Applicable to: On-prem control plane deployments only. Managed cloud customers are unaffected.
What Is Changing
We are removing the global (unscoped) OAuth routes from the 2025-03-26 MCP spec in favor of the scoped OAuth Protected Resource Metadata endpoints from the 2025-06-18 MCP spec (RFC 9728).
Old routes (being removed):
GET /api/svc/oauth2-mcp/.well-known/oauth-authorization-server
GET /api/svc/oauth2-mcp/.well-known/oauth-protected-resource
GET /api/svc/oauth2-mcp/authorize
POST /api/svc/oauth2-mcp/token
POST /api/svc/oauth2-mcp/register
New routes (replacement):
GET /api/svc/oauth2-mcp/{tenant}/{server}/.well-known/oauth-protected-resource
GET /api/svc/oauth2-mcp/{tenant}/{server}/.well-known/oauth-authorization-server
GET /api/svc/oauth2-mcp/{tenant}/{server}/authorize
POST /api/svc/oauth2-mcp/{tenant}/{server}/token
POST /api/svc/oauth2-mcp/{tenant}/{server}/register
What You Need to Do
- Switch to the tenant-scoped MCP server URLs.
- Spec-compliant MCP clients (2025-06-18) will automatically discover and use the new endpoints via RFC 9728 Protected Resource Metadata — no manual endpoint configuration is required on the client side.
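To find clients that still call the removed routes before you cut over, you can scan control plane access logs for the old paths. The script below is an added example, not part of the product or of this notice; the log line format, client addresses, and the tenant and server names (`acme`, `search`) are constructed assumptions.

```python
import re
from collections import Counter

PREFIX = "/api/svc/oauth2-mcp"
ENDPOINTS = (".well-known/oauth-authorization-server",
             ".well-known/oauth-protected-resource",
             "authorize", "token", "register")
_EP = "|".join(re.escape(e) for e in ENDPOINTS)
# Old routes: endpoint directly under the prefix (no tenant/server segments).
LEGACY = re.compile(rf"^{re.escape(PREFIX)}/(?P<ep>{_EP})$")
# New routes: /{tenant}/{server}/ sits between the prefix and the endpoint.
SCOPED = re.compile(rf"^{re.escape(PREFIX)}/[^/]+/[^/]+/(?P<ep>{_EP})$")
# Assumed combined-log-style line: client, two fields, [time], "METHOD target PROTO".
LINE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (?P<target>\S+) [^"]*"')

def classify(target):
    """Return ("legacy" | "scoped" | "other", endpoint or None) for a request target."""
    path = target.split("?", 1)[0].rstrip("/")  # ignore query string and trailing slash
    for kind, pattern in (("legacy", LEGACY), ("scoped", SCOPED)):
        m = pattern.match(path)
        if m:
            return kind, m["ep"]
    return "other", None

def legacy_callers(lines):
    """Count hits on removed routes per (client, endpoint); unparsable lines are skipped."""
    hits = Counter()
    for line in lines:
        m = LINE.match(line)
        if m:
            kind, ep = classify(m["target"])
            if kind == "legacy":
                hits[(m["client"], ep)] += 1
    return hits

# Constructed sample log lines (documentation address ranges, made-up tenant/server).
_T = "[18/Jun/2025:10:00:00 +0000]"
SAMPLE_LOG = [
    f'192.0.2.10 - - {_T} "GET {PREFIX}/.well-known/oauth-authorization-server HTTP/1.1" 200 512',
    f'192.0.2.10 - - {_T} "POST {PREFIX}/token HTTP/1.1" 200 310',
    f'192.0.2.10 - - {_T} "POST {PREFIX}/token HTTP/1.1" 200 310',
    f'198.51.100.7 - - {_T} "GET {PREFIX}/acme/search/.well-known/oauth-protected-resource HTTP/1.1" 200 420',
    f'198.51.100.7 - - {_T} "GET {PREFIX}/acme/search/authorize?client_id=abc HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for (client, ep), n in sorted(legacy_callers(SAMPLE_LOG).items()):
        print(f"{client} still uses removed route {PREFIX}/{ep} ({n} requests)")
```

Any client the script reports is still configured with an unscoped URL and needs to be pointed at its tenant-scoped MCP server URL.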
If you need help with this migration, reach out and we’ll be happy to assist.