
OAuth discovery and CORS fixes for MCP servers

This release improves MCP server authentication by automatically attempting OAuth discovery when servers return an auth rejected error, and fixes same-origin request failures in chat sessions.

Features

  • CLI commands tab in OpenAPI version update modal #1624 - Added a CLI commands tab to the OpenAPI version update modal for quick access to CLI-based update workflows. (Author: @simplesagar)

Bug fixes

  • OAuth discovery for MCP servers returning AuthRejectedError #1597 - When an MCP server returns a 401 without a WWW-Authenticate header, the platform now attempts OAuth discovery instead of silently skipping authentication setup. This fixes the missing authentication section for catalog MCP servers that don’t implement OAuth 2.1 natively. (Author: @simplesagar)
  • Same-origin requests in chat sessions CORS #1616 - Fixed “Origin does not match audience claim” errors for same-origin requests. The middleware now validates the Host header against audience claims when the Origin header is absent, allowing legitimate same-origin requests while still preventing cross-origin bypass attacks. (Author: @adaam2)
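
The Origin/Host check described in the #1616 entry, sketched as an added example that is not the project's own code. It assumes the audience claim holds origin URLs; the function names and the example.test hosts are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// hostOf returns the lowercased host[:port] of an origin URL, or "" if unparseable.
func hostOf(origin string) string {
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" {
		return ""
	}
	return strings.ToLower(u.Host)
}

// audienceAllows reports whether the request matches one of the token's
// audience entries (assumed here to be origins like "https://app.example.test").
func audienceAllows(r *http.Request, audiences []string) bool {
	// Presence is read from the raw header map so an empty or "null" Origin
	// still counts as present and can never fall through to the Host check.
	origins, hasOrigin := r.Header["Origin"]
	for _, aud := range audiences {
		if hasOrigin {
			if len(origins) == 1 && strings.EqualFold(origins[0], strings.TrimRight(aud, "/")) {
				return true
			}
		} else if h := hostOf(aud); h != "" && strings.EqualFold(r.Host, h) { // no Origin: compare Host
			return true
		}
	}
	return false
}

// newReq builds a constructed request; a nil origin means no Origin header at all.
func newReq(host string, origin *string) *http.Request {
	r := &http.Request{Host: host, Header: http.Header{}}
	if origin != nil {
		r.Header["Origin"] = []string{*origin}
	}
	return r
}

func main() {
	evil, aud := "https://evil.example.test", []string{"https://app.example.test"}
	fmt.Println(audienceAllows(newReq("app.example.test", nil), aud), audienceAllows(newReq("app.example.test", &evil), aud))
}
```

The Host fallback applies only when Origin is absent; a mismatched Origin is rejected even when Host matches the audience.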
