The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
docs	Ready	Preview, Comment	May 17, 2026 5:24pm

PR Summary

High Risk
High risk because it adds a new OAuth token/secret storage model, new callback/start endpoints, and changes server CRUD/tool execution flows in security-sensitive authentication paths.

Overview
Adds outbound MCP OAuth 2.1 + PKCE support end-to-end: new /api/mcp/oauth/start + /api/mcp/oauth/callback routes drive a popup consent flow and refresh tools post-auth, with URL safety checks and state/verifier cleanup.

Introduces persisted workspace-scoped OAuth state via new mcp_server_oauth table (encrypted tokens/client info/verifier + hashed state/TTL) and extends mcp_servers with authType, optional preregistered client credentials, and hasOauthClientSecret; server create/update/delete now encrypt secrets, revoke/clear OAuth artifacts on URL/credential changes, and can auto-detect OAuth need via an unauthenticated probe.

Plumbs OAuth through runtime behavior: McpClient/McpService/McpConnectionManager accept an SDK authProvider, serialize refreshes, share managed connections per server, and surface reauth-required as 401 from tool discover/execute; UI updates add advanced OAuth fields, “Connect with OAuth” actions, and a useMcpOauthPopup hook to orchestrate popups and invalidate queries.

^{Reviewed by Cursor Bugbot for commit 43902b4. Configure here.}

Greptile Summary

This PR adds OAuth 2.1 + PKCE support for outbound MCP servers, implementing the full consent flow via a browser popup (/api/mcp/oauth/start → /api/mcp/oauth/callback), a new mcp_server_oauth DB table for encrypted per-server token storage, and auto-detection of OAuth-protected servers on creation via an unauthenticated probe.

• New SimMcpOauthProvider implements the SDK's OAuthClientProvider interface, persisting PKCE verifiers, OAuth state, client registration data, and encrypted tokens across the two-leg callback flow; the withMcpOauthRefreshLock in-process mutex serializes concurrent refresh attempts per row.
• mcp_server_oauth table holds one workspace-shared OAuth row per server (unique index on mcp_server_id); state is stored as SHA-256 hash and anchored to a separate stateCreatedAt column so token refreshes cannot extend the active-flow TTL window.
• Server PATCH and DELETE routes now verify workspace ownership before calling revokeMcpOauthTokens, and all three write paths (POST upsert, PATCH, DELETE) clear mcp_server_oauth rows when credentials change or the server is removed.

Confidence Score: 5/5

The PR is safe to merge. All the OAuth consent flow, token storage, and workspace ownership checks are properly implemented and the security issues from previous review rounds have been addressed.

All write paths (POST upsert, PATCH, DELETE) verify workspace ownership before touching OAuth state or running token revocation. Tokens are encrypted at rest, PKCE verifiers are encrypted, state is stored as a SHA-256 hash, and the active-flow TTL is anchored to a dedicated stateCreatedAt column so token refreshes cannot extend it. The two remaining comments are style-level concerns with no impact on correctness or security.

No files require special attention. apps/sim/app/workspace/[workspaceId]/settings/components/mcp/mcp.tsx removed several useMemo/useCallback wrappers that could slow render cycles in large workspaces, but this is not a correctness issue.

Important Files Changed

Sequence Diagram

sequenceDiagram
    participant Browser
    participant Start as /api/mcp/oauth/start
    participant Popup as OAuth Popup
    participant AS as Authorization Server
    participant Callback as /api/mcp/oauth/callback
    participant DB as mcp_server_oauth

    Browser->>Start: "GET ?serverId=&workspaceId="
    Start->>DB: getOrCreateOauthRow()
    Start->>AS: mcpAuth() → redirectToAuthorization throws
    Start-->>Browser: "{ status: 'redirect', authorizationUrl }"
    Browser->>Popup: window.open(authorizationUrl)
    Popup->>AS: User consents
    AS->>Callback: "GET ?code=&state="
    Callback->>DB: loadOauthRowByState(hash(state))
    Callback->>DB: clearState() (burn before exchange)
    Callback->>AS: mcpAuth() token exchange
    AS-->>Callback: access_token + refresh_token
    Callback->>DB: saveTokens() (encrypted)
    Callback->>DB: clearVerifier()
    Callback-->>Popup: "HTML + postMessage({ok:true, serverId})"
    Popup->>Browser: postMessage via window.opener
    Browser->>Browser: invalidate mcpKeys queries

_{Reviews (37): Last reviewed commit: "fix(mcp): use boolean credsChanged, not ..." | Re-trigger Greptile}

Greptile summary findings addressed in f587e82:

• Edit modal drops existing OAuth Client ID: editInitialData now includes oauthClientId; the API already returns it (only the secret is masked) so the field populates and Advanced auto-expands.
• Shared OAuth mutation disables all buttons: per-server pending tracked in a local Set<string>; the spinner is scoped to the card whose flow is in progress.
• Plaintext PKCE codeVerifier: now encrypted at rest via encryptSecret to match tokens/clientInformation.

The point about clearing a pre-registered Client ID by emptying the field is a follow-up — oauthClientId || undefined collapses an intentional clear into a no-op. Will tackle when adding TTL cleanup for abandoned OAuth sessions.

@greptile

@cursor review

@greptile

@cursor review

@greptile

@cursor review

@greptile

@cursor review

@cursor review

@greptile

@cursor review

@greptile

@greptile

@cursor review

@greptile

@cursor review

@greptile

@cursor review

@greptile

@cursor review

@greptile

@cursor review

@greptile

@cursor review

@cursor review

@greptile