possible values: major, minor, patch
 # Check if GIT_TOKEN is empty
 if [ -z "$GIT_TOKEN" ]; then
  echo "❌ Error: GIT_TOKEN is not set."
  exit 1
 fi
 # Check if WORK_DIR is empty
 if [ -z "$WORK_DIR" ]; then
  echo "❌ Error: WORK_DIR is not set."
  exit 1
 fi
 # Validate VERSION_TYPE
 if [[ "$VERSION_TYPE" != "major" && "$VERSION_TYPE" != "minor" && "$VERSION_TYPE" != "patch" ]]; then
  echo "❌ Error: VERSION_TYPE must be one of: major, minor, or patch."
  exit 1
 fi
 BUILD_DIRECTORY="$WORK_DIR/build"
 RELEASE_DIRECTORY="$BUILD_DIRECTORY/releases"
 # Navigate to the working directory.
 cd "${WORK_DIR}"
 # Create the release directory.
 if [ ! -d "$RELEASE_DIRECTORY" ]; then
  mkdir -p "$RELEASE_DIRECTORY"
 else
  rm -rf "$RELEASE_DIRECTORY"/*
 fi
 # Extract current version.
 CURRENT_VERSION=$(git describe --tags --abbrev=0 2>/dev/null || echo "0.0.0")
 IFS='.' read -r MAJOR MINOR PATCH <<< "${CURRENT_VERSION}"
 # Determine which part to increment
 case "$VERSION_TYPE" in
  major)
    MAJOR=$((MAJOR + 1))
    MINOR=0
    PATCH=0
    ;;
  minor)
    MINOR=$((MINOR + 1))
    PATCH=0
    ;;
  patch|*)
    PATCH=$((PATCH + 1))
    ;;
 esac
 NEW_VERSION="${MAJOR}.${MINOR}.${PATCH}"
 echo "Creating release packages for version $NEW_VERSION..."
 # List of supported OSes.
 oses=("linux" "linux-arm" "darwin")
 # Navigate to the release directory.
 cd "${RELEASE_DIRECTORY}"
 for os in "${oses[@]}"; do
  os_dir="../$os"
  if [ -d "$os_dir" ]; then
    release_artifact_folder="openmcpauthproxy_${os}-v${NEW_VERSION}"
    mkdir -p "$release_artifact_folder"
    cp -r $os_dir/* "$release_artifact_folder"
    # Zip the release package.
    zip_file="$release_artifact_folder.zip"
    echo "Creating $zip_file..."
    zip -r "$zip_file" "$release_artifact_folder"
    # Delete the folder after zipping.
    rm -rf "$release_artifact_folder"
    # Generate checksum file.
    sha256sum "$zip_file" | sed "s|target/releases/||" > "$zip_file.sha256"
    echo "Checksum generated for the $os package."
    echo "Release packages created successfully for $os."
  else
    echo "Skipping $os release package creation as the build artifacts are not available."
  fi
 done
 echo "Release packages created successfully in $RELEASE_DIRECTORY."
 # Navigate back to the project root directory.
 cd "${WORK_DIR}"
 # Collect all ZIP and .sha256 files in the target/releases directory.
 FILES_TO_UPLOAD=$(find build/releases -type f \( -name "*.zip" -o -name "*.sha256" \))
 # Create a release with the current version.
 TAG_NAME="v${NEW_VERSION}"
 export GITHUB_TOKEN="${GIT_TOKEN}"
 gh release create "${TAG_NAME}" ${FILES_TO_UPLOAD} --title "${TAG_NAME}" --notes "OpenMCPAuthProxy - ${TAG_NAME}" --target "${UPSTREAM_BRANCH}" || { echo "Failed to create release"; exit 1; }
 echo "Release ${TAG_NAME} created successfully."
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@ -1,71 +0,0 @@
 name: Build and Push container
 run-name: Build and Push container
 on:
  workflow_dispatch:
  #schedule:
  #  - cron: "0 10 * * *"
  push:
    branches:
      - 'main'
      - 'master'
    tags:
      - 'v*'
  pull_request:
    branches:
      - 'main'
      - 'master'
 env:
  IMAGE: git.kvant.cloud/${{github.repository}}
 jobs:
  build_concierge_backend:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Set current time
        uses: https://github.com/gerred/actions/current-time@master
        id: current_time
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to git.kvant.cloud registry
        uses: docker/login-action@v3
        with:
          registry: git.kvant.cloud
          username: ${{ vars.ORG_PACKAGE_WRITER_USERNAME }}
          password: ${{ secrets.ORG_PACKAGE_WRITER_TOKEN }}
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          # list of Docker images to use as base name for tags
          images: |
            ${{env.IMAGE}}
          # generate Docker tags based on the following events/attributes
          tags: |
            type=schedule
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
      - name: Build and push to gitea registry
        uses: docker/build-push-action@v6
        with:
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          context: .
          provenance: mode=max
          sbom: true
          build-args: |
            BUILD_DATE=${{ steps.current_time.outputs.time }}
          cache-from: |
            type=registry,ref=${{ env.IMAGE }}:buildcache
            type=registry,ref=${{ env.IMAGE }}:${{ github.ref_name }}
            type=registry,ref=${{ env.IMAGE }}:main
          cache-to: type=registry,ref=${{ env.IMAGE }}:buildcache,mode=max,image-manifest=true
--- a/.github/workflows/pr-builder.yml
+++ b/.github/workflows/pr-builder.yml
@ -1,62 +0,0 @@
 name: Go CI
 on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
 jobs:
  test:
    name: Test
    runs-on: ubuntu-latest
    strategy:
      matrix:
        go-version: ['1.20', '1.21']
    steps:
    - name: Checkout code
      uses: actions/checkout@v3
    - name: Set up Go
      uses: actions/setup-go@v4
      with:
        go-version: ${{ matrix.go-version }}
    - name: Get dependencies
      run: go get -v -t -d ./...
    - name: Verify dependencies
      run: go mod verify
    - name: Run go vet
      run: go vet ./...
    - name: Run tests
      run: go test -v -race -coverprofile=coverage.txt -covermode=atomic ./...
    - name: Upload coverage to Codecov
      uses: codecov/codecov-action@v3
      with:
        files: ./coverage.txt
        fail_ci_if_error: false
  build:
    name: Build
    runs-on: ubuntu-latest
    strategy:
      matrix:
        go-version: ['1.20', '1.21']
        os: [ubuntu-latest, macos-latest]
    steps:
    - name: Checkout code
      uses: actions/checkout@v3
    - name: Set up Go
      uses: actions/setup-go@v4
      with:
        go-version: ${{ matrix.go-version }}
    - name: Build
      run: go build -v ./cmd/proxy
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -1,64 +0,0 @@
 #
 # Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).
 #
 # This software is the property of WSO2 LLC. and its suppliers, if any.
 # Dissemination of any information or reproduction of any material contained
 # herein in any form is strictly forbidden, unless permitted by WSO2 expressly.
 # You may not alter or remove any copyright or other notice from copies of this content.
 #
 name: Release
 on:
  workflow_dispatch:
    inputs:
      version_type:
        type: choice
        description: Choose the type of version update
        options:
            - 'major'
            - 'minor'
            - 'patch'
        required: true
 jobs:
  update-and-release:
    runs-on: ubuntu-latest
    env:
      GOPROXY: https://proxy.golang.org
    if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch'
    steps:
      - uses: actions/checkout@v2
        with:
          ref: 'main'
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/checkout@v2
      - name: Set up Go 1.x
        uses: actions/setup-go@v3
        with:
          go-version: "^1.x"
      - name: Cache Go modules
        id: cache-go-modules
        uses: actions/cache@v3
        with:
          path: |
            ~/.cache/go-build
            ~/go/pkg/mod
          key: ${{ runner.os }}-go-modules-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-modules-
      - name: Install dependencies
        run: go mod download
      - name: Build and test
        run: make build
        working-directory: .
      - name: Update artifact version, package, commit, and create release.
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: bash ./.github/scripts/release.sh $GITHUB_TOKEN ${{ github.workspace }} ${{ github.event.inputs.version_type }}
--- a/.gitignore
+++ b/.gitignore
@ -18,21 +18,15 @@
 *.zip
 *.tar.gz
 *.rar
 .venv
 # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
 hs_err_pid*
 replay_pid*
 # Go module cache files
 go.sum
 # OS generated files
 .DS_Store
-# builds
+openmcpauthproxy
 build
 # test out files
 coverage.out
 coverage.html
 # IDE files
 .vscode
--- a/48
+++ b/48
@ -1,48 +0,0 @@
 FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.24@sha256:d9db32125db0c3a680cfb7a1afcaefb89c898a075ec148fdc2f0f646cc2ed509 AS build
 ARG TARGETPLATFORM
 ARG BUILDPLATFORM
 ARG TARGETOS
 ARG TARGETARCH
 WORKDIR /workspace
 RUN apt update -qq && apt install -qq -y git bash curl g++
 # Download libraries
 ADD go.* .
 RUN go mod download
 # Build
 ADD cmd cmd
 ADD internal internal
 RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -o webhook -ldflags '-w -extldflags "-static"' -o openmcpauthproxy ./cmd/proxy
 #Test
 RUN CGO_ENABLED=1 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go test -v -race ./...
 # Build production container
 FROM --platform=${BUILDPLATFORM:-linux/amd64} ubuntu:24.04
 RUN apt-get update \
    && apt-get install --no-install-recommends -y \
    python3-pip \
    python-is-python3 \
    npm \
    && apt-get autoremove \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*
 RUN pip install uvenv --break-system-packages
 WORKDIR /app
 COPY --from=build /workspace/openmcpauthproxy /app/
 ADD config.yaml /app
 ENTRYPOINT ["/app/openmcpauthproxy"]
 ARG IMAGE_SOURCE
 LABEL org.opencontainers.image.source=$IMAGE_SOURCE
--- a/88
+++ b/88
@ -1,88 +0,0 @@
 # Makefile for open-mcp-auth-proxy
 # Variables
 PROJECT_ROOT := $(realpath $(dir $(abspath $(lastword $(MAKEFILE_LIST)))))
 BINARY_NAME := openmcpauthproxy
 GO := go
 GOFMT := gofmt
 GOVET := go vet
 GOTEST := go test
 GOLINT := golangci-lint
 GOCOV := go tool cover
 BUILD_DIR := build
 # Source files
 SRC := $(shell find . -name "*.go" -not -path "./vendor/*")
 PKGS := $(shell go list ./... | grep -v /vendor/)
 # Set build options
 BUILD_OPTS := -v
 # Set test options
 TEST_OPTS := -v -race
 .PHONY: all clean test fmt lint vet coverage help
 # Default target
 all: lint test build-linux build-linux-arm build-darwin
 build: clean test build-linux build-linux-arm build-darwin
 build-linux:
 	mkdir -p $(BUILD_DIR)/linux
 	GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -x -ldflags "-X main.version=$(BUILD_VERSION)" \
 	-o $(BUILD_DIR)/linux/openmcpauthproxy $(PROJECT_ROOT)/cmd/proxy
 	cp config.yaml $(BUILD_DIR)/linux
 build-linux-arm:
 	mkdir -p $(BUILD_DIR)/linux-arm
 	GOOS=linux GOARCH=arm CGO_ENABLED=0 go build -x -ldflags "-X main.version=$(BUILD_VERSION)" \
 	-o $(BUILD_DIR)/linux-arm/openmcpauthproxy $(PROJECT_ROOT)/cmd/proxy
 	cp config.yaml $(BUILD_DIR)/linux-arm
 build-darwin:
 	mkdir -p $(BUILD_DIR)/darwin
 	GOOS=darwin GOARCH=amd64 CGO_ENABLED=0 go build -x -ldflags "-X main.version=$(BUILD_VERSION)" \
 	-o $(BUILD_DIR)/darwin/openmcpauthproxy $(PROJECT_ROOT)/cmd/proxy
 	cp config.yaml $(BUILD_DIR)/darwin
 # Clean build artifacts
 clean:
 	@echo "Cleaning build artifacts..."
