Streamable HTTP transport for MCP (recommended).

Provides a single POST endpoint for bidirectional communication. This is the modern replacement for SSE transport.

Options

• :server_module (required) — the MCP server module to route requests to
• :server_name — advertised server name in the initialize response (falls back to the module's __endpoint_config__/0 if defined)
• :server_version — advertised server version (same fallback behavior)
• :auth — authentication plug configuration. See ConduitMcp.Plugs.Auth.
• :rate_limit — HTTP-level rate limit configuration. See ConduitMcp.Plugs.RateLimit.
• :message_rate_limit — per-message rate limit configuration. See ConduitMcp.Plugs.MessageRateLimit.
• :session — session-store configuration. Enables Mcp-Session-Id handling. See ConduitMcp.Session.
• :allowed_origins — list of allowed Origin header values (also accepts "*" and regex). See ConduitMcp.Plugs.OriginValidation.
• :cors_origin — CORS allow-origin header (default: "*")
• :cors_methods — CORS allow-methods header (default: "GET, POST, OPTIONS")
• :cors_headers — CORS allow-headers header (default: "content-type, authorization")

When used via ConduitMcp.Endpoint, the :auth, :rate_limit, and :message_rate_limit options are auto-extracted from the endpoint config unless overridden here.

Example

{Bandit,
 plug: {ConduitMcp.Transport.StreamableHTTP,
        server_module: MyApp.MCPServer,
        cors_origin: "https://myapp.com",
        cors_methods: "POST, OPTIONS",
        cors_headers: "content-type"},
 port: 4001}

With Authentication

{Bandit,
 plug: {ConduitMcp.Transport.StreamableHTTP,
        server_module: MyApp.MCPServer,
        auth: [
          enabled: true,
          strategy: :bearer_token,
          token: "my-secret-token"
        ]},
 port: 4001}

Or with custom verification:

{Bandit,
 plug: {ConduitMcp.Transport.StreamableHTTP,
        server_module: MyApp.MCPServer,
        auth: [
          strategy: :function,
          verify: &MyApp.Auth.verify_token/1
        ]},
 port: 4001}