docs(cli): document MCP OAuth CIMD and token auth overrides#1219
Merged
Conversation
Documents the per-server oauth overrides on http MCP servers introduced by the CLI-662 CIMD work (factory-mono #14377): clientMetadataUrl and tokenEndpointAuthMethod, plus the existing override fields they interact with. Covers CIMD URL validation rules, mutual exclusivity with clientId/clientSecret, the public-client (none) requirement, and examples for a custom CIMD document and forcing tokenEndpointAuthMethod none.
Contributor
|
Preview deployment for your docs. Learn more about Mintlify Previews.
💡 Tip: Enable Workflows to automatically generate PRs for you. |
…p-oauth # Conflicts: # docs/cli/configuration/mcp.mdx
shashank-factory
approved these changes
Jun 12, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Droid now supports Client ID Metadata Documents (CIMD) and standards-aligned public-client defaults for remote MCP OAuth (factory-mono #14377), but the per-server
oauthoverrides inmcp.jsonhad no public documentation, so advanced deployments had no reference for supplying a custom CIMD URL or forcing a token endpoint auth method. This PR adds an "OAuth Overrides" section to the MCP configuration page documenting theoauthobject onhttpandsseservers, with emphasis on the newclientMetadataUrlandtokenEndpointAuthMethodfields.Related Issue
Closes CLI-811
Documents behavior shipped in Factory-AI/factory-mono#14377 (CLI-662).
Reviewer Guide
Read order:
docs/cli/configuration/mcp.mdx(single file).Review depth: Standard. Field semantics and constraints are transcribed from
McpOAuthOptionsSchemain factory-monopackages/common/src/settings/schema.ts; verify the prose matches shipped validation.Risk & Impact
Low risk, docs-only. Main exposure is documenting constraints inaccurately; each rule (CIMD URL shape,
clientMetadataUrlvsclientId/clientSecretexclusivity, public-clientnonerequirement,authorizationServerIssuerrequirement) was checked against the merged schema'ssuperRefinelogic.Verification
Behavior verified. Field list, types, and all four constraint rules cross-checked against
McpOAuthOptionsSchemaandMcpOAuthTokenEndpointAuthMethodon factory-monodev(cabbdad93f, post-#14377 merge); acceptance criteria from CLI-811 each map to a documented item, verified @ 299e132.Regression coverage. N/A (prose only).
Not tested. No live Mintlify preview render; table and code-fence syntax matches existing patterns on the same page. Merge with main (#1175 et al.) resolved by keeping this section over the brief inline
oauthbullet list and retaining upstream's project-config secrets Warning.Standard validators.
npx mint broken-linksclean; no other validators configured in this repo.