 	@rm -rf $(BUILD_DIR)
 	@rm -f coverage.out
 # Run tests
 test:
 	@echo "Running tests..."
 	$(GOTEST) $(TEST_OPTS) ./...
 # Run tests with coverage report
 coverage:
 	@echo "Running tests with coverage..."
 	@$(GOTEST) -coverprofile=coverage.out ./...
 	@$(GOCOV) -func=coverage.out
 	@$(GOCOV) -html=coverage.out -o coverage.html
 	@echo "Coverage report generated in coverage.html"
 # Run gofmt
 fmt:
 	@echo "Running gofmt..."
 	@$(GOFMT) -w -s $(SRC)
 # Run go vet
 vet:
 	@echo "Running go vet..."
 	@$(GOVET) ./...
 # Show help
 help:
 	@echo "Available targets:"
 	@echo "  all        : Run lint, test, and build"
 	@echo "  build      : Build the application"
 	@echo "  clean      : Clean build artifacts"
 	@echo "  test       : Run tests"
 	@echo "  coverage   : Run tests with coverage report"
 	@echo "  fmt        : Run gofmt"
 	@echo "  vet        : Run go vet"
 	@echo "  help       : Show this help message"
--- a/README.md
+++ b/README.md
@ -1,87 +1,82 @@
 # Open MCP Auth Proxy
-A lightweight authorization proxy for Model Context Protocol (MCP) servers that enforces authorization according to the [MCP authorization specification](https://spec.modelcontextprotocol.io/specification/2025-03-26/basic/authorization/)
+The Open MCP Auth Proxy is a lightweight proxy designed to sit in front of MCP servers and enforce authorization in compliance with the [Model Context Protocol authorization](https://spec.modelcontextprotocol.io/specification/2025-03-26/basic/authorization/) requirements. It intercepts incoming requests, validates tokens, and offloads authentication and authorization to an OAuth-compliant Identity Provider.
-<a href="">[![🚀 Release](https://github.com/wso2/open-mcp-auth-proxy/actions/workflows/release.yml/badge.svg)](https://github.com/wso2/open-mcp-auth-proxy/actions/workflows/release.yml)</a>
+![image](https://github.com/user-attachments/assets/41cf6723-c488-4860-8640-8fec45006f92)
 <a href="">[![💬 Stackoverflow](https://img.shields.io/badge/Ask%20for%20help%20on-Stackoverflow-orange)](https://stackoverflow.com/questions/tagged/wso2is)</a>
 <a href="">[![💬 Discord](https://img.shields.io/badge/Join%20us%20on-Discord-%23e01563.svg)](https://discord.gg/wso2)</a>
 <a href="">[![🐦 Twitter](https://img.shields.io/twitter/follow/wso2.svg?style=social&label=Follow)](https://twitter.com/intent/follow?screen_name=wso2)</a>
 <a href="">[![📝 License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://github.com/wso2/product-is/blob/master/LICENSE)</a>
-![Architecture Diagram](https://github.com/user-attachments/assets/41cf6723-c488-4860-8640-8fec45006f92)
+## **Setup and Installation**
-## What it Does
+### **Prerequisites**
-Open MCP Auth Proxy sits between MCP clients and your MCP server to:
+* Go 1.20 or higher  
 * A running MCP server (SSE transport supported)  
 * An MCP client that supports MCP authorization 
- Intercept incoming requests
+### **Installation**
 - Validate authorization tokens
 - Offload authentication and authorization to OAuth-compliant Identity Providers
 - Support the MCP authorization protocol
-## Quick Start
+```bash
 git clone https://github.com/wso2/open-mcp-auth-proxy  
 cd open-mcp-auth-proxy  
-### Prerequisites
+go get github.com/golang-jwt/jwt/v4
 go get gopkg.in/yaml.v2
-* Go 1.20 or higher
+go build -o openmcpauthproxy ./cmd/proxy
-* A running MCP server
+```
-> If you don't have an MCP server, you can use the included example:
+## Using Open MCP Auth Proxy
 > 
 > 1. Navigate to the `resources` directory
 > 2. Set up a Python environment:
 >
 > ```bash
 > python3 -m venv .venv
 > source .venv/bin/activate
 > pip3 install -r requirements.txt
 > ```
 > 
 > 3. Start the example server:
 >
 > ```bash
 > python3 echo_server.py
 > ```
-* An MCP client that supports MCP authorization
+### Quick Start 
-### Basic Usage
+Allows you to just enable authentication and authorization for your MCP server with the preconfigured auth provider powered by Asgardeo.
-1. Download the latest release from [Github releases](https://github.com/wso2/open-mcp-auth-proxy/releases/latest).
+If you don’t have an MCP server, follow the instructions given here to start your own MCP server for testing purposes.
 1. Download [sample MCP server](resources/echo_server.py)
 2. Run the server with
 ```bash
 python3 echo_server.py
 ```
-2. Start the proxy in demo mode (uses pre-configured authentication with Asgardeo sandbox):
+#### Configure the Auth Proxy
 Update the following parameters in `config.yaml`.
 ### demo mode configuration:
 ```yaml
 mcp_server_base_url: "http://localhost:8000"  # URL of your MCP server  
 listen_port: 8080                             # Address where the proxy will listen
 ```
 #### Start the Auth Proxy
 ```bash
 ./openmcpauthproxy --demo
 ```
-> The repository comes with a default `config.yaml` file that contains the basic configuration:
+The `--demo` flag enables a demonstration mode with pre-configured authentication and authorization with a sandbox powered by [Asgardeo](https://asgardeo.io/).
 > 
 > ```yaml
 > listen_port: 8080
 > base_url: "http://localhost:8000"  # Your MCP server URL
 > paths:
 >   sse: "/sse"
 >   messages: "/messages/"
 > ```
-3. Connect using an MCP client like [MCP Inspector](https://github.com/shashimalcse/inspector)(This is a temporary fork with fixes for authentication [issues](https://github.com/modelcontextprotocol/typescript-sdk/issues/257) in the original implementation)
+#### Connect Using an MCP Client
-## Connect an Identity Provider
+You can use this improved fork of [MCP Inspector](https://github.com/shashimalcse/inspector) to test the connection and try out the complete authorization flow.
-### Asgardeo
+### Use with Asgardeo
-To enable authorization through your Asgardeo organization:
+Enable authorization for the MCP server through your own Asgardeo organization
-1. [Register](https://asgardeo.io/signup) and create an organization in Asgardeo
+1. [Register]([url](https://asgardeo.io/signup)) and create an organization in Asgardeo
-2. Create an [M2M application](https://wso2.com/asgardeo/docs/guides/applications/register-machine-to-machine-app/)
+2. Now, you need to authorize the OpenMCPAuthProxy to allow dynamically registering MCP Clients as applications in your organization. To do that,
-    1. [Authorize this application](https://wso2.com/asgardeo/docs/guides/applications/register-machine-to-machine-app/#authorize-the-api-resources-for-the-app) to invoke "Application Management API" with the `internal_application_mgt_create` scope
+   1. Create an [M2M application](https://wso2.com/asgardeo/docs/guides/applications/register-machine-to-machine-app/)  
-      ![image](https://github.com/user-attachments/assets/0bd57cac-1904-48cc-b7aa-0530224bc41a)
+         1. [Authorize this application](https://wso2.com/asgardeo/docs/guides/applications/register-machine-to-machine-app/#authorize-the-api-resources-for-the-app) to invoke “Application Management API” with the `internal_application_mgt_create` scope. 
-   
+             ![image](https://github.com/user-attachments/assets/0bd57cac-1904-48cc-b7aa-0530224bc41a)
-3. Update `config.yaml` with the following parameters.
+         2. Note the **Client ID** and **Client secret** of this application. This is required by the auth proxy 
 #### Configure the Auth Proxy
 Create a configuration file config.yaml with the following parameters:
 ```yaml
-base_url: "http://localhost:8000"  # URL of your MCP server  
+mcp_server_base_url: "http://localhost:8000"  # URL of your MCP server  
 listen_port: 8080                             # Address where the proxy will listen
 asgardeo:                                     
@ -90,137 +85,31 @@ asgardeo:
  client_secret: "<client_secret>"            # Client secret of the M2M app
 ```
-4. Start the proxy with Asgardeo integration:
+#### Start the Auth Proxy
 ```bash
 ./openmcpauthproxy --asgardeo
 ```
-### Other OAuth Providers
+### Use with any standard OAuth Server
- [Auth0](docs/integrations/Auth0.md)
+Enable authorization for the MCP server with a compliant OAuth server
 - [Keycloak](docs/integrations/keycloak.md)
-# Advanced Configuration
+#### Configuration
-### Transport Modes
+Create a configuration file config.yaml with the following parameters:
 The proxy supports two transport modes:
 - **SSE Mode (Default)**: For Server-Sent Events transport
 - **stdio Mode**: For MCP servers that use stdio transport
 When using stdio mode, the proxy:
 - Starts an MCP server as a subprocess using the command specified in the configuration
 - Communicates with the subprocess through standard input/output (stdio)
 - **Note**: Any commands specified (like `npx` in the example below) must be installed on your system first
 To use stdio mode:
 ```bash
 ./openmcpauthproxy --demo --stdio
 ```
 #### Example: Running an MCP Server as a Subprocess
 1. Configure stdio mode in your `config.yaml`:
 ```yaml
-listen_port: 8080
+mcp_server_base_url: "http://localhost:8000"  # URL of your MCP server  
-base_url: "http://localhost:8000" 
+listen_port: 8080                             # Address where the proxy will listen
 stdio:
  enabled: true
  user_command: "npx -y @modelcontextprotocol/server-github"  # Example using a GitHub MCP server
  env:                           # Environment variables (optional)
    - "GITHUB_PERSONAL_ACCESS_TOKEN=gitPAT"
 # CORS configuration
 cors:
  allowed_origins:
    - "http://localhost:5173"  # Origin of your client application
  allowed_methods:
    - "GET"
    - "POST"
    - "PUT"
    - "DELETE"
  allowed_headers:
    - "Authorization"
    - "Content-Type"
  allow_credentials: true
 # Demo configuration for Asgardeo
 demo:
  org_name: "openmcpauthdemo"
  client_id: "N0U9e_NNGr9mP_0fPnPfPI0a6twa"
  client_secret: "qFHfiBp5gNGAO9zV4YPnDofBzzfInatfUbHyPZvM0jka"    
 ```
 **TODO**: Update the configs for a standard OAuth Server.
-2. Run the proxy with stdio mode:
+#### Start the Auth Proxy
 ```bash
-./openmcpauthproxy --demo
+./openmcpauthproxy
 ```
 #### Integrating with existing OAuth Providers
-The proxy will:
+ - [Auth0](docs/Auth0.md) - Enable authorization for the MCP server through your Auth0 organization.
