> ## Documentation Index
> Fetch the complete documentation index at: https://www.truefoundry.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Legacy MCP OAuth Routes Removal — v0.134

> Legacy unscoped MCP OAuth routes are being removed in favor of scoped OAuth Protected Resource Metadata endpoints (RFC 9728).

<Warning>
  **Applicable to:** On-prem control plane deployments only. Managed cloud customers are unaffected.
</Warning>

## What Is Changing

We are removing the global (unscoped) OAuth routes from the 2025-03-26 MCP spec in favor of the scoped OAuth Protected Resource Metadata endpoints from the 2025-06-18 MCP spec ([RFC 9728](https://www.rfc-editor.org/rfc/rfc9728)).

**Old routes (being removed):**

```
GET  /api/svc/oauth2-mcp/.well-known/oauth-authorization-server
GET  /api/svc/oauth2-mcp/.well-known/oauth-protected-resource
GET  /api/svc/oauth2-mcp/authorize
POST /api/svc/oauth2-mcp/token
POST /api/svc/oauth2-mcp/register
```

**New routes (replacement):**

```
GET  /api/svc/oauth2-mcp/{tenant}/{server}/.well-known/oauth-protected-resource
GET  /api/svc/oauth2-mcp/{tenant}/{server}/.well-known/oauth-authorization-server
GET  /api/svc/oauth2-mcp/{tenant}/{server}/authorize
POST /api/svc/oauth2-mcp/{tenant}/{server}/token
POST /api/svc/oauth2-mcp/{tenant}/{server}/register
```

## What You Need to Do

1. Switch to the tenant-scoped MCP server URLs.
2. Spec-compliant MCP clients (2025-06-18) will automatically discover and use the new endpoints via RFC 9728 Protected Resource Metadata — no manual endpoint configuration is required on the client side.

***

If you need help with this migration, reach out and we'll be happy to assist.
