Add public OAuth CIMD with default hosted document and --callback-port#187
Merged
Conversation
Host a Client ID Metadata Document (CIMD) at https://apify.github.io/mcpc/client-metadata/v1.json so every mcpc installation presents a consistent client identity on CIMD-capable authorization servers. This follows the same pattern as VS Code and Claude Code. Key changes: - New docs/client-metadata/v1.json served via GitHub Pages - mcpc login now defaults to the hosted CIMD; use --no-client-metadata-url to opt out or --client-metadata-url <url> to override - OAuth callback uses fixed port range 13316-13325 to match the CIMD's registered redirect_uris (CIMD docs are static, so exact-match ports are required by most authorization servers) - Tightened CIMD URL validation per the spec: reject fragments, embedded credentials, and dot path segments - Added logo_uri, tos_uri, policy_uri to the DCR client metadata getter for branding parity with the hosted CIMD https://claude.ai/code/session_015YnY1wPJF48HUrfdPaFJ1x
Drop the branching between CIMD and non-CIMD port ranges. Using the same fixed range in all modes (CIMD, DCR, pre-registered --client-id) makes the callback port predictable for firewalls, docs, and pre-registered clients, and removes a chunk of conditional logic. Pre-registered clients can rely on RFC 8252 loopback-any-port semantics or list the mcpc range in their redirect URIs, same as before. https://claude.ai/code/session_015YnY1wPJF48HUrfdPaFJ1x
Matches the draft-ietf-oauth-client-id-metadata-document spec example URL (https://example.com/client.json) and trims 13 chars off the displayed client_id on consent screens. https://claude.ai/code/session_015YnY1wPJF48HUrfdPaFJ1x
Move client.json from docs/ to the repo root and add a minimal _config.yml excluding dev dirs, so https://apify.github.io/mcpc/ shows the project README and https://apify.github.io/mcpc/client.json serves the OAuth CIMD. Note: requires changing the GitHub Pages source in repo Settings from "main / docs" to "main / (root)". https://claude.ai/code/session_015YnY1wPJF48HUrfdPaFJ1x
- Resolve merge conflicts with origin/main (CHANGELOG, oauth-flow.ts) - Rename client.json → client-metadata.json to match VS Code's naming convention (most self-documenting industry pattern) - Add --callback-port <port> option to mcpc login, allowing callers to completely override the default port range (13316–13325) - Adopt main's 127.0.0.1 redirect URL change https://claude.ai/code/session_015YnY1wPJF48HUrfdPaFJ1x
jancurn
changed the title
- logo_uri → client-logo.svg (served via GitHub Pages) - tos_uri → LICENSE on GitHub Pages (not raw GitHub blob URL) - Remove policy_uri (no standalone privacy policy page) https://claude.ai/code/session_015YnY1wPJF48HUrfdPaFJ1x
4 tasks
jancurn
pushed a commit
that referenced
this pull request
Apr 18, 2026
PR #187 set `logo_uri` in client-metadata.json to https://apify.github.io/mcpc/client-logo.svg, but the file was never committed, so OAuth authorization servers consuming the CIMD got a 404 when trying to display the client logo on consent screens. Adds a Swiss Army knife illustration with an MCP emblem on the handle, matching the README's "Swiss Army knife for MCP" positioning. https://claude.ai/code/session_014ooBBpJAUWAcUkGXHpgGo8
4 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
mcpc now ships with a hosted Client ID Metadata Document (CIMD) so every installation presents a consistent client identity to CIMD-capable authorization servers — the same pattern used by VS Code and Claude Code.
Key changes
client-metadata.json: published at the repo root via GitHub Pages. The URL follows VS Code's naming convention (client-metadata.json) and serves as theclient_idon CIMD-capable servers.mcpc loginnow uses the hosted CIMD by default — no flags needed. Override with--client-metadata-url <url>or disable with--no-client-metadata-urlto force DCR.redirect_uris. All 10 ports × both127.0.0.1andlocalhostforms are pre-registered in the hosted document. Ports are tried in order; concurrent logins get different ports.--callback-port <port>: new flag to completely override the port (useful for pre-registered clients, CI, or environments where the default range is unavailable).validateClientMetadataUrl()now enforces the full spec — rejects fragments, embedded credentials, and./..path segments (per draft-ietf-oauth-client-id-metadata-document)._config.ymlat repo root sohttps://apify.github.io/mcpc/renders the project README. Requires changing the Pages source in repo Settings frommain/docstomain/(root).clientMetadatagetter now includeslogo_uri,tos_uri,policy_uriso DCR-registered clients also show branding.Test plan
npm run lintpassesnpm run buildpassesnpm run test:unitpasses (532 tests, 18 suites)validateClientMetadataUrl(fragment, creds, dot segments)--no-client-metadata-urlhelpmain/(root)and verify both URLs workmcpc loginagainst a CIMD-capable AShttps://claude.ai/code/session_015YnY1wPJF48HUrfdPaFJ1x