 - Start the MCP server as a subprocess using the specified command
 - Handle all authorization requirements
 - Forward messages between clients and the server
 ### Complete Configuration Reference
 ```yaml
 # Common configuration
 listen_port: 8080
 base_url: "http://localhost:8000"
 port: 8000
 # Path configuration
 paths:
  sse: "/sse"
  messages: "/messages/"
 # Transport mode
 transport_mode: "sse"  # Options: "sse" or "stdio"
 # stdio-specific configuration (used only in stdio mode)
 stdio:
  enabled: true
  user_command: "npx -y @modelcontextprotocol/server-github"  # Command to start the MCP server (requires npx to be installed)
  work_dir: ""  # Optional working directory for the subprocess
 # CORS configuration
 cors:
  allowed_origins:
    - "http://localhost:5173"
  allowed_methods:
    - "GET"
    - "POST"
    - "PUT"
    - "DELETE"
  allowed_headers:
    - "Authorization"
    - "Content-Type"
  allow_credentials: true
 # Demo configuration for Asgardeo
 demo:
  org_name: "openmcpauthdemo"
  client_id: "N0U9e_NNGr9mP_0fPnPfPI0a6twa"
  client_secret: "qFHfiBp5gNGAO9zV4YPnDofBzzfInatfUbHyPZvM0jka"  
 # Asgardeo configuration (used with --asgardeo flag)
 asgardeo:
  org_name: "<org_name>"
  client_id: "<client_id>"
  client_secret: "<client_secret>"
 ```
 ### Build from source
 ```bash
 git clone https://github.com/wso2/open-mcp-auth-proxy
 cd open-mcp-auth-proxy
 go get github.com/golang-jwt/jwt/v4 gopkg.in/yaml.v2
 go build -o openmcpauthproxy ./cmd/proxy
 ```
--- a/cmd/proxy/main.go
+++ b/cmd/proxy/main.go
@ -3,71 +3,31 @@ package main
 import (
 	"flag"
 	"fmt"
 	"log"
 	"net/http"
 	"os"
 	"os/signal"
 	"syscall"
 	"time"
 	"github.com/wso2/open-mcp-auth-proxy/internal/authz"
 	"github.com/wso2/open-mcp-auth-proxy/internal/config"
 	"github.com/wso2/open-mcp-auth-proxy/internal/constants"
 	logger "github.com/wso2/open-mcp-auth-proxy/internal/logging"
 	"github.com/wso2/open-mcp-auth-proxy/internal/proxy"
 	"github.com/wso2/open-mcp-auth-proxy/internal/subprocess"
 	"github.com/wso2/open-mcp-auth-proxy/internal/util"
 )
 func main() {
 	demoMode := flag.Bool("demo", false, "Use Asgardeo-based provider (demo).")
 	asgardeoMode := flag.Bool("asgardeo", false, "Use Asgardeo-based provider (asgardeo).")
 	debugMode := flag.Bool("debug", false, "Enable debug logging")
 	stdioMode := flag.Bool("stdio", false, "Use stdio transport mode instead of SSE")
 	flag.Parse()
 	logger.SetDebug(*debugMode)
 	// 1. Load config
 	cfg, err := config.LoadConfig("config.yaml")
 	if err != nil {
-		logger.Error("Error loading config: %v", err)
+		log.Fatalf("Error loading config: %v", err)
 		os.Exit(1)
 	}
-	// Override transport mode if stdio flag is set
+	// 2. Create the chosen provider
 	if *stdioMode {
 		cfg.TransportMode = config.StdioTransport
 		// Ensure stdio is enabled
 		cfg.Stdio.Enabled = true
 		// Re-validate config
 		if err := cfg.Validate(); err != nil {
 			logger.Error("Configuration error: %v", err)
 			os.Exit(1)
 		}
 	}
 	logger.Info("Using transport mode: %s", cfg.TransportMode)
 	logger.Info("Using MCP server base URL: %s", cfg.BaseURL)
 	logger.Info("Using MCP paths: SSE=%s, Messages=%s", cfg.Paths.SSE, cfg.Paths.Messages)
 	// 2. Start subprocess if configured and in stdio mode
 	var procManager *subprocess.Manager
 	if cfg.TransportMode == config.StdioTransport && cfg.Stdio.Enabled {
 		// Ensure all required dependencies are available
 		if err := subprocess.EnsureDependenciesAvailable(cfg.Stdio.UserCommand); err != nil {
 			logger.Warn("%v", err)
 			logger.Warn("Subprocess may fail to start due to missing dependencies")
 		}
 		procManager = subprocess.NewManager()
 		if err := procManager.Start(cfg); err != nil {
 			logger.Warn("Failed to start subprocess: %v", err)
 		}
 	} else if cfg.TransportMode == config.SSETransport {
 		logger.Info("Using SSE transport mode, not starting subprocess")
 	}
 	// 3. Create the chosen provider
 	var provider authz.Provider
 	if *demoMode {
 		cfg.Mode = "demo"
@ -86,49 +46,41 @@ func main() {
 		provider = authz.NewDefaultProvider(cfg)
 	}
-	// 4. (Optional) Fetch JWKS if you want local JWT validation
+	// 3. (Optional) Fetch JWKS if you want local JWT validation
 	if err := util.FetchJWKS(cfg.JWKSURL); err != nil {
-		logger.Error("Failed to fetch JWKS: %v", err)
+		log.Fatalf("Failed to fetch JWKS: %v", err)
 		os.Exit(1)
 	}
-	// 5. Build the main router
+	// 4. Build the main router
 	mux := proxy.NewRouter(cfg, provider)
-	listen_address := fmt.Sprintf("0.0.0.0:%d", cfg.ListenPort)
+	listen_address := fmt.Sprintf(":%d", cfg.ListenPort)
-	// 6. Start the server
+	// 5. Start the server
 	srv := &http.Server{
 		Addr:    listen_address,
 		Handler: mux,
 	}
 	go func() {
-		logger.Info("Server listening on %s", listen_address)
+		log.Printf("Server listening on %s", listen_address)
 		if err := srv.ListenAndServe(); err != nil && err != http.ErrServerClosed {
-			logger.Error("Server error: %v", err)
+			log.Fatalf("Server error: %v", err)
 			os.Exit(1)
 		}
 	}()
-	// 7. Wait for shutdown signal
+	// 6. Graceful shutdown on Ctrl+C
 	stop := make(chan os.Signal, 1)
-	signal.Notify(stop, os.Interrupt, syscall.SIGTERM)
+	signal.Notify(stop, os.Interrupt)
 	<-stop
-	logger.Info("Shutting down...")
+	log.Println("Shutting down...")
 	// 8. First terminate subprocess if running
 	if procManager != nil && procManager.IsRunning() {
 		procManager.Shutdown()
 	}
 	// 9. Then shutdown the server
 	logger.Info("Shutting down HTTP server...")
 	shutdownCtx, cancel := proxy.NewShutdownContext(5 * time.Second)
 	defer cancel()
 	if err := srv.Shutdown(shutdownCtx); err != nil {
-		logger.Error("HTTP server shutdown error: %v", err)
+		log.Printf("Shutdown error: %v", err)
 	}
-	logger.Info("Stopped.")
+	log.Println("Stopped.")
 }
--- a/config.yaml
+++ b/config.yaml
@ -1,28 +1,22 @@
 # config.yaml
-# Common configuration for all transport modes
+mcp_server_base_url: ""
 listen_port: 8080
 base_url: "http://localhost:8000" # Base URL for the MCP server
 port: 8000 # Port for the MCP server
 timeout_seconds: 10
 mcp_paths:
  - /messages/
  - /sse
-# Transport mode configuration
+path_mapping:
-transport_mode: "stdio" # Options: "sse" or "stdio"
+  /token: /token
  /register: /register
  /authorize: /authorize
  /.well-known/oauth-authorization-server: /.well-known/oauth-authorization-server
 # stdio-specific configuration (used only when transport_mode is "stdio")
 stdio:
  enabled: true
  user_command: uvx mcp-server-time --local-timezone=Europe/Zurich
  #user_command: "npx -y @modelcontextprotocol/server-github"
  work_dir: "" # Working directory (optional)
  # env:                           # Environment variables (optional)
  #   - "NODE_ENV=development"
 # CORS settings
 cors:
  allowed_origins:
-    - "http://localhost:6274"  # Origin of your frontend/client app
+    - ""
  allowed_methods:
    - "GET"
    - "POST"
@ -31,26 +25,29 @@ cors:
  allowed_headers:
    - "Authorization"
    - "Content-Type"
    - "mcp-protocol-version"
  allow_credentials: true
-# Keycloak endpoint path mappings
+demo:
-path_mapping:
+  org_name: "openmcpauthdemo"
-  sse: "/sse" # SSE endpoint path
+  client_id: "N0U9e_NNGr9mP_0fPnPfPI0a6twa"
-  messages: "/messages/" # Messages endpoint path
+  client_secret: "qFHfiBp5gNGAO9zV4YPnDofBzzfInatfUbHyPZvM0jka"
-  /token: /realms/master/protocol/openid-connect/token
+
-  /register: /realms/master/clients-registrations/openid-connect
+asgardeo:
  org_name: "<org_name>"
  client_id: "<client_id>"
  client_secret: "<client_secret>"
 # Keycloak configuration block
 default:
-  base_url: "https://iam.phoenix-systems.ch"
+  base_url: "<base_url>"
-  jwks_url: "https://iam.phoenix-systems.ch/realms/kvant/protocol/openid-connect/certs"  
+  jwks_url: "<jwks_url>"
  path:
    /.well-known/oauth-authorization-server:
      response:
-        issuer: "https://iam.phoenix-systems.ch/realms/kvant"
+        issuer: "<issuer>"
-        jwks_uri: "https://iam.phoenix-systems.ch/realms/kvant/protocol/openid-connect/certs"
+        jwks_uri: "<jwks_uri>"
-        authorization_endpoint: "https://iam.phoenix-systems.ch/realms/kvant/protocol/openid-connect/auth"
+        authorization_endpoint: "<authorization_endpoint>" # Optional
        token_endpoint: "<token_endpoint>" # Optional
        registration_endpoint: "<registration_endpoint>" # Optional
        response_types_supported: 
          - "code"
        grant_types_supported:
@ -58,8 +55,17 @@ default:
          - "refresh_token"
        code_challenge_methods_supported:
          - "S256"
-          - "plain"
+          - "plain"  
    /authroize:
      addQueryParams:
        - name: "<name>"
          value: "<value>"
    /token:
      addBodyParams:
-        - name: "audience"
+        - name: "<name>"
-          value: "mcp_proxy"
+          value: "<value>"
    /register:
      addBodyParams:
        - name: "<name>"
          value: "<value>"
--- a/docs/integrations/Auth0.md
+++ b/docs/integrations/Auth0.md
@ -4,7 +4,7 @@ This guide will help you configure Open MCP Auth Proxy to use Auth0 as your iden
 ### Prerequisites
- An Auth0 organization (sign up [here](https://auth0.com) if you don't have one)
+- An Auth0 organization (sign up here if you don't have one)
 - Open MCP Auth Proxy installed
 ### Setting Up Auth0
@ -28,17 +28,9 @@ Update your `config.yaml` with Auth0 settings:
 ```yaml
 # Basic proxy configuration
 mcp_server_base_url: "http://localhost:8000"
 listen_port: 8080
-base_url: "http://localhost:8000"
+timeout_seconds: 10
 port: 8000
 # Path configuration
 paths:
  sse: "/sse"
  messages: "/messages/"
 # Transport mode
 transport_mode: "sse"
 # CORS configuration
 cors:
--- a/docs/integrations/keycloak.md
+++ b/docs/integrations/keycloak.md
@ -1,92 +0,0 @@
 ## Integrating Open MCP Auth Proxy with Keycloak
 This guide walks you through configuring the Open MCP Auth Proxy to authenticate using Keycloak as the identity provider.
