From fa780fa85be93718f16a5f710a64bfb2ce7ec89b Mon Sep 17 00:00:00 2001
From: lanxevo3
Date: Thu, 26 Mar 2026 16:55:19 -0500
Subject: [PATCH 1/2] fix(auth): enforce form-urlencoded Content-Type for token endpoint
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
OAuth 2.1 §3.2 requires token endpoint requests to use application/x-www-form-urlencoded regardless of grant type. Add an explicit header.set() call immediately before the fetch in executeTokenRequest() to prevent any addClientAuthentication implementation from accidentally overriding the Content-Type.
Fixes modelcontextprotocol/inspector#1160
---
 packages/client/src/client/auth.ts | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/packages/client/src/client/auth.ts b/packages/client/src/client/auth.ts
index 1a021be18..0391e35e9 100644
--- a/packages/client/src/client/auth.ts
+++ b/packages/client/src/client/auth.ts
@@ -1439,6 +1439,10 @@ export async function executeTokenRequest(
 applyClientAuthentication(authMethod, clientInformation as OAuthClientInformation, headers, tokenRequestParams);
 }
+ // Ensure Content-Type is always form-urlencoded for the token endpoint (OAuth 2.1 §3.2).
+ // Some addClientAuthentication implementations may have inadvertently set a different value.
+ headers.set('Content-Type', 'application/x-www-form-urlencoded');
+
 const response = await (fetchFn ?? fetch)(tokenUrl, {
 method: 'POST',
 headers,
From 57d0f8e2a19801af7af2e1a13f07053395581663 Mon Sep 17 00:00:00 2001
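Review bot: Nothing in this patch pins the new `headers.set('Content-Type', 'application/x-www-form-urlencoded')` with a test: the diffstat touches only auth.ts, so a later refactor that moves the call back above the client-authentication step would reintroduce the bug unnoticed. A regression test that supplies an `addClientAuthentication` which sets `Content-Type: application/json` and asserts that the request handed to `fetchFn` still carries the form-urlencoded value would cover it. The override is only correct while the body sent with this request is the URL-encoded `tokenRequestParams`; the `body:` line of the fetch call is outside the hunk, so that should be confirmed. I would also extend the comment with `// Must stay after client authentication: that step receives this Headers object and can overwrite the value.`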
From: lanxevo3
Date: Sat, 28 Mar 2026 11:21:11 -0500
Subject: [PATCH 2/2] fix(client): preserve user-supplied Accept header instead of overwriting unconditionally
Custom Accept headers set in MCP server configuration (e.g. 'application/vnd.example.v1+json') were unconditionally overwritten with 'application/json, text/event-stream', breaking APIs that require specific Accept values. Now only sets the default Accept header when no Accept header has already been supplied by the caller. The SSE GET channel Accept header is unaffected since it must always be 'text/event-stream'. Fixes #1646.
---
 packages/client/src/client/streamableHttp.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/packages/client/src/client/streamableHttp.ts b/packages/client/src/client/streamableHttp.ts
index 3d45b60e9..ccf575ed3 100644
--- a/packages/client/src/client/streamableHttp.ts
+++ b/packages/client/src/client/streamableHttp.ts
@@ -491,7 +491,9 @@ export class StreamableHTTPClientTransport implements Transport {
 const headers = await this._commonHeaders();
 headers.set('content-type', 'application/json');
- headers.set('accept', 'application/json, text/event-stream');
+ if (!headers.has('accept')) {
+ headers.set('accept', 'application/json, text/event-stream');
+ }
 const init = {
 ...this._requestInit,
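Review bot: Skipping the default whenever `headers.has('accept')` is true lets a caller-supplied value remove `application/json` and `text/event-stream` from the POST entirely. The Streamable HTTP transport expects the client to list both, and this client presumably still has to parse one of those two response types (the response handling is outside the hunk). `has()` is also true for an empty `Accept` value, so a blank configured header would be sent as-is. Keeping the caller's media types and appending whichever required ones are missing preserves the custom value without un-advertising what the transport can read. The enclosing method starts and ends outside the hunk.

```typescript
// … unchanged: _commonHeaders() call and content-type …
const suppliedAccept = (headers.get('accept') ?? '')
    .split(',')
    .map(entry => entry.trim())
    .filter(entry => entry.length > 0);
// Compare on the bare media type, ignoring parameters such as ;q=0.8.
const offered = new Set(suppliedAccept.map(entry => entry.replace(/;.*$/, '').trim().toLowerCase()));
const missing = ['application/json', 'text/event-stream'].filter(type => !offered.has(type));
headers.set('accept', [...suppliedAccept, ...missing].join(', '));
```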