Architecture
Bloque has three runtime components.
Components
Web App
The Bloque web app at bloque.run handles:
- User authentication (OAuth 2.1)
- Hub and MCP server configuration
- API key management
- Logs UI, Playground UI, Shared Hubs
MCP Router
The MCP Router exposes the MCP endpoint (https://mcp.bloque.run/mcp) that your AI clients connect to. Every connection passes through the Router, which:
- Validates the API key in the Authorization: Bearer header
- Looks up the Hub associated with the key
- Applies sticky-session routing so a client session always reaches the same runner
- Forwards the connection to the MCP Proxy
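The Router steps listed above, as an added Python sketch that is not Bloque's own code. The key-digest table, Hub and runner names, the session id argument, and the use of rendezvous hashing for stickiness are all assumptions made for illustration.

```python
import hashlib
import hmac


def _digest(key):
    return hashlib.sha256(key.encode()).hexdigest()


# Constructed sample data; storing only key digests is an assumption.
KEY_TO_HUB = {_digest("sample-key-alpha"): "hub-alpha",
              _digest("sample-key-beta"): "hub-beta"}
RUNNERS = ["runner-0", "runner-1", "runner-2"]  # hypothetical proxy pool


def parse_bearer(header):
    """Return the token from 'Bearer <token>', or None if absent or malformed."""
    parts = (header or "").split()
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return parts[1]


def lookup_hub(token):
    """Map an API key to its Hub, comparing digests in constant time."""
    candidate, hub = _digest(token), None
    for stored, hub_id in KEY_TO_HUB.items():
        if hmac.compare_digest(stored, candidate):
            hub = hub_id
    return hub


def pick_runner(session_id):
    """Rendezvous hashing: the same session id always selects the same runner."""
    def score(runner):
        return hashlib.sha256(f"{runner}|{session_id}".encode()).digest()
    return max(RUNNERS, key=score)


def route(headers, session_id):
    """Return (status, hub, runner); reject before any runner is chosen."""
    token = parse_bearer(headers.get("Authorization"))
    hub = lookup_hub(token) if token else None
    if hub is None:
        return (401, None, None)
    return (200, hub, pick_runner(session_id))


if __name__ == "__main__":
    print(route({"Authorization": "Bearer sample-key-alpha"}, "session-1"))
    print(route({"Authorization": "Basic abc"}, "session-1"))
```

Rejecting the request before `pick_runner` is called keeps unauthenticated traffic from ever reaching the proxy pool.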
MCP Proxy / Runner
The MCP Proxy (runner) executes MCP server processes on behalf of your Hub. For each active session it:
- Launches stdio processes with the configured command, args, and environment variables
- Connects to remote SSE or HTTP MCP servers
- Decrypts and injects per-Hub credentials at runtime
- Handles upstream OAuth token refresh transparently
Free and Starter plans share a single pool of proxy instances. Pro plans will run on dedicated proxy instances (coming soon).
Request flow
MCP Client
│ POST /mcp (Bearer <api-key>)
▼
MCP Router
│ validate key → look up Hub → sticky-session routing
▼
MCP Proxy
│ decrypt credentials → launch / connect MCP servers
▼
MCP Server processes (stdio / SSE / HTTP)
Security
| Layer | Mechanism |
|---|---|
| Transport | HTTPS for all external connections |
| Authentication | Bearer API key validated at the Router |
| Credential storage | AES-256-GCM encryption per Hub |
Execution boundary
Because stdio-based MCP server processes run inside Bloque's MCP Proxy rather than on your local machine, they cannot access your local filesystem directly. See Execution Boundary for details and the /shared filesystem workaround.