Updated March 2026 — Based on published documentation and GitHub source
Choose sigbit if you only need OAuth authentication and have no compliance or multi-user requirements — it’s free and does that job well. Choose MCP Zero-Trust Proxy if you need tool-level RBAC, session isolation, audit logging, rate limiting, or multi-tenant deployments.
| Feature | MCP Zero-Trust Proxy | MCP Auth Proxy (sigbit) |
|---|---|---|
| OAuth Authentication | ✓ GitHub, Google, OIDC | ✓ OAuth 2.0 |
| OAuth 2.1 PKCE | ✓ Full PKCE flow | ✗ OAuth 2.0 only |
| Tool-Level RBAC | ✓ Per-tool, per-user rules | ✗ Not available |
| Session Isolation | ✓ Per-user session store | ✗ Not available |
| Audit Logging | ✓ JSONL, file rotation | ✗ Not available |
| Rate Limiting | ✓ Per-client token bucket | ✗ Not available |
| Multi-Provider Auth | ✓ GitHub, Google, OIDC | Varies |
| Docker Deployment | ✓ Single-command | ✓ Available |
| Drop-in Proxy | ✓ Zero server changes | ✓ Zero server changes |
| Pricing | Free (1 server) — $49/mo Pro — $199/mo Enterprise | Free, open-source (MIT) |
| License | Commercial (Free tier available) | MIT (fully open-source) |
MCP Auth Proxy by theailanguage (known as sigbit in the community) is a solid, straightforward open-source project that does exactly what it promises: adds OAuth authentication to MCP servers with zero server modifications. It’s a well-designed tool for developers who only need authentication and have no compliance or access-control requirements. It’s genuinely the right choice if your use case is simple — free, no lock-in, and you can read every line of the code.
The feature gap becomes relevant when teams grow past a single developer, when different users need different permissions, or when any form of auditing or compliance is required. Supporting those cases adds complexity that sigbit intentionally leaves out in order to stay simple and focused.
One Docker command. Full auth, RBAC, audit logging, and rate limiting. Free tier available — no credit card required.