 ---
 ### Prerequisites
 Before you begin, ensure you have the following:
 - A running Keycloak instance
 - Open MCP Auth Proxy installed and accessible
 ---
 ### Step 1: Configure Keycloak for Client Registration
 Set up dynamic client registration in your Keycloak realm by following the [Keycloak client registration guide](https://www.keycloak.org/securing-apps/client-registration).
 ---
 ### Step 2: Configure Open MCP Auth Proxy
 Update the `config.yaml` file in your Open MCP Auth Proxy setup using your Keycloak realm's [OIDC settings](https://www.keycloak.org/securing-apps/oidc-layers). Below is an example configuration:
 ```yaml
 # Proxy server configuration
 listen_port: 8081                 # Port for the auth proxy
 base_url: "http://localhost:8000" # Base URL of the MCP server
 port: 8000                        # MCP server port
 # Define path mappings
 paths:
  sse: "/sse"
  messages: "/messages/"
 # Set the transport mode
 transport_mode: "sse"
 # CORS settings
 cors:
  allowed_origins:
    - "http://localhost:5173"  # Origin of your frontend/client app
  allowed_methods:
    - "GET"
    - "POST"
    - "PUT"
    - "DELETE"
  allowed_headers:
    - "Authorization"
    - "Content-Type"
    - "mcp-protocol-version"
  allow_credentials: true
 # Keycloak endpoint path mappings
 path_mapping:
  /token: /realms/master/protocol/openid-connect/token
  /register: /realms/master/clients-registrations/openid-connect
 # Keycloak configuration block
 default:
  base_url: "http://localhost:8080"
  jwks_url: "http://localhost:8080/realms/master/protocol/openid-connect/certs"
  path:
    /.well-known/oauth-authorization-server:
      response:
        issuer: "http://localhost:8080/realms/master"
        jwks_uri: "http://localhost:8080/realms/master/protocol/openid-connect/certs"
        authorization_endpoint: "http://localhost:8080/realms/master/protocol/openid-connect/auth"
        response_types_supported: 
          - "code"
        grant_types_supported:
          - "authorization_code"
          - "refresh_token"
        code_challenge_methods_supported:
          - "S256"
          - "plain"
    /token:
      addBodyParams:
        - name: "audience"
          value: "mcp_proxy"
 ```
 ### Step 3: Start the Auth Proxy
 Launch the proxy with the updated Keycloak configuration:
 ```bash
 ./openmcpauthproxy
 ```
 Once running, the proxy will handle authentication requests through your configured Keycloak realm.
--- a/go.mod
+++ b/go.mod
@ -1,6 +1,6 @@
 module github.com/wso2/open-mcp-auth-proxy
-go 1.21
+go 1.22.3
 require (
 	github.com/golang-jwt/jwt/v4 v4.5.2
--- a/go.sum
+++ b/go.sum
@ -1,6 +0,0 @@
 github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
 github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
--- a/internal/authz/asgardeo.go
+++ b/internal/authz/asgardeo.go
@ -7,13 +7,13 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
 	"log"
 	"math/rand"
 	"net/http"
 	"strings"
 	"time"
 	"github.com/wso2/open-mcp-auth-proxy/internal/config"
 	"github.com/wso2/open-mcp-auth-proxy/internal/logging"
 )
 type asgardeoProvider struct {
@ -31,7 +31,6 @@ func (p *asgardeoProvider) WellKnownHandler() http.HandlerFunc {
 		w.Header().Set("Access-Control-Allow-Origin", "*")
 		w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type")
 		w.Header().Set("Access-Control-Allow-Methods", "GET, OPTIONS")
 		w.Header().Set("X-Accel-Buffering", "no")
 		if r.Method == http.MethodOptions {
 			w.WriteHeader(http.StatusNoContent)
@ -71,9 +70,8 @@ func (p *asgardeoProvider) WellKnownHandler() http.HandlerFunc {
 		}
 		w.Header().Set("Content-Type", "application/json")
 		w.Header().Set("X-Accel-Buffering", "no")
 		if err := json.NewEncoder(w).Encode(response); err != nil {
-			logger.Error("Error encoding well-known: %v", err)
+			log.Printf("[asgardeoProvider] Error encoding well-known: %v", err)
 			http.Error(w, "Internal server error", http.StatusInternalServerError)
 		}
 	}
@ -85,7 +83,6 @@ func (p *asgardeoProvider) RegisterHandler() http.HandlerFunc {
 		w.Header().Set("Access-Control-Allow-Origin", "*")
 		w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type")
 		w.Header().Set("Access-Control-Allow-Methods", "GET, OPTIONS")
 		w.Header().Set("X-Accel-Buffering", "no")
 		if r.Method == http.MethodOptions {
 			w.WriteHeader(http.StatusNoContent)
@ -98,7 +95,7 @@ func (p *asgardeoProvider) RegisterHandler() http.HandlerFunc {
 		var regReq RegisterRequest
 		if err := json.NewDecoder(r.Body).Decode(&regReq); err != nil {
-			logger.Error("Reading register request: %v", err)
+			log.Printf("ERROR: reading register request: %v", err)
 			http.Error(w, "Invalid request body", http.StatusBadRequest)
 			return
 		}
@ -112,7 +109,7 @@ func (p *asgardeoProvider) RegisterHandler() http.HandlerFunc {
 		regReq.ClientSecret = randomString(16)
 		if err := p.createAsgardeoApplication(regReq); err != nil {
-			logger.Warn("Asgardeo application creation failed: %v", err)
+			log.Printf("WARN: Asgardeo application creation failed: %v", err)
 			// Optionally http.Error(...) if you want to fail
 			// or continue to return partial data.
 		}
@ -127,10 +124,9 @@ func (p *asgardeoProvider) RegisterHandler() http.HandlerFunc {
 		}
 		w.Header().Set("Content-Type", "application/json")
 		w.Header().Set("X-Accel-Buffering", "no")
 		w.WriteHeader(http.StatusCreated)
 		if err := json.NewEncoder(w).Encode(resp); err != nil {
-			logger.Error("Encoding /register response: %v", err)
+			log.Printf("ERROR: encoding /register response: %v", err)
 			http.Error(w, "Internal server error", http.StatusInternalServerError)
 		}
 	}
@ -190,7 +186,7 @@ func (p *asgardeoProvider) createAsgardeoApplication(regReq RegisterRequest) err
 		return fmt.Errorf("Asgardeo creation error (%d): %s", resp.StatusCode, string(respBody))
 	}
-	logger.Info("Created Asgardeo application for clientID=%s", regReq.ClientID)
+	log.Printf("INFO: Created Asgardeo application for clientID=%s", regReq.ClientID)
 	return nil
 }
@ -206,11 +202,8 @@ func (p *asgardeoProvider) getAsgardeoAdminToken() (string, error) {
 	}
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 	// Sensitive data - should not be logged at INFO level
 	auth := p.cfg.Demo.ClientID + ":" + p.cfg.Demo.ClientSecret
 	req.Header.Set("Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte(auth)))
 	logger.Debug("Requesting admin token for Asgardeo with client ID: %s", p.cfg.Demo.ClientID)
 	tr := &http.Transport{
 		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
@ -241,10 +234,6 @@ func (p *asgardeoProvider) getAsgardeoAdminToken() (string, error) {
 		return "", fmt.Errorf("failed to parse token JSON: %w", err)
 	}
 	// Don't log the actual token at info level, only at debug level
 	logger.Debug("Received access token: %s", tokenResp.AccessToken)
 	logger.Info("Successfully obtained admin token from Asgardeo")
 	return tokenResp.AccessToken, nil
 }
--- a/internal/authz/default.go
+++ b/internal/authz/default.go
@ -5,7 +5,6 @@ import (
 	"net/http"
 	"github.com/wso2/open-mcp-auth-proxy/internal/config"
 	"github.com/wso2/open-mcp-auth-proxy/internal/logging"
 )
 type defaultProvider struct {
@ -82,7 +81,6 @@ func (p *defaultProvider) WellKnownHandler() http.HandlerFunc {
 				w.Header().Set("Content-Type", "application/json")
 				if err := json.NewEncoder(w).Encode(response); err != nil {
 					logger.Error("Error encoding well-known response: %v", err)
 					http.Error(w, "Internal server error", http.StatusInternalServerError)
 				}
 				return
--- a/internal/authz/default_test.go
+++ b/internal/authz/default_test.go
@ -1,125 +0,0 @@
 package authz
 import (
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
 	"testing"
 	"github.com/wso2/open-mcp-auth-proxy/internal/config"
 )
 func TestNewDefaultProvider(t *testing.T) {
 	cfg := &config.Config{}
 	provider := NewDefaultProvider(cfg)
 	if provider == nil {
 		t.Fatal("Expected non-nil provider")
 	}
 	// Ensure it implements the Provider interface
 	var _ Provider = provider
 }
 func TestDefaultProviderWellKnownHandler(t *testing.T) {
 	// Create a config with a custom well-known response
 	cfg := &config.Config{
 		Default: config.DefaultConfig{
 			Path: map[string]config.PathConfig{
 				"/.well-known/oauth-authorization-server": {
 					Response: &config.ResponseConfig{
 						Issuer:                        "https://test-issuer.com",
 						JwksURI:                       "https://test-issuer.com/jwks",
 						ResponseTypesSupported:        []string{"code"},
 						GrantTypesSupported:           []string{"authorization_code"},
 						CodeChallengeMethodsSupported: []string{"S256"},
 					},
 				},
 			},
 		},
 	}
 	provider := NewDefaultProvider(cfg)
 	handler := provider.WellKnownHandler()
 	// Create a test request
 	req := httptest.NewRequest("GET", "/.well-known/oauth-authorization-server", nil)
 	req.Host = "test-host.com"
 	req.Header.Set("X-Forwarded-Proto", "https")
 	// Create a response recorder
 	w := httptest.NewRecorder()
 	// Call the handler
 	handler(w, req)
 	// Check response status
 	if w.Code != http.StatusOK {
 		t.Errorf("Expected status OK, got %v", w.Code)
 	}
 	// Verify content type
 	contentType := w.Header().Get("Content-Type")
 	if contentType != "application/json" {
 		t.Errorf("Expected Content-Type: application/json, got %s", contentType)
 	}
 	// Decode and check the response body
 	var response map[string]interface{}
 	if err := json.NewDecoder(w.Body).Decode(&response); err != nil {
 		t.Fatalf("Failed to decode response JSON: %v", err)
 	}
 	// Check expected values
 	if response["issuer"] != "https://test-issuer.com" {
 		t.Errorf("Expected issuer=https://test-issuer.com, got %v", response["issuer"])
 	}
 	if response["jwks_uri"] != "https://test-issuer.com/jwks" {
 		t.Errorf("Expected jwks_uri=https://test-issuer.com/jwks, got %v", response["jwks_uri"])
 	}
 	if response["authorization_endpoint"] != "https://test-host.com/authorize" {
 		t.Errorf("Expected authorization_endpoint=https://test-host.com/authorize, got %v", response["authorization_endpoint"])
 	}
 }
 func TestDefaultProviderHandleOPTIONS(t *testing.T) {
 	provider := NewDefaultProvider(&config.Config{})
 	handler := provider.WellKnownHandler()
 	// Create OPTIONS request
 	req := httptest.NewRequest("OPTIONS", "/.well-known/oauth-authorization-server", nil)
 	w := httptest.NewRecorder()
 	// Call the handler
 	handler(w, req)
