Labsco
zoharbabin logo

Kaltura MCP Server

β˜… 5

from zoharbabin

A server for performing secure, read-only operations on the Kaltura API.

πŸ”₯πŸ”₯πŸ”₯βœ“ VerifiedAccount requiredNeeds API keys

Kaltura MCP Server

A Model Context Protocol (MCP) server that provides secure, read-only tools for managing Kaltura API operations. This server enables AI assistants to search, discover, and analyze Kaltura media content safely.

Features

  • Media Discovery: Search and browse media entries with advanced filtering
  • Content Analysis: Access captions, transcripts, and attachment content
  • Category Management: Browse and explore content categories
  • Analytics: Retrieve viewing analytics and performance metrics
  • Secure Access: Read-only operations with comprehensive input validation
  • Session Management: Automatic session handling with configurable expiry

Remote MCP Server (Advanced)

User Authorization Flow

  1. Server Deployment: Deploy the remote server to your hosting environment
  2. User Authorization: Users visit https://your-server.com/oauth/authorize
  3. Credential Entry: Users securely enter their Kaltura credentials via web form
  4. Token Generation: Server generates a JWT token with encrypted credentials
  5. Client Configuration: Users add the server URL and token to their MCP client

Step-by-Step Remote Setup

1. Generate Secure JWT Secret

# Generate a strong secret key
python -c "import secrets; print(secrets.token_urlsafe(32))"

2. Configure Environment

# Set in your .env file or environment
JWT_SECRET_KEY=your-generated-secret-key-here
OAUTH_REDIRECT_URI=https://your-domain.com/oauth/callback
SERVER_HOST=0.0.0.0
SERVER_PORT=8000

3. Deploy Server

Option A: Direct Python

kaltura-mcp-remote

Option B: Docker

docker-compose up -d

Option C: Production with Gunicorn (Optional)

# Install gunicorn separately if needed for production
pip install gunicorn
gunicorn -w 4 -k uvicorn.workers.UvicornWorker kaltura_mcp.remote_server:app

4. User Onboarding

Send users to: https://your-server.com/oauth/authorize?response_type=code&client_id=kaltura-mcp&redirect_uri=https://your-server.com/oauth/callback&state=user123

5. Client Configuration

For Claude Desktop (Remote Mode):

The easiest way to use the remote server with Claude Desktop is via the proxy client:

{
  "mcpServers": {
    "kaltura-remote": {
      "command": "kaltura-mcp-proxy",
      "env": {
        "KALTURA_REMOTE_SERVER_URL": "https://your-server.com/mcp/messages",
        "KALTURA_REMOTE_ACCESS_TOKEN": "your-jwt-token-from-authorization-flow"
      }
    }
  }
}

The proxy client (kaltura-mcp-proxy) acts as a local stdio MCP server that forwards requests to your remote server. This provides the best compatibility with Claude Desktop.

For Custom MCP Clients:

// HTTP transport with authentication
const transport = new HTTPTransport({
  baseUrl: "https://your-server.com/mcp/messages",
  headers: {
    "Authorization": "Bearer user-jwt-token-here"
  }
});

Analytics Documentation

The MCP server provides a comprehensive analytics suite with purpose-driven functions optimized for different use cases:

Purpose-Built Analytics Functions:

  • get_analytics: Comprehensive reporting data in table format for detailed analysis
  • get_analytics_timeseries: Time-series data optimized for charts and visualizations
  • get_video_retention: Detailed viewer retention curves showing exactly where viewers drop off
  • get_realtime_metrics: Live analytics updated every ~30 seconds for monitoring
  • get_quality_metrics: Quality of Experience (QoE) metrics for streaming performance
  • get_geographic_breakdown: Location-based analytics at country, region, or city level

Analytics Capabilities:

  • 60+ report types covering content, users, geography, platforms, and more
  • Raw data access for custom analysis and visualization
  • Intelligent insights including drop-off points and engagement patterns
  • Support for filtering by date ranges, categories, users, and dimensions

For comprehensive documentation, see:

Security Considerations

Production Deployment

  • Use HTTPS: Always deploy with TLS/SSL certificates
  • Secure JWT Secret: Use a cryptographically strong secret key (32+ bytes)
  • Environment Security: Never commit secrets to version control
  • Network Security: Use firewalls and VPN access where appropriate
  • Regular Updates: Keep dependencies updated for security patches

JWT Token Security

  • Token Expiration: Tokens expire after 24 hours by default
  • Credential Encryption: Kaltura credentials are encrypted within JWT payload
  • Scope Limitation: Tokens are limited to read-only Kaltura operations
  • Revocation: Restart server to invalidate all existing tokens

Infrastructure

# Example nginx configuration for production
server {
    listen 443 ssl;
    server_name your-kaltura-mcp.com;
    
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;
    
    location / {
        proxy_pass http://localhost:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Docker Deployment

docker-compose.yml for production:

version: '3.8'
services:
  kaltura-mcp:
    build: .
    ports:
      - "8000:8000"
    environment:
      - JWT_SECRET_KEY=${JWT_SECRET_KEY}
      - OAUTH_REDIRECT_URI=https://your-domain.com/oauth/callback
      - SERVER_HOST=0.0.0.0
      - SERVER_PORT=8000
    restart: unless-stopped
    volumes:
      - ./logs:/app/logs
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.kaltura-mcp.rule=Host(\`your-domain.com\`)"
      - "traefik.http.routers.kaltura-mcp.tls=true"

Monitoring & Logging

The remote server provides built-in logging and can be monitored via:

  • Health Check: GET / returns server status
  • Metrics: Access logs via Docker volumes or server logs
  • Error Tracking: Configure external error tracking services

Important Security Notes

Local Mode Security (Recommended)

  • βœ… Direct Configuration - Credentials configured directly in Claude Desktop
  • βœ… MCP Standard Compliance - Client passes credentials to server via environment variables
  • βœ… Process Isolation - MCP server runs in isolated process with limited scope
  • βœ… No network exposure - Direct API communication with Kaltura
  • βœ… Local credential storage - Credentials never leave your machine
  • βœ… Secure transmission - Credentials passed securely to MCP server process

Remote Mode Security

  • βœ… Credential encryption - Kaltura credentials encrypted in JWT tokens
  • βœ… Token expiration - Automatic 24-hour token expiry
  • βœ… TLS encryption - HTTPS required for production
  • ⚠️ Server trust - You must trust the remote server operator
  • ⚠️ Credential transmission - Credentials are sent to remote server (encrypted)

Production Checklist

  • Use HTTPS with valid certificates
  • Generate strong JWT secret key (32+ bytes)
  • Configure secure environment variables
  • Set up proper logging and monitoring
  • Implement rate limiting (nginx/cloudflare)
  • Regular security updates
  • Backup and disaster recovery plan

Deployment Architectures

Personal Use (Recommended)

Claude Desktop ←→ Local MCP Server ←→ Kaltura API

Small Team

Claude Desktop ←→ Proxy Client ←→ Remote MCP Server ←→ Kaltura API

Enterprise

Multiple Clients ←→ Load Balancer ←→ Multiple MCP Servers ←→ Kaltura API
                                          ↓
                                    Redis/Database

Documentation

Development

Running Tests

pytest

Code Formatting

black src/
ruff check src/

License

MIT