fix(auth): add Accept: application/json header to OAuth token requests

Soham Dahivalkar · Soham Dahivalkar · commit 8c1f757f06b2 · 2026-06-01T23:16:46.000+05:30
Token exchange and refresh requests only set Content-Type but omit the Accept header. Some OAuth providers (e.g. GitHub) return form-encoded data by default and require Accept: application/json to return JSON. Since _handle_token_response parses the body as JSON, omitting the Accept header causes parse failures with these providers. Add Accept: application/json to both _exchange_token_authorization_code and _build_refresh_token_request. Fixes #1523
diff --git a/src/mcp/client/auth/oauth2.py b/src/mcp/client/auth/oauth2.py
@@ -402,7 +402,10 @@ async def _exchange_token_authorization_code(
             token_data["resource"] = self.context.get_resource_url()  # RFC 8707
 
         # Prepare authentication based on preferred method
-        headers = {"Content-Type": "application/x-www-form-urlencoded"}
+        headers = {
+            "Content-Type": "application/x-www-form-urlencoded",
+            "Accept": "application/json",
+        }
         token_data, headers = self.context.prepare_token_auth(token_data, headers)
 
         return httpx.Request("POST", token_url, data=token_data, headers=headers)
@@ -447,7 +450,10 @@ async def _refresh_token(self) -> httpx.Request:
             refresh_data["resource"] = self.context.get_resource_url()  # RFC 8707
 
         # Prepare authentication based on preferred method
-        headers = {"Content-Type": "application/x-www-form-urlencoded"}
+        headers = {
+            "Content-Type": "application/x-www-form-urlencoded",
+            "Accept": "application/json",
+        }
         refresh_data, headers = self.context.prepare_token_auth(refresh_data, headers)
 
         return httpx.Request("POST", token_url, data=refresh_data, headers=headers)