 	// Check response
 	if w.Code != http.StatusNoContent {
 		t.Errorf("Expected status NoContent for OPTIONS request, got %v", w.Code)
 	}
 	// Check CORS headers
 	if w.Header().Get("Access-Control-Allow-Origin") != "*" {
 		t.Errorf("Expected Access-Control-Allow-Origin: *, got %s", w.Header().Get("Access-Control-Allow-Origin"))
 	}
 	if w.Header().Get("Access-Control-Allow-Methods") != "GET, OPTIONS" {
 		t.Errorf("Expected Access-Control-Allow-Methods: GET, OPTIONS, got %s", w.Header().Get("Access-Control-Allow-Methods"))
 	}
 }
 func TestDefaultProviderInvalidMethod(t *testing.T) {
 	provider := NewDefaultProvider(&config.Config{})
 	handler := provider.WellKnownHandler()
 	// Create POST request (which should be rejected)
 	req := httptest.NewRequest("POST", "/.well-known/oauth-authorization-server", nil)
 	w := httptest.NewRecorder()
 	// Call the handler
 	handler(w, req)
 	// Check response
 	if w.Code != http.StatusMethodNotAllowed {
 		t.Errorf("Expected status MethodNotAllowed for POST request, got %v", w.Code)
 	}
 }
--- a/internal/config/config.go
+++ b/internal/config/config.go
@ -1,35 +1,12 @@
 package config
 import (
 	"fmt"
 	"os"
 	"gopkg.in/yaml.v2"
 )
-// Transport mode for MCP server
+// AsgardeoConfig groups all Asgardeo-specific fields
 type TransportMode string
 const (
 	SSETransport   TransportMode = "sse"
 	StdioTransport TransportMode = "stdio"
 )
 // Common path configuration for all transport modes
 type PathsConfig struct {
 	SSE       string `yaml:"sse"`
 	Messages  string `yaml:"messages"`
 }
 // StdioConfig contains stdio-specific configuration
 type StdioConfig struct {
 	Enabled     bool     `yaml:"enabled"`
 	UserCommand string   `yaml:"user_command"` // The command provided by the user
 	WorkDir     string   `yaml:"work_dir"`     // Working directory (optional)
 	Args        []string `yaml:"args,omitempty"` // Additional arguments
 	Env         []string `yaml:"env,omitempty"`  // Environment variables
 }
 type DemoConfig struct {
 	ClientID     string `yaml:"client_id"`
 	ClientSecret string `yaml:"client_secret"`
@ -83,18 +60,15 @@ type DefaultConfig struct {
 }
 type Config struct {
-	AuthServerBaseURL  string
+	AuthServerBaseURL string
-	ListenPort         int           `yaml:"listen_port"`
+	MCPServerBaseURL  string `yaml:"mcp_server_base_url"`
-	BaseURL            string        `yaml:"base_url"`
+	ListenPort        int    `yaml:"listen_port"`
-	Port               int           `yaml:"port"`
+	JWKSURL           string
-	JWKSURL            string
+	TimeoutSeconds    int               `yaml:"timeout_seconds"`
-	TimeoutSeconds     int               `yaml:"timeout_seconds"`
+	MCPPaths          []string          `yaml:"mcp_paths"`
-	PathMapping        map[string]string `yaml:"path_mapping"`
+	PathMapping       map[string]string `yaml:"path_mapping"`
-	Mode               string            `yaml:"mode"`
+	Mode              string            `yaml:"mode"`
-	CORSConfig         CORSConfig        `yaml:"cors"`
+	CORSConfig        CORSConfig        `yaml:"cors"`
 	TransportMode      TransportMode     `yaml:"transport_mode"`
 	Paths              PathsConfig       `yaml:"paths"`
 	Stdio              StdioConfig       `yaml:"stdio"`
 	// Nested config for Asgardeo
 	Demo     DemoConfig     `yaml:"demo"`
@ -102,56 +76,6 @@ type Config struct {
 	Default  DefaultConfig  `yaml:"default"`
 }
 // Validate checks if the config is valid based on transport mode
 func (c *Config) Validate() error {
 	// Validate based on transport mode
 	if c.TransportMode == StdioTransport {
 		if !c.Stdio.Enabled {
 			return fmt.Errorf("stdio.enabled must be true in stdio transport mode")
 		}
 		if c.Stdio.UserCommand == "" {
 			return fmt.Errorf("stdio.user_command is required in stdio transport mode")
 		}
 	}
 	// Validate paths
 	if c.Paths.SSE == "" {
 		c.Paths.SSE = "/sse" // Default value
 	}
 	if c.Paths.Messages == "" {
 		c.Paths.Messages = "/messages" // Default value
 	}
 	// Validate base URL
 	if c.BaseURL == "" {
 		if c.Port > 0 {
 			c.BaseURL = fmt.Sprintf("http://localhost:%d", c.Port)
 		} else {
 			c.BaseURL = "http://localhost:8000" // Default value
 		}
 	}
 	return nil
 }
 // GetMCPPaths returns the list of paths that should be proxied to the MCP server
 func (c *Config) GetMCPPaths() []string {
 	return []string{c.Paths.SSE, c.Paths.Messages}
 }
 // BuildExecCommand constructs the full command string for execution in stdio mode
 func (c *Config) BuildExecCommand() string {
 	if c.Stdio.UserCommand == "" {
 		return ""
 	}
 	// Construct the full command
 	return fmt.Sprintf(
 		`npx -y supergateway --stdio "%s" --port %d --baseUrl %s --ssePath %s --messagePath %s`,
 		c.Stdio.UserCommand, c.Port, c.BaseURL, c.Paths.SSE, c.Paths.Messages,
 	)
 }
 // LoadConfig reads a YAML config file into Config struct.
 func LoadConfig(path string) (*Config, error) {
 	f, err := os.Open(path)
@ -165,26 +89,8 @@ func LoadConfig(path string) (*Config, error) {
 	if err := decoder.Decode(&cfg); err != nil {
 		return nil, err
 	}
 	// Set default values
 	if cfg.TimeoutSeconds == 0 {
 		cfg.TimeoutSeconds = 15 // default
 	}
 	// Set default transport mode if not specified
 	if cfg.TransportMode == "" {
 		cfg.TransportMode = SSETransport // Default to SSE
 	}
 	// Set default port if not specified
 	if cfg.Port == 0 {
 		cfg.Port = 8000 // default
 	}
 	// Validate the configuration
 	if err := cfg.Validate(); err != nil {
 		return nil, err
 	}
 	return &cfg, nil
 }
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@ -1,196 +0,0 @@
 package config
 import (
 	"os"
 	"path/filepath"
 	"testing"
 )
 func TestLoadConfig(t *testing.T) {
 	// Create a temporary config file
 	tempDir := t.TempDir()
 	configPath := filepath.Join(tempDir, "test_config.yaml")
 	// Basic valid config
 	validConfig := `
 listen_port: 8080
 base_url: "http://localhost:8000"
 transport_mode: "sse"
 paths:
  sse: "/sse"
  messages: "/messages"
 cors:
  allowed_origins:
    - "http://localhost:5173"
  allowed_methods:
    - "GET"
    - "POST"
  allowed_headers:
    - "Authorization"
    - "Content-Type"
  allow_credentials: true
 `
 	err := os.WriteFile(configPath, []byte(validConfig), 0644)
 	if err != nil {
 		t.Fatalf("Failed to create test config file: %v", err)
 	}
 	// Test loading the valid config
 	cfg, err := LoadConfig(configPath)
 	if err != nil {
 		t.Fatalf("Failed to load valid config: %v", err)
 	}
 	// Verify expected values from the config
 	if cfg.ListenPort != 8080 {
 		t.Errorf("Expected ListenPort=8080, got %d", cfg.ListenPort)
 	}
 	if cfg.BaseURL != "http://localhost:8000" {
 		t.Errorf("Expected BaseURL=http://localhost:8000, got %s", cfg.BaseURL)
 	}
 	if cfg.TransportMode != SSETransport {
 		t.Errorf("Expected TransportMode=sse, got %s", cfg.TransportMode)
 	}
 	if cfg.Paths.SSE != "/sse" {
 		t.Errorf("Expected Paths.SSE=/sse, got %s", cfg.Paths.SSE)
 	}
 	if cfg.Paths.Messages != "/messages" {
 		t.Errorf("Expected Paths.Messages=/messages, got %s", cfg.Paths.Messages)
 	}
 	// Test default values
 	if cfg.TimeoutSeconds != 15 {
 		t.Errorf("Expected default TimeoutSeconds=15, got %d", cfg.TimeoutSeconds)
 	}
 	if cfg.Port != 8000 {
 		t.Errorf("Expected default Port=8000, got %d", cfg.Port)
 	}
 }
 func TestValidate(t *testing.T) {
 	tests := []struct {
 		name        string
 		config      Config
 		expectError bool
 	}{
 		{
 			name: "Valid SSE config",
 			config: Config{
 				TransportMode: SSETransport,
 				Paths: PathsConfig{
 					SSE:      "/sse",
 					Messages: "/messages",
 				},
 				BaseURL: "http://localhost:8000",
 			},
 			expectError: false,
 		},
 		{
 			name: "Valid stdio config",
 			config: Config{
 				TransportMode: StdioTransport,
 				Stdio: StdioConfig{
 					Enabled:     true,
 					UserCommand: "some-command",
 				},
 			},
 			expectError: false,
 		},
 		{
 			name: "Invalid stdio config - not enabled",
 			config: Config{
 				TransportMode: StdioTransport,
 				Stdio: StdioConfig{
 					Enabled:     false,
 					UserCommand: "some-command",
 				},
 			},
 			expectError: true,
 		},
 		{
 			name: "Invalid stdio config - no command",
 			config: Config{
 				TransportMode: StdioTransport,
 				Stdio: StdioConfig{
 					Enabled:     true,
 					UserCommand: "",
 				},
 			},
 			expectError: true,
 		},
 	}
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
 			err := tc.config.Validate()
 			if tc.expectError && err == nil {
 				t.Errorf("Expected validation error but got none")
 			}
 			if !tc.expectError && err != nil {
 				t.Errorf("Expected no validation error but got: %v", err)
 			}
 		})
 	}
 }
 func TestGetMCPPaths(t *testing.T) {
 	cfg := Config{
 		Paths: PathsConfig{
 			SSE:      "/custom-sse",
 			Messages: "/custom-messages",
 		},
 	}
 	paths := cfg.GetMCPPaths()
 	if len(paths) != 2 {
 		t.Errorf("Expected 2 MCP paths, got %d", len(paths))
 	}
 	if paths[0] != "/custom-sse" {
 		t.Errorf("Expected first path=/custom-sse, got %s", paths[0])
 	}
 	if paths[1] != "/custom-messages" {
 		t.Errorf("Expected second path=/custom-messages, got %s", paths[1])
 	}
 }
 func TestBuildExecCommand(t *testing.T) {
 	tests := []struct {
 		name           string
 		config         Config
 		expectedResult string
 	}{
 		{
 			name: "Valid command",
 			config: Config{
 				Stdio: StdioConfig{
 					UserCommand: "test-command",
 				},
 				Port:    8080,
 				BaseURL: "http://example.com",
 				Paths: PathsConfig{
 					SSE:      "/sse-path",
 					Messages: "/msgs",
 				},
 			},
 			expectedResult: `npx -y supergateway --stdio "test-command" --port 8080 --baseUrl http://example.com --ssePath /sse-path --messagePath /msgs`,
 		},
 		{
 			name: "Empty command",
 			config: Config{
 				Stdio: StdioConfig{
 					UserCommand: "",
 				},
 			},
 			expectedResult: "",
 		},
 	}
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
 			result := tc.config.BuildExecCommand()
 			if result != tc.expectedResult {
 				t.Errorf("Expected command=%s, got %s", tc.expectedResult, result)
 			}
 		})
 	}
 }
--- a/internal/logging/logger.go
+++ b/internal/logging/logger.go
@ -1,34 +0,0 @@
 package logger
 import (
 	"log"
 )
 var isDebug = false
 // SetDebug enables or disables debug logging
 func SetDebug(debug bool) {
 	isDebug = debug
 }
 // Debug logs a debug-level message
 func Debug(format string, v ...interface{}) {
 	if isDebug {
 		log.Printf("DEBUG: "+format, v...)
