Skip to content

feat(client): add initial access token support for Dynamic Client Registration#1874

Open
JosephDoUrden wants to merge 1 commit intomodelcontextprotocol:mainfrom
JosephDoUrden:feat/dcr-initial-access-token
Open

feat(client): add initial access token support for Dynamic Client Registration#1874
JosephDoUrden wants to merge 1 commit intomodelcontextprotocol:mainfrom
JosephDoUrden:feat/dcr-initial-access-token

Conversation

@JosephDoUrden
Copy link
Copy Markdown
Contributor

@JosephDoUrden JosephDoUrden commented Apr 10, 2026

Summary

Add support for OAuth 2.0 Dynamic Client Registration initial access tokens (RFC 7591 Section 3), enabling enterprise deployments that require pre-authorisation for client registration.

  • Add optional dcrRegistrationAccessToken() method to OAuthClientProvider interface
  • When implemented and returning a token, registerClient() includes an Authorization: Bearer <token> header in the DCR request
  • When not implemented or returning undefined, open registration continues as before (fully backward compatible)

Closes #772

Design decisions

Following maintainer feedback from the previous attempt (#773):

  • No environment variable fallback in the SDK — DCR tokens are per-authorisation-server, so a single env var breaks when connecting to multiple servers. Users who want env var support implement it in their OAuthClientProvider.
  • No transport-level parameters — token resolution is contained in auth.ts only.
  • Provider-based resolution — the OAuthClientProvider is the right place to resolve per-server tokens, consistent with how other credentials are handled.

Changes

  • packages/client/src/client/auth.ts:
    • Added dcrRegistrationAccessToken?() to OAuthClientProvider interface
    • Added optional initialAccessToken parameter to registerClient()
    • Updated the auth() flow to call the provider method and pass the token to registerClient()
  • packages/client/test/client/auth.test.ts:
    • Added tests for Authorization header inclusion when token is provided
    • Added test confirming no Authorization header when token is absent

Test plan

  • All 352 existing tests pass (pnpm --filter @modelcontextprotocol/client test)
  • Build passes (pnpm build:all)
  • Typecheck passes (pnpm typecheck:all)
  • Lint passes (pnpm lint:all)
  • Lefthook pre-push hooks pass (Build + Typecheck + Lint)

AI Disclosure

AI assistance (Claude) was used for issue research, reviewing the previous PR feedback, and code exploration. The implementation was written and reviewed by the author.

@JosephDoUrden
feat(client): add initial access token support for Dynamic Client Reg…
4795c6a 
…istration

Add optional `dcrRegistrationAccessToken()` method to `OAuthClientProvider`
interface, enabling OAuth 2.0 Dynamic Client Registration with initial
access tokens per RFC 7591 Section 3.

When the authorization server requires pre-authorisation for client
registration, providers can implement this method to supply a Bearer
token that is included in the DCR request. When not implemented, open
registration continues as before (fully backward compatible).

The token resolution is kept in the provider (not the SDK) as it is
per-authorisation-server, following maintainer guidance from modelcontextprotocol#773.

Closes modelcontextprotocol#772
@JosephDoUrden JosephDoUrden requested a review from a team as a code owner April 10, 2026 09:16
@changeset-bot
Copy link
Copy Markdown

changeset-bot bot commented Apr 10, 2026

⚠️ No Changeset found

Latest commit: 4795c6a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@pkg-pr-new
Copy link
Copy Markdown

pkg-pr-new bot commented Apr 10, 2026

Open in StackBlitz

@modelcontextprotocol/client

npm i https://pkg.pr.new/@modelcontextprotocol/client@1874

@modelcontextprotocol/server

npm i https://pkg.pr.new/@modelcontextprotocol/server@1874

@modelcontextprotocol/express

npm i https://pkg.pr.new/@modelcontextprotocol/express@1874

@modelcontextprotocol/fastify

npm i https://pkg.pr.new/@modelcontextprotocol/fastify@1874

@modelcontextprotocol/hono

npm i https://pkg.pr.new/@modelcontextprotocol/hono@1874

@modelcontextprotocol/node

npm i https://pkg.pr.new/@modelcontextprotocol/node@1874

commit: 4795c6a

@felixweinberger felixweinberger added the auth Issues and PRs related to Authentication / OAuth label Apr 13, 2026
@pcarleton
Copy link
Copy Markdown
Member

pcarleton commented Apr 14, 2026
edited
Loading

hi @JosephDoUrden do you need this feature yourself? Could you describe the setup more clearly?

The approach overall looks good, I just don't want to add it unless it's going to be used.

We've since introduced CIMD support which is often a better fit than DCR altogether.

pcarleton
pcarleton requested changes Apr 14, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@pcarleton pcarleton left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(see comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pcarleton pcarleton pcarleton requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

auth Issues and PRs related to Authentication / OAuth

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add Initial Access Token Support for Dynamic Client Registration

3 participants

@JosephDoUrden @pcarleton @felixweinberger