feat(mcp): OAuth 2.1 + PKCE for outbound MCP servers

[waleedlatif1]

Summary

• Adds spec-compliant OAuth 2.1 + PKCE support for outbound MCP servers via the SDK's OAuthClientProvider
• Auto-detects OAuth requirement on server create via unauthenticated probe (WWW-Authenticate / oauth-protected-resource)
• Persists per-user-per-server tokens (encrypted) in new mcp_server_oauth table; SDK refreshes automatically before expiry
• Popup-based consent flow (/api/mcp/oauth/start → /api/mcp/oauth/callback) with state CSRF protection
• Pre-registered OAuth client support (Client ID + Secret in Advanced settings) for servers without RFC 7591 DCR
• Surfaces reauth_required from tool execution when refresh token is invalid so the UI can prompt to reconnect

Type of Change

• New feature

Testing

Tested manually against OAuth-protected MCP servers (Linear). Existing header-auth servers regression-checked.

Checklist

• Code follows project style guidelines
• Self-reviewed my changes
• Tests added/updated and passing
• No new warnings introduced
• I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs	Skipped		May 6, 2026 3:29am

[cursor]

PR Summary

High Risk
Introduces new OAuth token storage and auth flows (including popup + callback) and changes MCP client connection logic; mistakes could impact authentication security, token isolation, or connectivity across users/servers.

Overview
Adds OAuth 2.1 + PKCE support for outbound MCP servers, including new /api/mcp/oauth/start and /api/mcp/oauth/callback endpoints that drive the SDK auth flow, persist state/verifiers, and refresh discovered tools after authorization.

Extends MCP server CRUD to support authType plus optional pre-registered OAuth client credentials (stored encrypted), auto-detects OAuth need via a probe on create, and clears per-user OAuth records when URL/credentials change; server responses now include hasOauthClientSecret instead of returning secrets.

Updates MCP execution and connectivity to treat OAuth reauth as a first-class state: McpClient/McpService attach an authProvider per user, the connection manager scopes persistent connections by serverId:userId, and tool execution returns a 401 reauth_required payload when OAuth authorization is needed. UI adds an advanced section for OAuth credentials and a Connect with OAuth flow using a new useMcpOauthPopup hook, plus query-key/mutation refactors to keep server/tool lists in sync.

^{Reviewed by Cursor Bugbot for commit ddae8eb. Configure here.}

[greptile-apps]

Greptile Summary

This PR adds OAuth 2.1 + PKCE support for outbound MCP servers, including a popup-based consent flow, per-user encrypted token storage in a new mcp_server_oauth table, automatic OAuth type detection via an unauthenticated probe, and pre-registered client credential support for servers without RFC 7591 DCR.

• New mcp_server_oauth table holds per-(server, user) OAuth artifacts (client info, tokens, PKCE verifier, state hash); all sensitive fields are encrypted at rest using the existing encryptSecret/decryptSecret helpers.
• Connection manager now keys OAuth connections per-user (preventing cross-user token leakage), while header/no-auth connections share a single keyed slot as before.
• reauth_required response code is surfaced from tool execution when the refresh token is invalid, and UnauthorizedError is handled in both batch discovery and per-server summary paths so expired-token servers show disconnected (not error) in the settings UI.

Confidence Score: 5/5

Safe to merge; the OAuth flow, token storage, and credential-change cleanup are all correctly implemented and well-isolated from existing header-auth paths.

State is stored as a SHA-256 hash (never plaintext), tokens and the PKCE code verifier are encrypted at rest, state is burned before the token exchange to prevent replay, and the authorization URL is validated for https-only before window.open. The connection manager correctly scopes OAuth connections per-user to prevent cross-user token leakage. Both PATCH and POST upsert paths clear stale OAuth tokens when credentials or URLs change.

mcp-server-form-modal.tsx — the hasOauthClientSecret flag is tracked in state but not surfaced as a UI indicator on the password input, which could confuse users editing a server that already has a stored secret.

