Use the up command to generate and optionally start a profile container along with its supporting artifacts.

Syntax

./mcpgen up [options]

Options for the up Command

The following table lists the available options for the up command, describing their purpose and any important usage notes:
Option Purpose Notes
--quick Non-interactive defaults This flag skips all prompts and automatically selects a derived profile name if one is not provided.
--interactive Guided parameter entry When this flag is used, the CLI launches an interactive wizard for configuration. It cannot be combined with --quick.
--instance NAME Specifies an explicit profile or container name. The name must be unique because it is used as both the directory name and the container identifier.
--port PORT Sets the host port mapping for the container. For example, you can specify 8500. If omitted, the port is auto-assigned by the system.
--spec PATH Provides the path to the OpenAPI specification file. If this flag is not specified, the CLI defaults to OpenAPI specification file if that file is present in the working directory.
--prompts DIR Specifies the path to the prompts directory containing Markdown files. If this is omitted, the server uses the default prompts directory, which is the ./prompts directory in the current working directory.

Use --no-prompt to disable prompt loading entirely.
--tls Enables server-side TLS for secure communication. When this flag is used, development certificates are generated automatically if they do not already exist.
--mtls Enables mutual TLS (mTLS) for enhanced security. This flag implies --tls and additionally generates a client CA and client certificate for mutual authentication.
--extra-hostnames HOST1,HOST2,... Adds additional hostnames to TLS certificates. These hostnames are included as Subject Alternative Names (SAN) in the generated certificates. This works with both --tls and --mtls.
--no-sa Skips the creation of service account keys and tokens. When this flag is used, tool scopes are limited to user authentication only.
--no-prompt Prevents loading of prompt markdown files. Prompt tools remain registered but return empty selections when invoked.
--no-smoke Skips the post-start smoke test. This is useful when troubleshooting startup issues or iterating on failing configurations.
--images IMAGE[,UTILS] Overrides the default server image and optionally the utilities image. This feature is experimental and may be replaced by environment variables in future versions.

Behavior summary

The up command performs the following internal operations when creating a new profile:

  • Creates a directory under generated/<profile_name>/ with the server, client, certificates, and service account subfolders.
  • Writes the mcp_server_config.json configuration file with all specified settings.
  • Optionally performs a smoke test (tool listing) unless the --no-smoke flag is used.

  • Automatically determines authentication header precedence in the following order: service account prefix → user token prefix → Bearer.

Interactive mode features

When you use the --interactive flag, the CLI launches a guided wizard to help configure authentication and other settings.

The wizard prompts: 
Enable user_auth pass-through? (y/N)
Where,
  • y (yes)
    • Configures token-based authentication (Bearer, OAuth, JWT, etc.)
    • Sets header name (default: Authorization)
    • Sets token prefix (default: Bearer)
    • Optionally provides a test token
    • Configures token exchange if needed (URL, body field, response path)
  • N (default) (No)
    • Does not configure user authentication
    • Useful for public APIs or when authentication is external

Manual authentication setup

Manual authentication setup allows you to define custom headers or credentials for downstream API calls. This is typically used for:
  • Basic authentication
  • API keys
  • Custom header-based authentication
Use these steps to configure authentication manually after profile generation when the interactive wizard is not sufficient or when custom methods are required.
  1. Generate Base64-encoded credentials for basic authentication:
    
# For credentials restuser/password
echo -n "restuser:password" | base64
  2. You can configure authentication in one of two ways:
    1. Option A: Edit the file generated/<profile_name>/server/mcp_server_config.json and add the header directly:
      
{
  "runtime": {
    "http": {
      "default_headers": {
        "Authorization": "Basic <Base64-encoded credentials>"
      }
    }
  }
}
      Note: Hardcoding credentials is not recommended for production environments.
    2. Option B: Use environment variables to store sensitive information securely by following these steps:
      1. Edit generated/<profile_name>/server/mcp_server_config.json to reference the variable:
        
{
  "runtime": {
    "http": {
      "default_headers": {
        "Authorization": "${DOWNSTREAM_AUTH_HEADER}"
      }
    }
  }
}
      2. Add the environment variable to generated/<profile_name>/server/server.env:
        
# Add to server/server.env
DOWNSTREAM_AUTH_HEADER=Basic <Base64-encoded credentials>
      3. Ensure the environment file is loaded automatically by Docker when starting the container:
        • ./mcpgen start <container_name>
        • generated/<profile_name>/start_server.sh
        • docker-compose.mcp.yml
        Note: Both $VAR and ${VAR} syntax are supported for environment variable expansion.

For more information about the additional configurations options and the generated profile structure, see Step 5: Generate and start a profile.