
From zero to MCP server: no auth required

The fastest path to a working MCP server. Start with an unauthenticated API and have a live endpoint in under two minutes.

June 1, 2026 · 4 min read

What you'll build

A live MCP server wrapping an unauthenticated REST API. Any MCP client (Claude Desktop, Cursor, or a custom agent) calls your API through it. No credentials, no tokens, just a URL.

This tutorial uses Cast's open-source test-server in unauthenticated mode. You can follow along locally in under two minutes.

1. Start the test server

terminal
cd cast-mcp/test-server
npm install
npx ts-node src/index.ts --mode unauthenticated --port 3456

You'll see a startup banner. Open http://localhost:3456/swagger to browse the live API: items, users, echo, health, all open with no auth.

2. Create a workspace

Log into Cast, click New workspace, and name it something like test-unauthenticated. You'll land on the Upload tab.

Workspace navigation (actual UI): overview, upload, configure, connect, analytics, logs

3. Upload the OpenAPI spec

Download the spec and upload it on the Upload tab:

terminal
curl http://localhost:3456/openapi.json -o spec.json

Cast parses the spec and generates tool definitions for every operation. Processing takes under 10 seconds, then the Configure tab becomes active.

4. Configure auth

Switch to the Configure tab. Since this server has no auth, set the base URL, select Bearer Token, and leave the token field empty. Cast will send requests with no Authorization header and the server won't check for one.

Configure → Auth (actual UI)

API Base URL: http://localhost:3456

Auth methods:
Bearer Token: Authorization: Bearer <token>
API Key Header: X-Api-Key: <key>
Custom Headers: Any header name + value
OAuth 2.0: PKCE · DCR support

Bearer Token: eyJhbGciOi…
Stored encrypted; never visible after saving.

Save auth configuration

For a truly open API you only need the base URL to be correct. Cast forwards every request to it verbatim.

5. Enable tools

Below the auth section is the tool list. Every operation from your OpenAPI spec appears here. Toggle on the ones you want agents to be able to call. For testing, enable everything except the operations you want to restrict (e.g. delete endpoints).

Configure → Tools (actual UI)

GET     listItems    /api/items
POST    createItem   /api/items
GET     getItem      /api/items/{id}
DELETE  deleteItem   /api/items/{id}
GET     echoRequest  /api/echo
GET     healthCheck  /api/health

Click Save changes. Cast encrypts your config (even the empty auth in this case) and reloads the MCP server.
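
To decide which tools to enable, it helps to list what the spec exposes before toggling anything. The following is an added example, not Cast's code or part of the original tutorial: it walks an OpenAPI document, flags state-changing operations that accept anonymous calls, and generalizes the delete-endpoint advice above to POST, PUT and PATCH as well. The names auditSpec, holdBack and sampleSpec are hypothetical, and sampleSpec is a constructed stand-in for the spec.json downloaded in step 3.

```javascript
// Added example: audit an OpenAPI document before enabling its operations as MCP tools.
const METHODS = ["get", "put", "post", "delete", "patch", "head", "options"];
const MUTATING = new Set(["post", "put", "patch", "delete"]);

function auditSpec(spec) {
  const rows = [];
  for (const [path, item] of Object.entries(spec.paths || {})) {
    for (const method of METHODS) {
      const op = item[method];
      if (!op) continue;
      // Operation-level `security` overrides the document-level one. A missing
      // list, an empty list, or an empty requirement {} all allow anonymous calls.
      const security = op.security !== undefined ? op.security : spec.security;
      const anonymous = !Array.isArray(security) || security.length === 0
        || security.some((req) => Object.keys(req).length === 0);
      rows.push({
        tool: op.operationId || `${method} ${path}`,
        method: method.toUpperCase(),
        path,
        mutating: MUTATING.has(method),
        anonymous,
      });
    }
  }
  return rows;
}

// Tools to leave toggled off until reviewed: with no credential on the API,
// the MCP URL is the only thing between a caller and these operations.
function holdBack(rows) {
  return rows.filter((r) => r.mutating && r.anonymous).map((r) => r.tool);
}

// Constructed sample mirroring the tool list above (not the real spec.json).
// To audit the real file, pass the parsed contents of spec.json instead.
const sampleSpec = {
  openapi: "3.0.3",
  paths: {
    "/api/items": { get: { operationId: "listItems" }, post: { operationId: "createItem" } },
    "/api/items/{id}": { get: { operationId: "getItem" }, delete: { operationId: "deleteItem" } },
    "/api/echo": { get: { operationId: "echoRequest" } },
    "/api/health": { get: { operationId: "healthCheck" } },
  },
};

const audited = auditSpec(sampleSpec);
for (const r of audited) {
  console.log(r.method.padEnd(7), r.tool.padEnd(12), r.path, r.mutating ? "[state-changing]" : "");
}
console.log("Review before enabling:", holdBack(audited).join(", "));
```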

6. Get your MCP URL

Switch to the Connect tab. Cast shows you a ready-to-paste config for each supported client.

Connect → Your MCP URL (actual UI)
Clients: Claude Desktop, Cursor, Windsurf, Cline

claude_desktop_config.json
{
  "mcpServers": {
    "test-unauthenticated": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote@latest",
        "https://mcp.getcast.io/test-unauthenticated-cmpqfpkqh000f"
      ]
    }
  }
}
Server active · 0 errors

7. Connect Claude Desktop

Copy the config from the Connect tab and paste it into your claude_desktop_config.json. Restart Claude Desktop, open a new conversation, and ask it to list items from your API.

Next steps

Once you're comfortable with the flow, add real authentication. The next tutorial covers API key auth, the most common pattern for developer APIs.