How GenomOncology uses Stytch to secure open biomedical APIs for LLMs


BioMCP connects LLMs to biomedical data through structured APIs, giving natural-language access to sources like PubMed and ClinicalTrials.gov.

Stytch powers secure, serverless OAuth within Cloudflare Workers, eliminating the need for custom auth infrastructure.

GenomOncology was fully integrated with production-ready auth in under a day.

GenomOncology, a leading precision medicine company specializing in tertiary genomic analysis & reporting, clinical trial matching, and data enablement, has used its expertise in translating complex genomic data into clinical insights to develop BioMCP—an open-source implementation of the Model Context Protocol (MCP). BioMCP enables AI agents to access and interpret complex biomedical data, connecting conversational AI with scientific literature, clinical trials, and genomic information. This empowers researchers and clinicians to engage with specialized biomedical knowledge through natural language.

From raw sequences to runnable APIs

BioMCP is an open-source server that bridges large language models with trusted biomedical sources via the standardized Model Context Protocol. Instead of relying on scraping or document ingestion, it provides structured, API-based access to databases like ClinicalTrials.gov, PubMed, PubTator3, and MyVariant. For instance, an AI can ask, “What phase III trials are targeting KRAS G12C in lung cancer?” and receive a precise, data-grounded answer.

BioMCP was initially designed to be composable, fast, and developer-friendly, performing effectively in controlled environments. However, its transition to a public release introduced new security requirements, prompting the GenomOncology team to implement a robust solution.

Cracking the serverless auth challenge

Running on a Cloudflare Worker, the system offers low latency and worldwide reach, but it leaves no traditional server to house authentication logic. Without a Node or Python backend to store tokens or manage sessions, any sign-in or token issuance has to be added separately.

GenomOncology chose OAuth, both because it’s the industry standard and because LLM-friendly tools such as Claude Desktop and MCP Inspector already expect it. For a smooth connection, users need to:

  1. Open the OAuth sign-in link
  2. Log in and grant access
  3. Receive a bearer token
  4. Use that token to call BioMCP

Straightforward in theory, yet trickier to implement when the entire application is serverless.

Why they chose Stytch

Initially they considered building the infrastructure themselves but quickly realized that this required significant engineering resources to research, build, and maintain the complex logic on their own. So they began evaluating auth vendors that supported their agentic use case.

What stood out about Stytch was the developer experience. The team was looking for a solution that offered the capabilities of an OAuth-compliant identity platform, without the overhead of managing provisioning, user stores, or getting locked into a vendor.

Here’s what sealed it:

  • Self-service client registration: new apps register themselves instantly; no manual approvals or admin dashboards.
  • Ready-made discovery docs: standards-compliant OpenID endpoints are available from day one; nothing to hand-roll.
  • Serverless-first SDKs: Stytch hooks straight into the Cloudflare Worker that fronts BioMCP.
  • Reliable tokens: signed JWTs carry the correct scopes and just work, with no key juggling.

The entire integration took less than a day, tutorial and all.

Using Stytch for this remote BioMCP implementation was a breeze - it really streamlined the OAuth integration with Google.

Justin Yeakley, CISO, GenomOncology

Inside the BioMCP × Stytch architecture

The current setup looks like this:

  • Cloudflare Worker as gateway: Sits in front of BioMCP, routing every call and enforcing OAuth.
  • Stytch for auth: Handles sign-in and consent, then issues JWTs the Worker accepts as bearer tokens.
  • Self-service clients: Any tool, whether Claude Desktop, a Python CLI, or a hospital chatbot, can register its own client ID and redirect URI on the fly.
  • State in Cloudflare KV: Tokens and session data live in the Worker’s built-in key-value store, keeping the stack lean.
  • Security baked in: The public tutorial covers secret rotation, short-lived tokens, and tight scopes.

The entire flow is running in production and fully open-sourced, curl commands and all.

Why this matters

Integrating Stytch into BioMCP goes far beyond trimming YAML or skipping a dashboard. It lets GenomOncology offer secure, reliable access to data that could influence patient care and regulatory filings, where authentication cannot be an afterthought.

Stytch delivers three key benefits

  1. Security that can grow: Start with lightweight OAuth today, scale up to enterprise or HIPAA-ready auth tomorrow.
  2. Zero custom auth code: A config file and API keys replace an entire backend, so the team can stay focused on BioMCP’s core features.
  3. Built-in trust: The full, open-source flow shows exactly how tokens are issued and verified, giving other bio-AI teams a blueprint they can adopt with confidence.

Key takeaways for bio-AI builders

BioMCP is a compact project with outsized reach. It shows that open data, concise APIs, and lean serverless auth can strip away much of the usual friction in biomedical workflows.

Stytch’s role is utilitarian: it supplies the OAuth backbone that slots into the Cloudflare Worker setup, eliminating the need for extra servers or hand-rolled token logic.

For engineers securing an LLM-facing tool or wrapping a sensitive dataset, the takeaway is simple: start with solid, transparent auth, keep the stack lean, and let the rest of the application do the heavy lifting. The BioMCP codebase is open—feel free to borrow what helps and build from there.

Stytch let us ship a fully secured OAuth flow in under a day—taking BioMCP from proof-of-concept to production almost overnight.

Justin Yeakley, CISO, GenomOncology