Important Files Changed

Filename	Overview
apps/sim/lib/mcp/oauth/storage.ts	New file: DB persistence for OAuth artifacts; tokens, client info, and code verifier are all encrypted; state stored as SHA-256 hash; race-safe upsert for row creation.
apps/sim/lib/mcp/oauth/provider.ts	New file: implements OAuthClientProvider for the MCP SDK, routing state/verifier/token persistence to storage.ts; pre-registered client bypass correctly skips DCR save.
apps/sim/app/api/mcp/oauth/callback/route.ts	New file: OAuth callback handler; state burned before token exchange; server ID sanitized with JSON.stringify + Unicode escaping in inline script; user identity verified against row.
apps/sim/app/api/mcp/oauth/start/route.ts	New file: initiates OAuth flow via McpOauthRedirectRequired; authType guard prevents non-OAuth servers from being authorized; workspace membership enforced by withMcpAuth middleware.
apps/sim/lib/mcp/oauth/probe.ts	New file: unauthenticated probe classifies server auth type; 401 without OAuth WWW-Authenticate params falls back to 'headers'; non-401/non-ok responses also default to 'headers'.
apps/sim/app/api/mcp/servers/route.ts	POST upsert now preserves OAuth credentials when not re-supplied; token cleanup runs when URL or credentials change; authType preserved on URL-unchanged edits to prevent transient probe downgrade.
apps/sim/app/api/mcp/servers/[id]/route.ts	PATCH wraps update + token cleanup in a transaction; secret only written when explicitly present; auto-promotes to OAuth when client ID is added to a non-OAuth server.
apps/sim/lib/mcp/service.ts	createClient now builds per-user OAuthClientProvider for OAuth servers; McpOauthAuthorizationRequiredError and UnauthorizedError both set connectionStatus to 'disconnected' rather than incrementing failedCount.
apps/sim/lib/mcp/connection-manager.ts	Connection key is now user-scoped for OAuth to prevent cross-user token leakage; disconnect refactored to disconnectByKey (private) + disconnectServer (public, all users for that server).
apps/sim/hooks/queries/mcp.ts	useStartMcpOauth added; authorizationUrl validated for https-only (plus localhost http) before window.open; mcpKeys restructured with hierarchical factory functions for better invalidation granularity.
apps/sim/app/workspace/[workspaceId]/settings/components/mcp/components/mcp-server-form-modal/mcp-server-form-modal.tsx	Advanced settings panel added for pre-registered credentials; secretTouched flag prevents unintentional secret wipes in edit mode; looksLikeAuthRequired heuristic bypasses test failure for OAuth servers.
packages/db/schema.ts	New mcp_server_oauth table with ON DELETE CASCADE references; unique index on (mcpServerId, userId); state indexed for fast callback lookup. authType, oauthClientId, oauthClientSecret added to mcpServers.

Sequence Diagram

sequenceDiagram
    participant UI as Browser (MCP Settings)
    participant Start as /api/mcp/oauth/start
    participant CB as /api/mcp/oauth/callback
    participant AS as Authorization Server
    participant DB as mcp_server_oauth

    UI->>Start: GET ?serverId&workspaceId
    Start->>DB: getOrCreateOauthRow()
    Start->>Start: SimMcpOauthProvider.state() save hash(state) to DB
    Start->>AS: discover metadata (via SDK mcpAuth)
    AS-->>Start: McpOauthRedirectRequired(authorizationUrl)
    Start-->>UI: status redirect authorizationUrl

    UI->>UI: validate https scheme
    UI->>AS: window.open(authorizationUrl) user consent

    AS->>CB: GET /api/mcp/oauth/callback?code=&state=
    CB->>DB: loadOauthRowByState(hash(state))
    CB->>DB: clearState() burn before exchange
    CB->>AS: mcpAuth(provider, authorizationCode)
    Note over CB,AS: PKCE token exchange using codeVerifier()
    AS-->>CB: access_token + refresh_token
    CB->>DB: saveTokens(encrypted)
    CB->>DB: clearVerifier()
    CB-->>UI: postMessage type mcp-oauth ok true serverId

    UI->>UI: invalidate server/tool queries show Connected

Loading

_{Reviews (23): Last reviewed commit: "fix(mcp): use canonical serverId from co..." | Re-trigger Greptile}

[waleedlatif1]

Greptile summary findings addressed in f587e82:

• Edit modal drops existing OAuth Client ID: editInitialData now includes oauthClientId; the API already returns it (only the secret is masked) so the field populates and Advanced auto-expands.
• Shared OAuth mutation disables all buttons: per-server pending tracked in a local Set<string>; the spinner is scoped to the card whose flow is in progress.
• Plaintext PKCE codeVerifier: now encrypted at rest via encryptSecret to match tokens/clientInformation.

The point about clearing a pre-registered Client ID by emptying the field is a follow-up — oauthClientId || undefined collapses an intentional clear into a no-op. Will tackle when adding TTL cleanup for abandoned OAuth sessions.

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[waleedlatif1]

@cursor review

[waleedlatif1]

@greptile

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[waleedlatif1]

@cursor review

[waleedlatif1]

@greptile

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit ddae8eb. Configure here.}

[cursor]

Unstable mutation object defeats useCallback memoization

Low Severity

The useCallback dependency array includes startOauthMutation (the entire mutation result object), which is NOT referentially stable in TanStack Query v5 — it gets a new reference on every render. Only .mutate and .mutateAsync are stable. This makes the useCallback wrapper completely ineffective, recreating startOauthForServer every render. The dependency should be startOauthMutation.mutateAsync instead. The PR author explicitly acknowledged .mutate stability in comments elsewhere, making this an inconsistency.

 

^{Reviewed by Cursor Bugbot for commit ddae8eb. Configure here.}

[cursor]

POST upsert forces OAuth servers to disconnected despite valid tokens

Low Severity

When an existing OAuth server is updated via the POST upsert path (same URL, matching generated ID), connectionStatus is unconditionally set to 'disconnected' and lastConnected to null if resolvedAuthType === 'oauth', regardless of whether the OAuth row (and its tokens) was actually cleared. When shouldClearOauth is false (no URL or credential change), the user's valid tokens are preserved but the server appears disconnected, prompting an unnecessary re-auth.

 

^{Reviewed by Cursor Bugbot for commit ddae8eb. Configure here.}