Skip to content

Commit be64abb

Browse files
kennyj42kennyj42
authored
Update MCP server OAuth registration details
Clarified the limitations of MCP servers regarding OAuth dynamic client registration and provided details on using shared bearer tokens.
1 parent fac99bc commit be64abb

1 file changed

Lines changed: 1 addition & 1 deletion

File tree

src/content/docs/cloudflare-one/access-controls/ai-controls/mcp-portals.mdx

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -443,7 +443,7 @@ MCP server portals have the following known limitations:
443443

444444
- **Some MCP servers block proxy-based clients.** Certain MCP servers reject requests from proxy-based clients like MCP server portals, returning a `403` error on the registration endpoint. These servers are not compatible with MCP server portals until those providers add Cloudflare as a supported MCP client.
445445

446-
- **Not all MCP servers support OAuth dynamic client registration.** MCP servers that do not support OAuth dynamic client registration cannot use the portal's OAuth authentication flow. For these servers, select **Custom Headers** as the authentication method and provide static credentials (for example, API keys or personal access tokens) instead.
446+
- **Not all MCP servers support OAuth dynamic client registration.** MCP servers that do not support OAuth dynamic client registration cannot use the portal's OAuth authentication flow. For these servers, you may upload a shared bearer token via the [api](https://developers.cloudflare.com/api/resources/zero_trust/subresources/access/subresources/ai_controls/subresources/mcp/subresources/servers/methods/create#(resource)%20zero_trust.access.ai_controls.mcp.servers%20%3E%20(method)%20create%20%3E%20(params)%200%20%3E%20(param)%20auth_type%20%3E%20(schema)). Static OAuth or per user bearer tokens are not yet supported.
447447

448448
- **Admin OAuth tokens can expire silently.** The admin credential used to [authenticate an MCP server](#reauthenticate-the-mcp-server) is subject to the upstream provider's token expiration policy. When the token expires, the server status changes to **Error** and the server will not appear in the portal for end users. Admins are not notified when this happens. Periodically check the [server status](#server-status) and [reauthenticate](#reauthenticate-the-mcp-server) servers that show an error.
449449

0 commit comments

Comments
 (0)