feat(oauth): spec-compliant MCP OAuth on mcp.firecrawl.dev #238
Merged
…h credential handling in the FastMCP server. Introduced new functions for OAuth issuer and resource URL management, and improved error handling for token introspection. Updated type definitions to support new OAuth options.
… definitions and modified API key handling to improve clarity and consistency. Changed header authorization method for token introspection requests.
…esource URL handling in index.ts. Improved error handling and added comments for clarity in the getOAuthProtectedResourceMetadataUrl function.
…ied functions for clarity, ensuring the OAuth protected resource metadata URL is derived directly from the MCP resource URL. Improved comments for better understanding of the changes.
Summary
Wires up the 2025-06-18 MCP Authorization spec and RFC 9728 end to end on the cloud MCP server. Unauthenticated requests to https://mcp.firecrawl.dev/v2/mcp now return 401 with WWW-Authenticate: Bearer resource_metadata="..." pointing at the MCP server's own PRM, the PRM correctly identifies mcp.firecrawl.dev/v2/mcp as the protected resource, advertises the AS at www.firecrawl.dev, and lists the scope the AS actually accepts.
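A client-side consistency check for the discovery flow the summary describes, as an added example that is not code from this PR. The function names, the metadata URL path, the scope value and the sample PRM are constructed assumptions; only the two hostnames and the `/v2/mcp` path come from the page.

```javascript
// Added example; not code from the PR. Sample values are constructed.
const WELL_KNOWN = "/.well-known/oauth-protected-resource";

// Pull resource_metadata out of a "WWW-Authenticate: Bearer ..." challenge.
function parseResourceMetadata(header) {
  const bearer = /^\s*Bearer\s+(.*)$/i.exec(header || "");
  if (!bearer) return null;
  const param = /(?:^|[\s,])resource_metadata\s*=\s*"([^"]*)"/i.exec(bearer[1]);
  return param ? param[1] : null;
}

// Return a list of problems; an empty list means the discovery data is consistent.
function checkDiscovery(requestedUrl, status, header, prm) {
  const problems = [];
  if (status !== 401) problems.push("expected 401 for an unauthenticated request");
  const metaUrl = parseResourceMetadata(header);
  if (!metaUrl) return problems.concat("no resource_metadata in Bearer challenge");
  const meta = new URL(metaUrl);
  const req = new URL(requestedUrl);
  if (meta.protocol !== "https:") problems.push("metadata URL is not https");
  // RFC 9728 section 3: the well-known segment sits between host and resource path.
  const path = WELL_KNOWN + (req.pathname === "/" ? "" : req.pathname);
  if (meta.origin !== req.origin || meta.pathname !== path)
    problems.push("metadata URL is not derived from the requested resource");
  // RFC 9728 section 3: "resource" must be identical to the identifier the client used.
  if (prm.resource !== requestedUrl)
    problems.push("PRM resource does not match the requested resource");
  const servers = Array.isArray(prm.authorization_servers) ? prm.authorization_servers : [];
  if (servers.length === 0) problems.push("PRM lists no authorization server");
  if (servers.some((s) => !String(s).startsWith("https://")))
    problems.push("authorization server issuer is not https");
  // scopes_supported is optional in RFC 9728; checked because the summary says it is listed.
  if (!Array.isArray(prm.scopes_supported) || prm.scopes_supported.length === 0)
    problems.push("PRM lists no scopes");
  return problems;
}

// Constructed sample shaped like the behaviour in the summary.
const RESOURCE = "https://mcp.firecrawl.dev/v2/mcp";
const CHALLENGE = 'Bearer resource_metadata="https://mcp.firecrawl.dev' + WELL_KNOWN + '/v2/mcp"';
const GOOD_PRM = {
  resource: RESOURCE,
  authorization_servers: ["https://www.firecrawl.dev"],
  scopes_supported: ["placeholder-scope"], // the page does not name the scope
};
// A PRM that names the AS, not the MCP endpoint, as the protected resource.
const BAD_PRM = { ...GOOD_PRM, resource: "https://www.firecrawl.dev" };

console.log(checkDiscovery(RESOURCE, 401, CHALLENGE, GOOD_PRM));
console.log(checkDiscovery(RESOURCE, 401, CHALLENGE, BAD_PRM));
```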