Skip to content

Comments

fix: make callbackHost optional in addMcpServer for non-OAuth servers#963

Merged
threepointone merged 1 commit intomainfrom
fix-mandatory-callbackhost
Feb 21, 2026
Merged

fix: make callbackHost optional in addMcpServer for non-OAuth servers#963
threepointone merged 1 commit intomainfrom
fix-mandatory-callbackhost

Conversation

@threepointone
Copy link
Contributor

@threepointone threepointone commented Feb 21, 2026

addMcpServer() previously required a callbackHost (either explicitly or derived from the request context) and eagerly created an OAuth auth provider for every connection, even when the MCP server does not use OAuth. This made simple non-OAuth connections unnecessarily difficult — especially from @callable methods where the request context origin is unreliable (it's the WebSocket upgrade request, not the client's origin).

This PR defers OAuth setup to when it's actually needed:

  • callbackHost, callbackUrl, and authProvider are only constructed when a callbackHost is available
  • If the MCP server responds with AUTHENTICATING (401) but no callbackUrl was configured, a clear error is thrown: "This MCP server requires OAuth authentication. Provide callbackHost in addMcpServer options to enable the OAuth flow."
  • The restore-from-storage flow skips authProvider creation for servers with no stored callback_url
  • callbackPath enforcement for sendIdentityOnConnect: false is only applied when a callbackHost is present (no callback URL to protect otherwise)

Before

// Always required callbackHost, even for non-OAuth servers
await this.addMcpServer("my-server", url, {
  callbackHost: "https://my-app.workers.dev"
});

After

// Non-OAuth servers: just name and URL
await this.addMcpServer("my-server", url);

// OAuth servers: provide callbackHost
await this.addMcpServer("oauth-server", url, {
  callbackHost: "https://my-app.workers.dev"
});

@threepointone
Make callbackHost optional for MCP servers
dc6de1d 
Allow addMcpServer to omit callbackHost for MCP servers that do not use OAuth. The agent no longer derives a callback URL or eagerly creates an OAuth auth provider unless a callbackHost is provided or the server actually requires OAuth; if the server returns AUTHENTICATING without a callbackHost a clear error is thrown. Updated enforcement so callbackPath is only required when sendIdentityOnConnect is false and a callbackHost is present. MCP client manager now accepts an optional callback_url and skips creating auth providers when none is stored. Added tests covering no-options usage and the relaxed enforcement behavior and added a changeset entry.
@changeset-bot
Copy link

changeset-bot bot commented Feb 21, 2026

🦋 Changeset detected

Latest commit: dc6de1d

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
agents Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@pkg-pr-new
Copy link

pkg-pr-new bot commented Feb 21, 2026

Open in StackBlitz

npm i https://pkg.pr.new/cloudflare/agents@963

npm i https://pkg.pr.new/cloudflare/agents/@cloudflare/ai-chat@963

npm i https://pkg.pr.new/cloudflare/agents/@cloudflare/codemode@963

npm i https://pkg.pr.new/cloudflare/agents/hono-agents@963

commit: dc6de1d

@threepointone threepointone merged commit b848008 into main Feb 21, 2026
4 checks passed
@threepointone threepointone deleted the fix-mandatory-callbackhost branch February 21, 2026 13:52
@github-actions github-actions bot mentioned this pull request Feb 21, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@threepointone