⚡ Upcoming: Build, Extend, and Shape Agentic Interfaces on Your Terms Don't miss out
Blog

Open Source: FrontMCP is a Secure MCP Platform for Modern JavaScript Developers

November 05, 2025 |
Avatar photo Aviad Mizrachi
| 4  min read |

“Every open-source MCP tool out there is Python-based. If we really cared about developers, we would do better for the JavaScript community.”

That was our JavaScript architect, David, and what he said stuck in my head. He was right. So as we built Frontegg AgentLink, I decided to open its core to the world. Today, I’m excited to share that the open-core version of AgentLink is now live on GitHub as FrontMCP.

A peek under the hood

Underneath the hood, FrontMCP uses:

  • TypeScript-first development: for strong typing and predictable behavior.
  • EventEmitters and Streams: to manage async communication between MCP modules.
  • JSON-RPC 2.0 protocol: for standardized, interoperable messaging between clients and servers.
  • Pluggable Middleware: for authentication, authorization, and rate-limiting.
  • Dynamic Discovery: enabling runtime detection of new agents and auto-registration.

This makes it not only developer-friendly but also production-ready. You can scale horizontally, integrate monitoring hooks, and still maintain the flexibility that JavaScript developers expect.

Supporting the developer community matters

Great products come from great communities. Devs are the ones who debug late at night, experiment with new frameworks, and push the limits of what’s possible. Transferring that knowledge among peers is where so much of the magic happens. But JavaScript developers didn’t have a solid, modern, open-source option for building or running MCP servers. Most implementations lived in the Python world.

FrontMCP changes that. It’s written entirely in TypeScript and built with modern Node.js design patterns such as async/await, modular dependency injection, and event-driven APIs. It’s designed to feel native to how JavaScript developers build systems today, whether you’re working with ESM modules, TypeScript decorators, or serverless runtimes.

With FrontMCP, you can:

  • Build and run MCP servers with native async execution.
  • Extend endpoints and transports using plugin hooks.
  • Integrate directly into existing Node.js microservices or cloud environments.
  • Debug and trace every call using built-in structured logging.

Now there’s an MCP platform for JavaScript developers that feels natural – one where you can inspect the internals, extend the logic, and easily contribute back.

Security Is mandatory

There’s a lesson we’ll all learn the easy way or the hard way: Security in MCP servers isn’t something you can bolt on later. It has to be designed into the architecture. FrontMCP has you covered.

Here are some of the key security principles baked into FrontMCP:

  • Isolated Execution Contexts: Every MCP session runs in its own sandboxed runtime using Node’s worker threads or VM contexts, preventing cross-agent contamination.
  • Strict Input Validation: All inbound requests are validated using schema-based validation with Zod and TypeScript type inference, reducing injection and deserialization risks.
  • Granular Permissions: Each connector or plugin registers its own scope definition, giving administrators fine-grained control over what each module can access.
  • Secure Transport Layer: Supports HTTPS and signed WebSocket transports, ensuring message integrity and confidentiality.
  • Observability & Auditing: Every interaction is traceable, with structured logs that integrate easily into tools like Datadog and OpenTelemetry.

Security is about defining clear trust boundaries and minimizing implicit trust across every component. It’s not enough to bet on adding layers later. You shouldn’t have to close one eye and hope things hold together.

Flexibility is freedom

Every team builds differently, and that’s okay. Some teams need to deploy lightweight MCP services that run as part of a monolith, while others integrate them into large distributed systems. FrontMCP was built to be modular, composable, and transparent.

The architecture is based around three key primitives:

  • Adapters: for customizing transport layers (HTTP, WebSocket, or custom protocols).
  • Providers: for extending or injecting new MCP capabilities.
  • Runtime Controllers: for orchestrating agents and managing lifecycles.

You can import FrontMCP as a library and embed it inside your existing Node service, or you can run it standalone as a CLI-managed daemon. It supports both CommonJS and ESM environments, and because it’s open-core, you can dive into the internals, tweak the behavior, and contribute directly.

We’ve also made sure it’s flexible enough for different infrastructure setups – you can deploy it inside Docker, run it in edge functions, or integrate it with orchestration frameworks like Kubernetes. The modular design means you only use what you need, keeping your footprint small and predictable.

This is just the beginning

FrontMCP is a big step for the JavaScript community to build safer, more flexible MCP servers. More features are on the way, like:

  • WebSocket adapters for real-time message handling.
  • Built-in token-based authentication and role-based access.
  • Improved developer tooling and diagnostics.
  • Deep integration with the AgentLink orchestration layer.

We’re incredibly excited to see what developers do with it.

Check it out here: https://github.com/agentfront/frontmcp – and if you’re building with Node.js or TypeScript, we’d love your feedback, issues, and pull requests. Let’s build a safer, faster, and more open MCP ecosystem together.

And for more of my thoughts on AI agents and access control, take a look at this video interview I did during this year’s RSA conference.

Learn more about AgentLink:

The Complete Guide to SaaS Multi-Tenant Architecture

Read the guide
Avatar photo Aviad Mizrachi

Related blog posts