 	}
 }
 // Info logs an info-level message
 func Info(format string, v ...interface{}) {
 	log.Printf("INFO: "+format, v...)
 }
 // Warn logs a warning-level message
 func Warn(format string, v ...interface{}) {
 	log.Printf("WARN: "+format, v...)
 }
 // Error logs an error-level message
 func Error(format string, v ...interface{}) {
 	log.Printf("ERROR: "+format, v...)
 }
--- a/internal/proxy/modifier.go
+++ b/internal/proxy/modifier.go
@ -9,7 +9,6 @@ import (
 	"strings"
 	"github.com/wso2/open-mcp-auth-proxy/internal/config"
 	"github.com/wso2/open-mcp-auth-proxy/internal/logging"
 )
 // RequestModifier modifies requests before they are proxied
@ -149,7 +148,6 @@ func (m *RegisterModifier) ModifyRequest(req *http.Request) (*http.Request, erro
 	if strings.Contains(contentType, "application/x-www-form-urlencoded") {
 		// Parse form data
 		if err := req.ParseForm(); err != nil {
 			logger.Error("Failed to parse form data: %v", err)
 			return nil, err
 		}
@ -171,14 +169,12 @@ func (m *RegisterModifier) ModifyRequest(req *http.Request) (*http.Request, erro
 		// Read body
 		bodyBytes, err := io.ReadAll(req.Body)
 		if err != nil {
 			logger.Error("Failed to read request body: %v", err)
 			return nil, err
 		}
 		// Parse JSON
 		var jsonData map[string]interface{}
 		if err := json.Unmarshal(bodyBytes, &jsonData); err != nil {
 			logger.Error("Failed to parse JSON body: %v", err)
 			return nil, err
 		}
@ -190,7 +186,6 @@ func (m *RegisterModifier) ModifyRequest(req *http.Request) (*http.Request, erro
 		// Marshal back to JSON
 		modifiedBody, err := json.Marshal(jsonData)
 		if err != nil {
 			logger.Error("Failed to marshal modified JSON: %v", err)
 			return nil, err
 		}
--- a/internal/proxy/modifier_test.go
+++ b/internal/proxy/modifier_test.go
@ -1,147 +0,0 @@
 package proxy
 import (
 	"net/http"
 	"net/url"
 	"strings"
 	"testing"
 	"github.com/wso2/open-mcp-auth-proxy/internal/config"
 )
 func TestAuthorizationModifier(t *testing.T) {
 	cfg := &config.Config{
 		Default: config.DefaultConfig{
 			Path: map[string]config.PathConfig{
 				"/authorize": {
 					AddQueryParams: []config.ParamConfig{
 						{Name: "client_id", Value: "test-client-id"},
 						{Name: "scope", Value: "openid"},
 					},
 				},
 			},
 		},
 	}
 	modifier := &AuthorizationModifier{Config: cfg}
 	// Create a test request
 	req, err := http.NewRequest("GET", "/authorize?response_type=code", nil)
 	if err != nil {
 		t.Fatalf("Failed to create request: %v", err)
 	}
 	// Modify the request
 	modifiedReq, err := modifier.ModifyRequest(req)
 	if err != nil {
 		t.Fatalf("ModifyRequest failed: %v", err)
 	}
 	// Check that the query parameters were added
 	query := modifiedReq.URL.Query()
 	if query.Get("client_id") != "test-client-id" {
 		t.Errorf("Expected client_id=test-client-id, got %s", query.Get("client_id"))
 	}
 	if query.Get("scope") != "openid" {
 		t.Errorf("Expected scope=openid, got %s", query.Get("scope"))
 	}
 	if query.Get("response_type") != "code" {
 		t.Errorf("Expected response_type=code, got %s", query.Get("response_type"))
 	}
 }
 func TestTokenModifier(t *testing.T) {
 	cfg := &config.Config{
 		Default: config.DefaultConfig{
 			Path: map[string]config.PathConfig{
 				"/token": {
 					AddBodyParams: []config.ParamConfig{
 						{Name: "audience", Value: "test-audience"},
 					},
 				},
 			},
 		},
 	}
 	modifier := &TokenModifier{Config: cfg}
 	// Create a test request with form data
 	form := url.Values{}
 	req, err := http.NewRequest("POST", "/token", strings.NewReader(form.Encode()))
 	if err != nil {
 		t.Fatalf("Failed to create request: %v", err)
 	}
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 	// Modify the request
 	modifiedReq, err := modifier.ModifyRequest(req)
 	if err != nil {
 		t.Fatalf("ModifyRequest failed: %v", err)
 	}
 	body := make([]byte, 1024)
 	n, err := modifiedReq.Body.Read(body)
 	if err != nil && err.Error() != "EOF" {
 		t.Fatalf("Failed to read body: %v", err)
 	}
 	bodyStr := string(body[:n])
 	// Parse the form data from the modified request
 	if err := modifiedReq.ParseForm(); err != nil {
 		t.Fatalf("Failed to parse form data: %v", err)
 	}
 	// Check that the body parameters were added
 	if !strings.Contains(bodyStr, "audience") {
 		t.Errorf("Expected body to contain audience, got %s", bodyStr)
 	}
 }
 func TestRegisterModifier(t *testing.T) {
 	cfg := &config.Config{
 		Default: config.DefaultConfig{
 			Path: map[string]config.PathConfig{
 				"/register": {
 					AddBodyParams: []config.ParamConfig{
 						{Name: "client_name", Value: "test-client"},
 					},
 				},
 			},
 		},
 	}
 	modifier := &RegisterModifier{Config: cfg}
 	// Create a test request with JSON data
 	jsonBody := `{"redirect_uris":["https://example.com/callback"]}`
 	req, err := http.NewRequest("POST", "/register", strings.NewReader(jsonBody))
 	if err != nil {
 		t.Fatalf("Failed to create request: %v", err)
 	}
 	req.Header.Set("Content-Type", "application/json")
 	// Modify the request
 	modifiedReq, err := modifier.ModifyRequest(req)
 	if err != nil {
 		t.Fatalf("ModifyRequest failed: %v", err)
 	}
 	// Read the body and check that it still contains the original data
 	// This test would need to be enhanced with a proper JSON parsing to verify
 	// the added parameters
 	body := make([]byte, 1024)
 	n, err := modifiedReq.Body.Read(body)
 	if err != nil && err.Error() != "EOF" {
 		t.Fatalf("Failed to read body: %v", err)
 	}
 	bodyStr := string(body[:n])
 	// Simple check to see if the modified body contains the expected fields
 	if !strings.Contains(bodyStr, "client_name") {
 		t.Errorf("Expected body to contain client_name, got %s", bodyStr)
 	}
 	if !strings.Contains(bodyStr, "redirect_uris") {
 		t.Errorf("Expected body to contain redirect_uris, got %s", bodyStr)
 	}
 }
--- a/internal/proxy/proxy.go
+++ b/internal/proxy/proxy.go
@ -2,6 +2,7 @@ package proxy
 import (
 	"context"
 	"log"
 	"net/http"
 	"net/http/httputil"
 	"net/url"
@ -10,7 +11,6 @@ import (
 	"github.com/wso2/open-mcp-auth-proxy/internal/authz"
 	"github.com/wso2/open-mcp-auth-proxy/internal/config"
 	"github.com/wso2/open-mcp-auth-proxy/internal/logging"
 	"github.com/wso2/open-mcp-auth-proxy/internal/util"
 )
@ -82,8 +82,7 @@ func NewRouter(cfg *config.Config, provider authz.Provider) http.Handler {
 	}
 	// MCP paths
-	mcpPaths := cfg.GetMCPPaths()
+	for _, path := range cfg.MCPPaths {
 	for _, path := range mcpPaths {
 		mux.HandleFunc(path, buildProxyHandler(cfg, modifiers))
 		registeredPaths[path] = true
 	}
@ -101,21 +100,23 @@ func NewRouter(cfg *config.Config, provider authz.Provider) http.Handler {
 func buildProxyHandler(cfg *config.Config, modifiers map[string]RequestModifier) http.HandlerFunc {
 	// Parse the base URLs up front
 	authBase, err := url.Parse(cfg.AuthServerBaseURL)
 	if err != nil {
-		logger.Error("Invalid auth server URL: %v", err)
+		log.Fatalf("Invalid auth server URL: %v", err)
 		panic(err) // Fatal error that prevents startup
 	}
-	
+	mcpBase, err := url.Parse(cfg.MCPServerBaseURL)
 	mcpBase, err := url.Parse(cfg.BaseURL)
 	if err != nil {
-		logger.Error("Invalid MCP server URL: %v", err)
+		log.Fatalf("Invalid MCP server URL: %v", err)
 		panic(err) // Fatal error that prevents startup
 	}
 	// Detect SSE paths from config
 	ssePaths := make(map[string]bool)
-	ssePaths[cfg.Paths.SSE] = true
+	for _, p := range cfg.MCPPaths {
 		if p == "/sse" {
 			ssePaths[p] = true
 		}
 	}
 	return func(w http.ResponseWriter, r *http.Request) {
 		origin := r.Header.Get("Origin")
@ -123,7 +124,7 @@ func buildProxyHandler(cfg *config.Config, modifiers map[string]RequestModifier)
 		// Handle OPTIONS
 		if r.Method == http.MethodOptions {
 			if allowedOrigin == "" {
-				logger.Warn("Preflight request from disallowed origin: %s", origin)
+				log.Printf("[proxy] Preflight request from disallowed origin: %s", origin)
 				http.Error(w, "CORS origin not allowed", http.StatusForbidden)
 				return
 			}
@ -133,7 +134,7 @@ func buildProxyHandler(cfg *config.Config, modifiers map[string]RequestModifier)
 		}
 		if allowedOrigin == "" {
-			logger.Warn("Request from disallowed origin: %s for %s", origin, r.URL.Path)
+			log.Printf("[proxy] Request from disallowed origin: %s for %s", origin, r.URL.Path)
 			http.Error(w, "CORS origin not allowed", http.StatusForbidden)
 			return
 		}
@ -151,7 +152,7 @@ func buildProxyHandler(cfg *config.Config, modifiers map[string]RequestModifier)
 			// Validate JWT for MCP paths if required
 			// Placeholder for JWT validation logic
 			if err := util.ValidateJWT(r.Header.Get("Authorization")); err != nil {
-				logger.Warn("Unauthorized request to %s: %v", r.URL.Path, err)
+				log.Printf("[proxy] Unauthorized request to %s: %v", r.URL.Path, err)
 				http.Error(w, "Unauthorized", http.StatusUnauthorized)
 				return
 			}
@ -169,7 +170,7 @@ func buildProxyHandler(cfg *config.Config, modifiers map[string]RequestModifier)
