sigbit · hrntknr · Apr 3, 2026 · Apr 3, 2026
diff --git a/pkg/mcp-proxy/main.go b/pkg/mcp-proxy/main.go
@@ -298,6 +298,10 @@ func Run(
 	router := gin.New()
 	router.SetTrustedProxies(trustedProxy)
 
+	router.GET("/healthz", func(c *gin.Context) {
+		c.JSON(http.StatusOK, gin.H{"status": "ok"})
+	})
+
 	router.Use(ginzap.Ginzap(logger, time.RFC3339, true))
 	router.Use(ginzap.RecoveryWithZap(logger, true))
 	store := cookie.NewStore(secret)

diff --git a/pkg/mcp-proxy/main_test.go b/pkg/mcp-proxy/main_test.go
@@ -2,10 +2,13 @@ package mcpproxy
 
 import (
 	"crypto/rsa"
+	"encoding/json"
 	"errors"
 	"net/http"
+	"net/http/httptest"
 	"testing"
 
+	"github.com/gin-gonic/gin"
 	"github.com/sigbit/mcp-auth-proxy/pkg/proxy"
 	"github.com/stretchr/testify/require"
 )
@@ -67,3 +70,29 @@ func TestRun_PassesHTTPStreamingOnlyToProxyRouter(t *testing.T) {
 	require.Contains(t, err.Error(), "failed to create proxy router")
 	require.True(t, streamingOnlyReceived, "httpStreamingOnly should be forwarded to proxy router")
 }
+
+func TestHealthzEndpoint(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+	router := gin.New()
+
+	// Register healthz before auth middleware, same as in Run()
+	router.GET("/healthz", func(c *gin.Context) {
+		c.JSON(http.StatusOK, gin.H{"status": "ok"})
+	})
+
+	// Add a catch-all that returns 401 to simulate auth middleware
+	router.Use(func(c *gin.Context) {
+		c.AbortWithStatus(http.StatusUnauthorized)
+	})
+
+	w := httptest.NewRecorder()
+	req, _ := http.NewRequest("GET", "/healthz", nil)
+	router.ServeHTTP(w, req)
+
+	require.Equal(t, http.StatusOK, w.Code)
+
+	var body map[string]string
+	err := json.Unmarshal(w.Body.Bytes(), &body)
+	require.NoError(t, err)
+	require.Equal(t, "ok", body["status"])
+}