 			var err error
 			r, err = modifier.ModifyRequest(r)
 			if err != nil {
-				logger.Error("Error modifying request: %v", err)
+				log.Printf("[proxy] Error modifying request: %v", err)
 				http.Error(w, "Bad Request", http.StatusBadRequest)
 				return
 			}
@ -191,13 +192,7 @@ func buildProxyHandler(cfg *config.Config, modifiers map[string]RequestModifier)
 				req.Host = targetURL.Host
 				cleanHeaders := http.Header{}
-				
+
 				// Set proper origin header to match the target
 				if isSSE {
 					// For SSE, ensure origin matches the target
 					req.Header.Set("Origin", targetURL.Scheme+"://"+targetURL.Host)
 				}
 				for k, v := range r.Header {
 					// Skip hop-by-hop headers
 					if skipHeader(k) {
@ -210,33 +205,21 @@ func buildProxyHandler(cfg *config.Config, modifiers map[string]RequestModifier)
 				req.Header = cleanHeaders
-				logger.Debug("%s -> %s%s", r.URL.Path, req.URL.Host, req.URL.Path)
+				log.Printf("[proxy] %s -> %s%s", r.URL.Path, req.URL.Host, req.URL.Path)
 			},
 			ModifyResponse: func(resp *http.Response) error {
-				logger.Debug("Response from %s%s: %d", resp.Request.URL.Host, resp.Request.URL.Path, resp.StatusCode)
+				log.Printf("[proxy] Response from %s%s: %d", resp.Request.URL.Host, resp.Request.URL.Path, resp.StatusCode)
 				resp.Header.Del("Access-Control-Allow-Origin") // Avoid upstream conflicts
 				return nil
 			},
 			ErrorHandler: func(rw http.ResponseWriter, req *http.Request, err error) {
-				logger.Error("Error proxying: %v", err)
+				log.Printf("[proxy] Error proxying: %v", err)
 				http.Error(rw, "Bad Gateway", http.StatusBadGateway)
 			},
 			FlushInterval: -1, // immediate flush for SSE
 		}
 		if isSSE {
 			// Add special response handling for SSE connections to rewrite endpoint URLs
 			rp.Transport = &sseTransport{
 				Transport:  http.DefaultTransport,
 				proxyHost:  r.Host,
 				targetHost: targetURL.Host,
 			}
 			// Set SSE-specific headers
 			w.Header().Set("X-Accel-Buffering", "no")
 			w.Header().Set("Cache-Control", "no-cache")
 			w.Header().Set("Connection", "keep-alive")
 			// Keep SSE connections open
 			HandleSSE(w, r, rp)
 		} else {
@ -253,7 +236,6 @@ func getAllowedOrigin(origin string, cfg *config.Config) string {
 		return cfg.CORSConfig.AllowedOrigins[0] // Default to first allowed origin
 	}
 	for _, allowed := range cfg.CORSConfig.AllowedOrigins {
 		logger.Debug("Checking CORS origin: %s against allowed: %s", origin, allowed)
 		if allowed == origin {
 			return allowed
 		}
@ -274,7 +256,6 @@ func addCORSHeaders(w http.ResponseWriter, cfg *config.Config, allowedOrigin, re
 		w.Header().Set("Access-Control-Allow-Credentials", "true")
 	}
 	w.Header().Set("Vary", "Origin")
 	w.Header().Set("X-Accel-Buffering", "no")
 }
 func isAuthPath(path string) bool {
@ -292,8 +273,7 @@ func isAuthPath(path string) bool {
 // isMCPPath checks if the path is an MCP path
 func isMCPPath(path string, cfg *config.Config) bool {
-	mcpPaths := cfg.GetMCPPaths()
+	for _, p := range cfg.MCPPaths {
 	for _, p := range mcpPaths {
 		if strings.HasPrefix(path, p) {
 			return true
 		}
--- a/internal/proxy/sse.go
+++ b/internal/proxy/sse.go
@ -1,16 +1,11 @@
 package proxy
 import (
 	"bufio"
 	"context"
-	"fmt"
+	"log"
 	"io"
 	"net/http"
 	"net/http/httputil"
 	"strings"
 	"time"
 	"github.com/wso2/open-mcp-auth-proxy/internal/logging"
 )
 // HandleSSE sets up a go-routine to wait for context cancellation
@ -21,7 +16,7 @@ func HandleSSE(w http.ResponseWriter, r *http.Request, rp *httputil.ReverseProxy
 	go func() {
 		<-ctx.Done()
-		logger.Info("SSE connection closed from %s (path: %s)", r.RemoteAddr, r.URL.Path)
+		log.Printf("INFO: SSE connection closed from %s (path: %s)", r.RemoteAddr, r.URL.Path)
 		close(done)
 	}()
@ -37,73 +32,3 @@ func HandleSSE(w http.ResponseWriter, r *http.Request, rp *httputil.ReverseProxy
 func NewShutdownContext(timeout time.Duration) (context.Context, context.CancelFunc) {
 	return context.WithTimeout(context.Background(), timeout)
 }
 // sseTransport is a custom http.RoundTripper that intercepts and modifies SSE responses
 type sseTransport struct {
 	Transport  http.RoundTripper
 	proxyHost  string
 	targetHost string
 }
 func (t *sseTransport) RoundTrip(req *http.Request) (*http.Response, error) {
 	// Call the underlying transport
 	resp, err := t.Transport.RoundTrip(req)
 	if err != nil {
 		return nil, err
 	}
 	// Check if this is an SSE response
 	contentType := resp.Header.Get("Content-Type")
 	if !strings.Contains(contentType, "text/event-stream") {
 		return resp, nil
 	}
 	logger.Info("Intercepting SSE response to modify endpoint events")
 	// Create a response wrapper that modifies the response body
 	originalBody := resp.Body
 	pr, pw := io.Pipe()
 	go func() {
 		defer originalBody.Close()
 		defer pw.Close()
 		scanner := bufio.NewScanner(originalBody)
 		for scanner.Scan() {
 			line := scanner.Text()
 			// Check if this line contains an endpoint event
 			if strings.HasPrefix(line, "event: endpoint") {
 				// Read the data line
 				if scanner.Scan() {
 					dataLine := scanner.Text()
 					if strings.HasPrefix(dataLine, "data: ") {
 						// Extract the endpoint URL
 						endpoint := strings.TrimPrefix(dataLine, "data: ")
 						// Replace the host in the endpoint
 						logger.Debug("Original endpoint: %s", endpoint)
 						endpoint = strings.Replace(endpoint, t.targetHost, t.proxyHost, 1)
 						logger.Debug("Modified endpoint: %s", endpoint)
 						// Write the modified event lines
 						fmt.Fprintln(pw, line)
 						fmt.Fprintln(pw, "data: "+endpoint)
 						continue
 					}
 				}
 			}
 			// Write the original line for non-endpoint events
 			fmt.Fprintln(pw, line)
 		}
 		if err := scanner.Err(); err != nil {
 			logger.Error("Error reading SSE stream: %v", err)
 		}
 	}()
 	// Replace the response body with our modified pipe
 	resp.Body = pr
 	return resp, nil
 }
--- a/internal/subprocess/manager.go
+++ b/internal/subprocess/manager.go
@ -1,268 +0,0 @@
 package subprocess
 import (
 	"fmt"
 	"os"
 	"os/exec"
 	"sync"
 	"syscall"
 	"time"
 	"strings"
 	"github.com/wso2/open-mcp-auth-proxy/internal/config"
 	"github.com/wso2/open-mcp-auth-proxy/internal/logging"
 )
 // Manager handles starting and graceful shutdown of subprocesses
 type Manager struct {
 	process       *os.Process
 	processGroup  int
 	mutex         sync.Mutex
 	cmd           *exec.Cmd
 	shutdownDelay time.Duration
 }
 // NewManager creates a new subprocess manager
 func NewManager() *Manager {
 	return &Manager{
 		shutdownDelay: 5 * time.Second,
 	}
 }
 // EnsureDependenciesAvailable checks and installs required package executors
 func EnsureDependenciesAvailable(command string) error {
    // Always ensure npx is available regardless of the command
    if _, err := exec.LookPath("npx"); err != nil {
        // npx is not available, check if npm is installed
        if _, err := exec.LookPath("npm"); err != nil {
            return fmt.Errorf("npx not found and npm not available; please install Node.js from https://nodejs.org/")
        }
        // Try to install npx using npm
        logger.Info("npx not found, attempting to install...")
        cmd := exec.Command("npm", "install", "-g", "npx")
        cmd.Stdout = os.Stdout
        cmd.Stderr = os.Stderr
        if err := cmd.Run(); err != nil {
            return fmt.Errorf("failed to install npx: %w", err)
        }
        logger.Info("npx installed successfully")
    }
    // Check if uv is needed based on the command
    if strings.Contains(command, "uv ") {
        if _, err := exec.LookPath("uv"); err != nil {
            return fmt.Errorf("command requires uv but it's not installed; please install it following instructions at https://github.com/astral-sh/uv")
        }
    }
    return nil
 }
 // SetShutdownDelay sets the maximum time to wait for graceful shutdown
 func (m *Manager) SetShutdownDelay(duration time.Duration) {
 	m.shutdownDelay = duration
 }
 // Start launches a subprocess based on the configuration
 func (m *Manager) Start(cfg *config.Config) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 	// If a process is already running, return an error
 	if m.process != nil {
 		return os.ErrExist
 	}
 	if !cfg.Stdio.Enabled || cfg.Stdio.UserCommand == "" {
 		return nil // Nothing to start
 	}
 	// Get the full command string
 	execCommand := cfg.BuildExecCommand()
 	if execCommand == "" {
 		return nil // No command to execute
 	}
 	logger.Info("Starting subprocess with command: %s", execCommand)
 	// Use the shell to execute the command
 	cmd := exec.Command("sh", "-c", execCommand)
 	// Set working directory if specified
 	if cfg.Stdio.WorkDir != "" {
 		cmd.Dir = cfg.Stdio.WorkDir
 	}
 	// Set environment variables if specified
 	if len(cfg.Stdio.Env) > 0 {
 		cmd.Env = append(os.Environ(), cfg.Stdio.Env...)
 	}
 	// Capture stdout/stderr
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
 	// Set the process group for proper termination
 	cmd.SysProcAttr = &syscall.SysProcAttr{Setpgid: true}
 	// Start the process
 	if err := cmd.Start(); err != nil {
 		return err
 	}
 	m.process = cmd.Process
 	m.cmd = cmd
 	logger.Info("Subprocess started with PID: %d", m.process.Pid)
 	// Get and store the process group ID
 	pgid, err := syscall.Getpgid(m.process.Pid)
 	if err == nil {
 		m.processGroup = pgid
 		logger.Debug("Process group ID: %d", m.processGroup)
 	} else {
 		logger.Warn("Failed to get process group ID: %v", err)
 		m.processGroup = m.process.Pid
 	}
 	// Handle process termination in background
 	go func() {
 		if err := cmd.Wait(); err != nil {
 			logger.Error("Subprocess exited with error: %v", err)
 		} else {
 			logger.Info("Subprocess exited successfully")
 		}
 		// Clear the process reference when it exits
 		m.mutex.Lock()
 		m.process = nil
 		m.cmd = nil
 		m.mutex.Unlock()
 	}()
 	return nil
 }
 // IsRunning checks if the subprocess is running
 func (m *Manager) IsRunning() bool {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 	return m.process != nil
 }
 // Shutdown gracefully terminates the subprocess
 func (m *Manager) Shutdown() {
 	m.mutex.Lock()
 	processToTerminate := m.process           // Local copy of the process reference
 	processGroupToTerminate := m.processGroup
 	m.mutex.Unlock()
 	if processToTerminate == nil {
 		return // No process to terminate
 	}
 	logger.Info("Terminating subprocess...")
 	terminateComplete := make(chan struct{})
 	go func() {
 		defer close(terminateComplete)
 		// Try graceful termination first with SIGTERM
 		terminatedGracefully := false
 		// Try to terminate the process group first
 		if processGroupToTerminate != 0 {
 			err := syscall.Kill(-processGroupToTerminate, syscall.SIGTERM)
 			if err != nil {
 				logger.Warn("Failed to send SIGTERM to process group: %v", err)
 				// Fallback to terminating just the process
 				m.mutex.Lock()
 				if m.process != nil {
 					err = m.process.Signal(syscall.SIGTERM)
 					if err != nil {
 						logger.Warn("Failed to send SIGTERM to process: %v", err)
 					}
 				}
 				m.mutex.Unlock()
 			}
 		} else {
 			// Try to terminate just the process
 			m.mutex.Lock()
 			if m.process != nil {
 				err := m.process.Signal(syscall.SIGTERM)
 				if err != nil {
 					logger.Warn("Failed to send SIGTERM to process: %v", err)
 				}
 			}
 			m.mutex.Unlock()
 		}
 		// Wait for the process to exit gracefully
 		for i := 0; i < 10; i++ {
 			time.Sleep(200 * time.Millisecond)
 			m.mutex.Lock()
 			if m.process == nil {
 				terminatedGracefully = true
 				m.mutex.Unlock()
 				break
 			}
 			m.mutex.Unlock()
 		}
 		if terminatedGracefully {
 			logger.Info("Subprocess terminated gracefully")
 			return
 		}
 		// If the process didn't exit gracefully, force kill
 		logger.Warn("Subprocess didn't exit gracefully, forcing termination...")
 		// Try to kill the process group first
 		if processGroupToTerminate != 0 {
 			if err := syscall.Kill(-processGroupToTerminate, syscall.SIGKILL); err != nil {
 				logger.Warn("Failed to send SIGKILL to process group: %v", err)
 				// Fallback to killing just the process
 				m.mutex.Lock()
 				if m.process != nil {
 					if err := m.process.Kill(); err != nil {
 						logger.Error("Failed to kill process: %v", err)
 					}
 				}
 				m.mutex.Unlock()
 			}
 		} else {
 			// Try to kill just the process
 			m.mutex.Lock()
 			if m.process != nil {
 				if err := m.process.Kill(); err != nil {
 					logger.Error("Failed to kill process: %v", err)
 				}
 			}
 			m.mutex.Unlock()
 		}
 		// Wait a bit more to confirm termination
 		time.Sleep(500 * time.Millisecond)
 		m.mutex.Lock()
 		if m.process == nil {
 			logger.Info("Subprocess terminated by force")
 		} else {
 			logger.Warn("Failed to terminate subprocess")
 		}
 		m.mutex.Unlock()
 	}()
 	// Wait for termination with timeout
 	select {
 	case <-terminateComplete:
 		// Termination completed
 	case <-time.After(m.shutdownDelay):
 		logger.Warn("Subprocess termination timed out")
 	}
 }
--- a/internal/util/jwks.go
+++ b/internal/util/jwks.go
@ -4,12 +4,12 @@ import (
 	"crypto/rsa"
 	"encoding/json"
 	"errors"
 	"log"
 	"math/big"
 	"net/http"
 	"strings"
 	"github.com/golang-jwt/jwt/v4"
 	"github.com/wso2/open-mcp-auth-proxy/internal/logging"
 )
 type JWKS struct {
@ -50,7 +50,7 @@ func FetchJWKS(jwksURL string) error {
 			publicKeys[parsedKey.Kid] = pubKey
 		}
 	}
-	logger.Info("Loaded %d public keys.", len(publicKeys))
+	log.Printf("[JWKS] Loaded %d public keys.", len(publicKeys))
 	return nil
 }
--- a/internal/util/jwks_test.go
+++ b/internal/util/jwks_test.go
@ -1,143 +0,0 @@
 package util
 import (
 	"crypto/rand"
 	"crypto/rsa"
 	"encoding/base64"
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
 	"testing"
 	"time"
 	"github.com/golang-jwt/jwt/v4"
 )
 func TestValidateJWT(t *testing.T) {
 	// Initialize the test JWKS data
 	initTestJWKS(t)
 	// Test cases
 	tests := []struct {
 		name        string
 		authHeader  string
 		expectError bool
 	}{
 		{
 			name:        "Valid JWT token",
 			authHeader:  "Bearer " + createValidJWT(t),
 			expectError: false,
 		},
 		{
 			name:        "No auth header",
 			authHeader:  "",
 			expectError: true,
 		},
 		{
 			name:        "Invalid auth header format",
 			authHeader:  "InvalidFormat",
 			expectError: true,
 		},
 		{
 			name:        "Invalid JWT token",
 			authHeader:  "Bearer invalid.jwt.token",
 			expectError: true,
 		},
 	}
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
 			err := ValidateJWT(tc.authHeader)
 			if tc.expectError && err == nil {
 				t.Errorf("Expected error but got none")
 			}
 			if !tc.expectError && err != nil {
 				t.Errorf("Expected no error but got: %v", err)
 			}
 		})
 	}
 }
 func TestFetchJWKS(t *testing.T) {
 	// Create a mock JWKS server
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		// Generate a test RSA key
 		privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
 		if err != nil {
 			t.Fatalf("Failed to generate RSA key: %v", err)
 		}
 		// Create JWKS response
 		jwks := map[string]interface{}{
 			"keys": []map[string]interface{}{
 				{
 					"kty": "RSA",
 					"kid": "test-key-id",
 					"n":   base64.RawURLEncoding.EncodeToString(privateKey.N.Bytes()),
 					"e":   base64.RawURLEncoding.EncodeToString([]byte{1, 0, 1}), // Default exponent 65537
 				},
 			},
 		}
 		w.Header().Set("Content-Type", "application/json")
 		json.NewEncoder(w).Encode(jwks)
 	}))
 	defer server.Close()
 	// Test fetching JWKS
 	err := FetchJWKS(server.URL)
 	if err != nil {
 		t.Fatalf("FetchJWKS failed: %v", err)
 	}
 	// Check that keys were stored
 	if len(publicKeys) == 0 {
 		t.Errorf("Expected publicKeys to be populated")
 	}
 }
 // Helper function to initialize test JWKS data
 func initTestJWKS(t *testing.T) {
 	// Create a test RSA key pair
 	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
 		t.Fatalf("Failed to generate RSA key: %v", err)
 	}
 	// Initialize the publicKeys map
 	publicKeys = map[string]*rsa.PublicKey{
 		"test-key-id": &privateKey.PublicKey,
 	}
 }
 // Helper function to create a valid JWT token for testing
 func createValidJWT(t *testing.T) string {
 	// Create a test RSA key pair
 	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
 		t.Fatalf("Failed to generate RSA key: %v", err)
 	}
 	// Ensure the test key is in the publicKeys map
 	if publicKeys == nil {
 		publicKeys = map[string]*rsa.PublicKey{}
 	}
 	publicKeys["test-key-id"] = &privateKey.PublicKey
 	// Create token
 	token := jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.MapClaims{
 		"sub":  "1234567890",
 		"name": "Test User",
 		"iat":  time.Now().Unix(),
 		"exp":  time.Now().Add(time.Hour).Unix(),
 	})
 	token.Header["kid"] = "test-key-id"
 	// Sign the token
 	tokenString, err := token.SignedString(privateKey)
 	if err != nil {
 		t.Fatalf("Failed to sign token: %v", err)
 	}
 	return tokenString
 }
--- a/pull_request_template.md
+++ b/pull_request_template.md
@ -1,11 +1,52 @@
 ## Purpose
-<!-- Describe the problems, issues, or needs driving this feature/fix and include links to related issues in the following format: Resolves issue1, issue2, etc. -->
+> Describe the problems, issues, or needs driving this feature/fix and include links to related issues in the following format: Resolves issue1, issue2, etc.
-## Related Issues
+## Goals
-<!-- List any related issues --> 
+> Describe the solutions that this feature/fix will introduce to resolve the problems described above
 ## Approach
 > Describe how you are implementing the solutions. Include an animated GIF or screenshot if the change affects the UI (email documentation@wso2.com to review all UI text). Include a link to a Markdown file or Google doc if the feature write-up is too long to paste here.
 ## User stories
 > Summary of user stories addressed by this change>
 ## Release note
 > Brief description of the new feature or bug fix as it will appear in the release notes
 ## Documentation
 > Link(s) to product documentation that addresses the changes of this PR. If no doc impact, enter “N/A” plus brief explanation of why there’s no doc impact
 ## Training
 > Link to the PR for changes to the training content in https://github.com/wso2/WSO2-Training, if applicable
 ## Certification
 > Type “Sent” when you have provided new/updated certification questions, plus four answers for each question (correct answer highlighted in bold), based on this change. Certification questions/answers should be sent to certification@wso2.com and NOT pasted in this PR. If there is no impact on certification exams, type “N/A” and explain why.
 ## Marketing
 > Link to drafts of marketing content that will describe and promote this feature, including product page changes, technical articles, blog posts, videos, etc., if applicable
 ## Automation tests
 - Unit tests 
   > Code coverage information
 - Integration tests
   > Details about the test cases and coverage
 ## Security checks
 - Followed secure coding standards in http://wso2.com/technical-reports/wso2-secure-engineering-guidelines? yes/no
 - Ran FindSecurityBugs plugin and verified report? yes/no
 - Confirmed that this PR doesn't commit any keys, passwords, tokens, usernames, or other secrets? yes/no
 ## Samples
 > Provide high-level details about the samples related to this feature
 ## Related PRs
-<!-- List any other related PRs -->
+> List any other related PRs
 ## Migrations (if applicable)
-<!-- Describe migration steps and platforms on which migration has been tested --> 
+> Describe migration steps and platforms on which migration has been tested
 ## Test environment
 > List all JDK versions, operating systems, databases, and browser/versions on which this feature/fix was tested
 ## Learning
 > Describe the research phase and any blog posts, patterns, libraries, or add-ons you used to solve the problem.
--- a/resources/requirements.txt
+++ b/resources/requirements.txt
@ -1 +0,0 @@
 fastmcp==0.4.1